From e2e63832e3621a279a9f9a93564cd93b22f549df Mon Sep 17 00:00:00 2001
From: oni-link
Date: Mon, 24 Nov 2014 18:11:14 +0100
Subject: Fix memory leak detected in PR 1510.

LSAN/ASAN detected, on an error code path, that not all elements of a struct ChannelCallFrame were freed.
---
 src/nvim/msgpack_rpc/channel.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src')
diff --git a/src/nvim/msgpack_rpc/channel.c b/src/nvim/msgpack_rpc/channel.c
index 0c04a7b23e..760f150b19 100644
--- a/src/nvim/msgpack_rpc/channel.c
+++ b/src/nvim/msgpack_rpc/channel.c
@@ -241,6 +241,7 @@ Object channel_send_call(uint64_t id,
 if (frame.errored) {
 api_set_error(err, Exception, "%s", frame.result.data.string.data);
+ api_free_object(frame.result);
 return NIL;
 }
-- cgit
From eae3105ee3ebc09549f2db2c1f3125a74c223c41 Mon Sep 17 00:00:00 2001
From: oni-link
Date: Wed, 3 Dec 2014 12:45:31 +0100
Subject: channel.c: Fix for heap-use-after-free

ASAN detected this heap-use-after-free. A job started by channel_from_job() could terminate and result in a call to free_channel(), while channel_send_call() was still active/pending and accessing Channel elements. Original patch by @tarruda.
---
 src/nvim/msgpack_rpc/channel.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/nvim/msgpack_rpc/channel.c b/src/nvim/msgpack_rpc/channel.c
index 760f150b19..b6ac3fab82 100644
--- a/src/nvim/msgpack_rpc/channel.c
+++ b/src/nvim/msgpack_rpc/channel.c
@@ -348,7 +348,13 @@ static void job_err(RStream *rstream, void *data, bool eof)
 static void job_exit(Job *job, void *data)
 {
- free_channel((Channel *)data);
+ Channel *channel = data;
+ // ensure the channel is flagged as closed so channel_send_call frees it
+ // later
+ channel->closed = true;
+ if (!kv_size(channel->call_stack)) {
+ free_channel(channel);
+ }
 }
 static void parse_msgpack(RStream *rstream, void *data, bool eof)
-- cgit
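Review bot: The error branch passes `frame.result.data.string.data` to a `%s` format with no visible check that `frame.result` actually holds a string, and that object is built from what the remote peer sent back. If the peer returns an error value of another type, the union member read here is not a valid string pointer, so the branch should test the tag first, for example `if (frame.result.type == kObjectTypeString)`, and fall back to a fixed message otherwise. The added `api_free_object(frame.result);` sits after the message is consumed, which is the right order provided api_set_error copies the text rather than keeping the pointer. channel_send_call starts and ends outside this hunk, so a type check may already exist above the visible lines.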
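Review bot: The Channel's lifetime in job_exit now rests on an invariant that the new comment only hints at: when `channel->closed = true` is set while call_stack is non-empty, exactly one later path must call free_channel. That path is in channel_send_call, outside this hunk, so it cannot be confirmed from here that every return from it (error returns included) performs the free, or that no other closing path frees the channel first and leaves job_exit with a dangling `data`. I would spell out the ownership rule above job_exit, e.g. `// Final free: job_exit when no call is pending, otherwise the outermost channel_send_call once it observes closed.` The test also reads more clearly as `if (kv_size(channel->call_stack) == 0) {`.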