author | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-11-01 20:22:42 -0500 |
---|---|---|
committer | Jan Edmund Lazo <jan.lazo@mail.utoronto.ca> | 2020-11-01 21:11:02 -0500 |
commit | 4b65e4aeab16c1700a3c01a643e439a5000d932e (patch) | |
tree | ffa272383fa6ad9a6deb7dc3b76ec14103a50a40 /src | |
parent | f9adb3eccb871aee5455674a704186e10e6fecff (diff) | |
vim-patch:8.2.1086: possibly using freed memory when text properties used
Problem: Possibly using freed memory when text properties are used while
changing the indent of a line.
Solution: Compute the offset before calling ml_replace().
https://github.com/vim/vim/commit/cf30643ae607ae1a97b50e19c622dc8303723fa2
Diffstat (limited to 'src')
-rw-r--r-- | src/nvim/indent.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/src/nvim/indent.c b/src/nvim/indent.c
index bb0fdfec01..9e6693afdf 100644
--- a/src/nvim/indent.c
+++ b/src/nvim/indent.c
@@ -295,13 +295,17 @@ int set_indent(int size, int flags)
   // Replace the line (unless undo fails).
   if (!(flags & SIN_UNDO) || (u_savesub(curwin->w_cursor.lnum) == OK)) {
+    const colnr_T old_offset = (colnr_T)(p - oldline);
+    const colnr_T new_offset = (colnr_T)(s - newline);
+
+    // this may free "newline"
     ml_replace(curwin->w_cursor.lnum, newline, false);
     if (!(flags & SIN_NOMARK)) {
       extmark_splice_cols(curbuf, (int)curwin->w_cursor.lnum-1, skipcols,
-                          (int)(p-oldline) - skipcols,
-                          (int)(s-newline) - skipcols,
+                          old_offset - skipcols,
+                          new_offset - skipcols,
                           kExtmarkUndo);
     }
@@ -311,15 +315,14 @@ int set_indent(int size, int flags)
     // Correct saved cursor position if it is in this line.
     if (saved_cursor.lnum == curwin->w_cursor.lnum) {
-      if (saved_cursor.col >= (colnr_T)(p - oldline)) {
+      if (saved_cursor.col >= old_offset) {
         // Cursor was after the indent, adjust for the number of
         // bytes added/removed.
-        saved_cursor.col += ind_len - (colnr_T)(p - oldline);
-
-      } else if (saved_cursor.col >= (colnr_T)(s - newline)) {
+        saved_cursor.col += ind_len - old_offset;
+      } else if (saved_cursor.col >= new_offset) {
         // Cursor was in the indent, and is now after it, put it back
         // at the start of the indent (replacing spaces with TAB).
-        saved_cursor.col = (colnr_T)(s - newline);
+        saved_cursor.col = new_offset;
       }
     }
     retval = true;
|
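Review bot: The added comment `// this may free "newline"` above the ml_replace() call in the first hunk names only half of the hazard the commit removes: the old code also computed `p - oldline` after the call, and the commit hoists both offsets, so the intent is that neither line buffer is touched once ml_replace() has taken ownership. A comment that states the invariant rather than the symptom would keep the next maintainer from reintroducing a late `s - newline` or `p - oldline`, e.g. `// ml_replace() takes ownership of "newline" and may free it (the previous line buffer may be released as well), so "s", "p", "newline" and "oldline" are dead from here on.` Worth noting for readers that the removed expressions never dereferenced the pointer, but pointer subtraction against a freed object is already undefined behaviour and is exactly what a use-after-free sanitizer run flags, which is why computing the offsets before the call is the right fix rather than, say, re-fetching the line. set_indent() continues past both hunks, so whether any later code still reads these pointers cannot be checked from the diff alone.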