From 7200454ee6f500bb851bea992707c019d9982cb9 Mon Sep 17 00:00:00 2001
From: Sean Dewar
Date: Tue, 24 Nov 2020 20:55:04 +0000
Subject: vim-patch:8.1.0738: using freed memory, for loop over blob leaks memory
Problem: Using freed memory, for loop over blob leaks memory.
Solution: Clear pointer after freeing memory. Decrement reference count after for loop over blob.
https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72
---
 src/nvim/eval.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 29df1a168f..eb8f0406c4 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -2603,6 +2603,8 @@ void *eval_for_line(const char_u *arg, bool *errp, char_u **nextcmdp, int skip)
 if (b == NULL) {
 tv_clear(&tv);
 } else {
+ // No need to increment the refcount, it's already set for
+ // the blob being used in "tv".
 fi->fi_blob = b;
 fi->fi_bi = 0;
 }
@@ -2666,6 +2668,9 @@ void free_for_info(void *fi_void)
 tv_list_watch_remove(fi->fi_list, &fi->fi_lw);
 tv_list_unref(fi->fi_list);
 }
+ if (fi != NULL && fi->fi_blob != NULL) {
+ tv_blob_unref(fi->fi_blob);
+ }
 xfree(fi);
 }
@@ -4072,9 +4077,12 @@ static int eval7(
 char_u *bp;
 for (bp = *arg + 2; ascii_isxdigit(bp[0]); bp += 2) {
 if (!ascii_isxdigit(bp[1])) {
- EMSG(_("E973: Blob literal should have an even number of hex "
- "characters"));
- xfree(blob);
+ if (blob != NULL) {
+ EMSG(_("E973: Blob literal should have an even number of hex "
+ "characters"));
+ ga_clear(&blob->bv_ga);
+ XFREE_CLEAR(blob);
+ }
 ret = FAIL;
 break;
 }
-- cgit
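Review bot: The new `tv_blob_unref(fi->fi_blob)` in free_for_info() has no comment tying it to the reference it releases, which, going by the comment added in the eval_for_line() hunk, is the one taken over from "tv" rather than one acquired by an explicit increment. A one-line comment at the unref site, for example `// Drop the reference inherited from "tv" in eval_for_line().`, would keep that pairing visible. This matters because an unref without a matching reference would turn the leak fix into a premature free. The start of free_for_info() is outside the hunk, so whether `fi_list` and `fi_blob` can both be set is not visible here; the two independent `if` blocks cope with either case.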
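Review bot: In the eval7() hunk the E973 message now sits inside `if (blob != NULL)`, so when `blob` is NULL an odd number of hex digits sets `ret = FAIL` and breaks out of the loop without reporting anything. If that is intended for the case where the expression is parsed but not evaluated (the allocation of `blob` is outside the hunk, so this is inferred), a comment such as `// blob is NULL when not evaluating: fail without a message.` would make the silent path explicit. The use-after-free fix also depends on every later use of `blob` in eval7() testing it for NULL after `XFREE_CLEAR(blob)`; that code is outside the hunk and should be confirmed.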