commit 2f378237037150f3c7405fec1d8762e73067d223
parent e7ac16425c2bcbe26167d89134c51bf412c7b15e
Author: zeertzjq <zeertzjq@outlook.com>
Date: Wed, 30 Mar 2022 07:44:12 +0800
vim-patch:8.2.4646: using buffer line after it has been freed (#17907)
Problem: Using buffer line after it has been freed in old regexp engine.
Solution: After getting mark get the line again.
https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5
Diffstat:
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/nvim/regexp_bt.c b/src/nvim/regexp_bt.c
@@ -3130,9 +3130,17 @@ static bool regmatch(
{
int mark = OPERAND(scan)[0];
int cmp = OPERAND(scan)[1];
- pos_T *pos;
+ pos_T *pos;
+ size_t col = REG_MULTI ? rex.input - rex.line : 0;
pos = getmark_buf(rex.reg_buf, mark, false);
+
+ // Line may have been freed, get it again.
+ if (REG_MULTI) {
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+ }
+
if (pos == NULL // mark doesn't exist
|| pos->lnum <= 0) { // mark isn't set in reg_buf
status = RA_NOMATCH;
diff --git a/src/nvim/testdir/test_regexp_latin.vim b/src/nvim/testdir/test_regexp_latin.vim
@@ -789,10 +789,17 @@ endfunc
func Test_using_mark_position()
" this was using freed memory
+ " new engine
new
norm O0
call assert_fails("s/\\%')", 'E486:')
bwipe!
+
+ " old engine
+ new
+ norm O0
+ call assert_fails("s/\\%#=1\\%')", 'E486:')
+ bwipe!
endfunc
func Test_using_visual_position()
