From a916696a130b2bb9517c01f77148dfb77ef304fd Mon Sep 17 00:00:00 2001 From: oni-link Date: Thu, 12 Mar 2015 14:05:16 +0100 Subject: syntax.c: Prevent use after free for variable g:colors_name. ASan spotted a problem when using 'set background={light,dark}' with color scheme solarized. While loading the colors for color scheme 'g:colors_name', the pointer on the value for this variable can become invalid, because of an 'unlet colors_name' (part of an :highlight clear, syntax.c:6173). To prevent the use of the freed value, decouple the value from 'g:colors_name' before calling load_colors() with it. --- src/nvim/syntax.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/nvim/syntax.c b/src/nvim/syntax.c index 07f18bf93b..3f9466fd7c 100644 --- a/src/nvim/syntax.c +++ b/src/nvim/syntax.c @@ -5938,15 +5938,22 @@ init_highlight ( int i; char **pp; static int had_both = FALSE; - char_u *p; /* * Try finding the color scheme file. Used when a color file was loaded * and 'background' or 't_Co' is changed. */ - p = get_var_value((char_u *)"g:colors_name"); - if (p != NULL && load_colors(p) == OK) - return; + char_u *p = get_var_value((char_u *)"g:colors_name"); + if (p != NULL) { + // Value of g:colors_name could be freed in load_colors() and make + // p invalid, so copy it. + char_u *copy_p = vim_strsave(p); + bool okay = load_colors(copy_p); + free(copy_p); + if (okay) { + return; + } + } /* * Didn't use a color file, use the compiled-in colors. -- cgit