commit 595f7f37a98f3af12fe94ba4332b8f33004b7e4b
parent 1e4adf4b56cb7a360d16c4d04290c50ae7e80fbc
Author: zeertzjq <zeertzjq@outlook.com>
Date: Sat, 5 Nov 2022 16:59:07 +0800
vim-patch:9.0.0246: using freed memory when 'tagfunc' deletes the buffer
Problem: Using freed memory when 'tagfunc' deletes the buffer.
Solution: Make a copy of the tag name.
https://github.com/vim/vim/commit/adce965162dd89bf29ee0e5baf53652e7515762c
Co-authored-by: Bram Moolenaar <Bram@vim.org>
Diffstat:
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/nvim/tag.c b/src/nvim/tag.c
@@ -199,6 +199,7 @@ void do_tag(char *tag, int type, int count, int forceit, int verbose)
int skip_msg = false;
char_u *buf_ffname = (char_u *)curbuf->b_ffname; // name for priority computation
int use_tfu = 1;
+ char *tofree = NULL;
// remember the matches for the last used tag
static int num_matches = 0;
@@ -450,7 +451,10 @@ void do_tag(char *tag, int type, int count, int forceit, int verbose)
// When desired match not found yet, try to find it (and others).
if (use_tagstack) {
- name = tagstack[tagstackidx].tagname;
+ // make a copy, the tagstack may change in 'tagfunc'
+ name = xstrdup(tagstack[tagstackidx].tagname);
+ xfree(tofree);
+ tofree = name;
} else if (g_do_tagpreview != 0) {
name = ptag_entry.tagname;
} else {
@@ -681,6 +685,7 @@ end_do_tag:
}
postponed_split = 0; // don't split next time
g_do_tagpreview = 0; // don't do tag preview next time
+ xfree(tofree);
}
// List all the matching tags.
diff --git a/src/nvim/testdir/test_tagfunc.vim b/src/nvim/testdir/test_tagfunc.vim
@@ -273,4 +273,16 @@ func Test_tagfunc_callback()
%bw!
endfunc
+func Test_tagfunc_wipes_buffer()
+ func g:Tag0unc0(t,f,o)
+ bwipe
+ endfunc
+ set tagfunc=g:Tag0unc0
+ new
+ cal assert_fails('tag 0', 'E987:')
+
+ delfunc g:Tag0unc0
+ set tagfunc=
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
