From 4b65e4aeab16c1700a3c01a643e439a5000d932e Mon Sep 17 00:00:00 2001
From: Jan Edmund Lazo
Date: Sun, 1 Nov 2020 20:22:42 -0500
Subject: vim-patch:8.2.1086: possibly using freed memory when text properties used
Problem: Possibly using freed memory when text properties used when changing indent of a line.
Solution: Compute the offset before calling ml_replace().
https://github.com/vim/vim/commit/cf30643ae607ae1a97b50e19c622dc8303723fa2
---
 src/nvim/indent.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/nvim/indent.c b/src/nvim/indent.c
index bb0fdfec01..9e6693afdf 100644
--- a/src/nvim/indent.c
+++ b/src/nvim/indent.c
@@ -295,13 +295,17 @@ int set_indent(int size, int flags)
   // Replace the line (unless undo fails).
   if (!(flags & SIN_UNDO) || (u_savesub(curwin->w_cursor.lnum) == OK)) {
+    const colnr_T old_offset = (colnr_T)(p - oldline);
+    const colnr_T new_offset = (colnr_T)(s - newline);
+
+    // this may free "newline"
     ml_replace(curwin->w_cursor.lnum, newline, false);
     if (!(flags & SIN_NOMARK)) {
       extmark_splice_cols(curbuf, (int)curwin->w_cursor.lnum-1, skipcols,
-                          (int)(p-oldline) - skipcols,
-                          (int)(s-newline) - skipcols,
+                          old_offset - skipcols,
+                          new_offset - skipcols,
                           kExtmarkUndo);
     }
@@ -311,15 +315,14 @@ int set_indent(int size, int flags)
     // Correct saved cursor position if it is in this line.
     if (saved_cursor.lnum == curwin->w_cursor.lnum) {
-      if (saved_cursor.col >= (colnr_T)(p - oldline)) {
+      if (saved_cursor.col >= old_offset) {
         // Cursor was after the indent, adjust for the number of
         // bytes added/removed.
-        saved_cursor.col += ind_len - (colnr_T)(p - oldline);
-
-      } else if (saved_cursor.col >= (colnr_T)(s - newline)) {
+        saved_cursor.col += ind_len - old_offset;
+      } else if (saved_cursor.col >= new_offset) {
         // Cursor was in the indent, and is now after it, put it back
         // at the start of the indent (replacing spaces with TAB).
-        saved_cursor.col = (colnr_T)(s - newline);
+        saved_cursor.col = new_offset;
       }
     }
     retval = true;
-- 
cgit
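Review bot: The comparisons against `old_offset` and `new_offset` in this hunk are only valid because those values were captured before `ml_replace()` ran, and nothing near the `if (saved_cursor.col >= old_offset)` line records that; a reader of this block on its own sees two opaque column variables with no hint that recomputing them from `p`/`s` here would reintroduce the use-after-free the commit fixes. A short comment above that `if` would keep the invariant next to the code that depends on it, e.g. `// old_offset/new_offset are byte offsets taken before ml_replace(), which may have freed "newline"`. The enclosing `if (!(flags & SIN_UNDO) || ...)` block starts outside this hunk.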