Patch 8.2.3290
Problem:    Vim9: compiling dict may use pointer after free and leak memory on
            failure.
Solution:   Pass a pointer to generate_PUSHS().  (Zdenek Dohnal, closes #8699)
Files:      src/vim9compile.c


*** ../vim-8.2.3289/src/vim9compile.c   2021-08-02 21:55:08.430701260 +0200
--- src/vim9compile.c   2021-08-04 22:29:01.672706084 +0200
***************
*** 1172,1192 ****
  
  /*
   * Generate an ISN_PUSHS instruction.
!  * Consumes "str".
   */
      static int
! generate_PUSHS(cctx_T *cctx, char_u *str)
  {
      isn_T     *isn;
  
      if (cctx->ctx_skip == SKIP_YES)
      {
!       vim_free(str);
        return OK;
      }
      if ((isn = generate_instr_type(cctx, ISN_PUSHS, &t_string)) == NULL)
        return FAIL;
!     isn->isn_arg.string = str;
  
      return OK;
  }
--- 1172,1197 ----
  
  /*
   * Generate an ISN_PUSHS instruction.
!  * Consumes "*str".  When freed *str is set to NULL, unless "str" is NULL.
   */
      static int
! generate_PUSHS(cctx_T *cctx, char_u **str)
  {
      isn_T     *isn;
  
      if (cctx->ctx_skip == SKIP_YES)
      {
!       if (str != NULL)
!           VIM_CLEAR(*str);
        return OK;
      }
      if ((isn = generate_instr_type(cctx, ISN_PUSHS, &t_string)) == NULL)
+     {
+       if (str != NULL)
+           VIM_CLEAR(*str);
        return FAIL;
!     }
!     isn->isn_arg.string = str == NULL ? NULL : *str;
  
      return OK;
  }
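Review bot: The header comment on generate_PUSHS() describes only the paths that free the string. On the success path `isn->isn_arg.string` takes `*str` while the caller's pointer stays non-NULL, so both refer to the same allocation, and a caller that frees or reuses its pointer after an OK return would leave the instruction with a dangling string. I would extend the comment with `Note that when OK is returned and the string is stored in the instruction, "*str" is not set to NULL and must not be freed by the caller.` The SKIP_YES path also returns OK but with `*str` cleared, so callers cannot infer the pointer's state from the return value alone.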
***************
*** 2785,2791 ****
                tv->vval.v_blob = NULL;
                break;
            case VAR_STRING:
!               generate_PUSHS(cctx, tv->vval.v_string);
                tv->vval.v_string = NULL;
                break;
            default:
--- 2790,2796 ----
                tv->vval.v_blob = NULL;
                break;
            case VAR_STRING:
!               generate_PUSHS(cctx, &tv->vval.v_string);
                tv->vval.v_string = NULL;
                break;
            default:
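Review bot: The result of `generate_PUSHS()` is discarded in the VAR_STRING case, so a FAIL from generate_instr_type() (which now also frees the string) is not propagated from here. The same pattern appears in the hunks at new lines 6816, 9013 and 9036. In the 6816 hunk the loop carries on and `generate_NEWLIST(cctx, l->lv_len)` is still called with the full count even if a push was dropped. Unless the enclosing functions detect the failure some other way, which the hunks do not show, I would check the return value, e.g. `if (generate_PUSHS(cctx, &tv->vval.v_string) == FAIL) return FAIL;` where the function's return type allows it. The switch and its function start and end outside the hunk.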
***************
*** 3837,3843 ****
            key = get_literal_key(arg);
            if (key == NULL)
                return FAIL;
!           if (generate_PUSHS(cctx, key) == FAIL)
                return FAIL;
        }
  
--- 3842,3848 ----
            key = get_literal_key(arg);
            if (key == NULL)
                return FAIL;
!           if (generate_PUSHS(cctx, &key) == FAIL)
                return FAIL;
        }
  
***************
*** 6525,6531 ****
        char_u *key_end = to_name_end(p + 1, TRUE);
        char_u *key = vim_strnsave(p + 1, key_end - p - 1);
  
!       r = generate_PUSHS(cctx, key);
      }
      return r;
  }
--- 6530,6536 ----
        char_u *key_end = to_name_end(p + 1, TRUE);
        char_u *key = vim_strnsave(p + 1, key_end - p - 1);
  
!       r = generate_PUSHS(cctx, &key);
      }
      return r;
  }
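Review bot: `vim_strnsave()` can return NULL on allocation failure, and `key` is passed on without a check. With the new signature generate_PUSHS() then stores NULL in `isn_arg.string` and returns OK, so the failure silently becomes a push of a NULL string instead of FAIL. The hunks at new lines 3842 and 8525 do test `key == NULL` / `pat == NULL` before the call, while the two `val` hunks at 9013 and 9036 have the same gap as this one. Something like `r = key == NULL ? FAIL : generate_PUSHS(cctx, &key);` would make this call consistent with them. The enclosing function begins outside the hunk.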
***************
*** 6811,6817 ****
            // Push each line and the create the list.
            FOR_ALL_LIST_ITEMS(l, li)
            {
!               generate_PUSHS(cctx, li->li_tv.vval.v_string);
                li->li_tv.vval.v_string = NULL;
            }
            generate_NEWLIST(cctx, l->lv_len);
--- 6816,6822 ----
            // Push each line and the create the list.
            FOR_ALL_LIST_ITEMS(l, li)
            {
!               generate_PUSHS(cctx, &li->li_tv.vval.v_string);
                li->li_tv.vval.v_string = NULL;
            }
            generate_NEWLIST(cctx, l->lv_len);
***************
*** 8520,8526 ****
        p += len + 2 + dropped;
        if (pat == NULL)
            return FAIL;
!       if (generate_PUSHS(cctx, pat) == FAIL)
            return FAIL;
  
        if (generate_COMPARE(cctx, EXPR_MATCH, FALSE) == FAIL)
--- 8525,8531 ----
        p += len + 2 + dropped;
        if (pat == NULL)
            return FAIL;
!       if (generate_PUSHS(cctx, &pat) == FAIL)
            return FAIL;
  
        if (generate_COMPARE(cctx, EXPR_MATCH, FALSE) == FAIL)
***************
*** 9008,9014 ****
        {
            if (p > start)
            {
!               generate_PUSHS(cctx, vim_strnsave(start, p - start));
                ++count;
            }
            p += 2;
--- 9013,9021 ----
        {
            if (p > start)
            {
!               char_u *val = vim_strnsave(start, p - start);
! 
!               generate_PUSHS(cctx, &val);
                ++count;
            }
            p += 2;
***************
*** 9029,9035 ****
            {
                if (*skipwhite(start) != NUL)
                {
!                   generate_PUSHS(cctx, vim_strsave(start));
                    ++count;
                }
                break;
--- 9036,9044 ----
            {
                if (*skipwhite(start) != NUL)
                {
!                   char_u *val = vim_strsave(start);
! 
!                   generate_PUSHS(cctx, &val);
                    ++count;
                }
                break;
***************
*** 9847,9852 ****
--- 9856,9862 ----
            case CMD_execute:
            case CMD_echomsg:
            case CMD_echoerr:
+           // TODO:  "echoconsole"
                    line = compile_mult_expr(p, ea.cmdidx, &cctx);
                    break;
  
***************
*** 9885,9892 ****
  #endif
                    break;
  
-           // TODO: any other commands with an expression argument?
- 
            case CMD_append:
            case CMD_change:
            case CMD_insert:
--- 9895,9900 ----
*** ../vim-8.2.3289/src/version.c       2021-08-04 21:16:46.690468437 +0200
--- src/version.c       2021-08-04 22:30:30.868503661 +0200
***************
*** 757,758 ****
--- 757,760 ----
  {   /* Add new patch number below this line */
+ /**/
+     3290,
  /**/

-- 
Computers are not intelligent.  They only think they are.

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///                                                                      \\\
\\\        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
