From 674db4b01fc6b899c7f56a40b77fa40c32466f6c Mon Sep 17 00:00:00 2001 From: James McCoy Date: Thu, 12 Jan 2017 13:57:37 -0500 Subject: eval: Remove dictwatcher from watchers queue before freeing it This fixes a use-after-free noticed by ASAN which would occur when a dictwatcher was still active on a dictionary when the dictionary was freed. fun! MakeWatch() let d = {'foo': 'bar'} call dictwatcheradd(d, 'foo', function('...')) endfun Patch-by: oni-link Closes #5930
---
 src/nvim/eval.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src')
diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 1688a565c1..cdf60d9765 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -6410,8 +6410,8 @@ static void dict_free_contents(dict_T *d) {
 while (!QUEUE_EMPTY(&d->watchers)) {
 QUEUE *w = QUEUE_HEAD(&d->watchers);
 DictWatcher *watcher = dictwatcher_node_data(w);
- dictwatcher_free(watcher);
 QUEUE_REMOVE(w);
+ dictwatcher_free(watcher);
 }
 hash_clear(&d->dv_hashtab);
-- cgit
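Review bot: The order of the two calls in the `while` loop is now load-bearing, but nothing in the new code says why, so a later cleanup could swap them back and reintroduce the use-after-free. `w` appears to be a queue node stored inside the watcher (it is mapped to it through `dictwatcher_node_data(w)`), so running `QUEUE_REMOVE(w)` after `dictwatcher_free(watcher)` would read and rewrite link pointers in freed heap memory; I would add `// Unlink first: w lives inside *watcher and must not be touched after the free.` above `QUEUE_REMOVE(w);`. It is also worth checking any other call site of `dictwatcher_free` for the same ordering, and, because the diffstat shown is limited to 'src', confirming that the MakeWatch() reproducer from the description is kept as a regression test that runs under ASAN. The body of dict_free_contents starts and ends outside the hunk.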