To: vim_dev@googlegroups.com Subject: Patch 8.2.4139 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.4139 Problem: Using freed memory if an expression abbreviation deletes the abbreviation. Solution: Do not access the pointer after evaluating the expression. Files: src/map.c, src/testdir/test_mapping.vim *** ../vim-8.2.4138/src/map.c 2022-01-16 14:58:31.052581613 +0000 --- src/map.c 2022-01-18 20:26:26.880966887 +0000 *************** *** 226,232 **** #endif int simplified) { ! mapblock_T *mp = ALLOC_ONE(mapblock_T); if (mp == NULL) return FAIL; --- 226,232 ---- #endif int simplified) { ! mapblock_T *mp = ALLOC_CLEAR_ONE(mapblock_T); if (mp == NULL) return FAIL; *************** *** 1515,1520 **** --- 1515,1526 ---- } if (mp != NULL) { + int noremap; + int silent; + #ifdef FEAT_EVAL + int expr; + #endif + // Found a match: // Insert the rest of the abbreviation in typebuf.tb_buf[]. // This goes from end to start. *************** *** 1567,1574 **** // insert the last typed char (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent); } #ifdef FEAT_EVAL ! if (mp->m_expr) s = eval_map_expr(mp, c); else #endif --- 1573,1586 ---- // insert the last typed char (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent); } + + // copy values here, calling eval_map_expr() may make "mp" invalid! + noremap = mp->m_noremap; + silent = mp->m_silent; #ifdef FEAT_EVAL ! expr = mp->m_expr; ! ! if (expr) s = eval_map_expr(mp, c); else #endif *************** *** 1576,1586 **** if (s != NULL) { // insert the to string ! (void)ins_typebuf(s, mp->m_noremap, 0, TRUE, mp->m_silent); // no abbrev. for these chars typebuf.tb_no_abbr_cnt += (int)STRLEN(s) + j + 1; #ifdef FEAT_EVAL ! if (mp->m_expr) vim_free(s); #endif } --- 1588,1598 ---- if (s != NULL) { // insert the to string ! (void)ins_typebuf(s, noremap, 0, TRUE, silent); // no abbrev. 
for these chars typebuf.tb_no_abbr_cnt += (int)STRLEN(s) + j + 1; #ifdef FEAT_EVAL ! if (expr) vim_free(s); #endif } *************** *** 1590,1596 **** if (has_mbyte) len = clen; // Delete characters instead of bytes while (len-- > 0) // delete the from string ! (void)ins_typebuf(tb, 1, 0, TRUE, mp->m_silent); return TRUE; } } --- 1602,1608 ---- if (has_mbyte) len = clen; // Delete characters instead of bytes while (len-- > 0) // delete the from string ! (void)ins_typebuf(tb, 1, 0, TRUE, silent); return TRUE; } } *************** *** 1601,1606 **** --- 1613,1619 ---- /* * Evaluate the RHS of a mapping or abbreviations and take care of escaping * special characters. + * Careful: after this "mp" will be invalid if the mapping was deleted. */ char_u * eval_map_expr( *** ../vim-8.2.4138/src/testdir/test_mapping.vim 2022-01-16 15:52:32.020847559 +0000 --- src/testdir/test_mapping.vim 2022-01-18 20:21:15.417676798 +0000 *************** *** 704,709 **** --- 704,714 ---- mapclear endfunc + func GetAbbrText() + unabbr hola + return 'hello' + endfunc + " Test for in abbreviation func Test_expr_abbr() new *************** *** 719,725 **** call assert_equal('', getline(1)) unabbr hte ! close! endfunc " Test for storing mappings in different modes in a vimrc file --- 724,737 ---- call assert_equal('', getline(1)) unabbr hte ! " evaluating the expression deletes the abbreviation ! abbr hola GetAbbrText() ! call assert_equal('GetAbbrText()', maparg('hola', 'i', '1')) ! call feedkeys("ahola \", 'xt') ! call assert_equal('hello ', getline('.')) ! call assert_equal('', maparg('hola', 'i', '1')) ! ! bwipe! endfunc " Test for storing mappings in different modes in a vimrc file *** ../vim-8.2.4138/src/version.c 2022-01-18 18:46:03.729827420 +0000 --- src/version.c 2022-01-18 20:30:01.048519950 +0000 *************** *** 752,753 **** --- 752,755 ---- { /* Add new patch number below this line */ + /**/ + 4139, /**/ -- BLACK KNIGHT: I move for no man. ARTHUR: So be it! 
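Review bot: Nothing in this block stops a later edit from dereferencing `mp` again after `eval_map_expr()` has run, which is exactly the use-after-free this patch removes. The fix depends on every remaining use having been switched to the local copies `noremap`, `silent` and `expr`, as in the `ins_typebuf(s, noremap, 0, TRUE, silent)` call, the `if (expr) vim_free(s)` check and the delete loop. Once `s` has been assigned on both branches, consider adding `mp = NULL;  // may have been freed by eval_map_expr()` so that a stray access fails immediately instead of reading freed memory. The non-expression branch that assigns `s` and the rest of the enclosing function lie outside the visible hunks, so confirm that no other read of `mp` follows before clearing it.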
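Review bot: The new case in `Test_expr_abbr()` asserts only the inserted text and the `maparg()` results, so on a build without a memory checker it would likely still pass with the bug present, because a read of the freed mapblock can return the old values. A comment above the `abbr hola` line, such as `" Only fails reliably under ASan or valgrind: the abbreviation is freed while it is being expanded`, would tell maintainers how the test has to be run to catch a regression. The body of `Test_expr_abbr()` starts outside the hunk.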
[hah] [parry thrust] [ARTHUR chops the BLACK KNIGHT's left arm off] ARTHUR: Now stand aside, worthy adversary. BLACK KNIGHT: 'Tis but a scratch. The Quest for the Holy Grail (Monty Python) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///