commit 8f1f2a1d9f6af56ae928f6cdc29055a0ba13baea
parent 1c520053a9bf89004f1e5af9b31d3239341d7488
Author: zeertzjq <zeertzjq@outlook.com>
Date: Mon, 19 Feb 2024 06:53:13 +0800
vim-patch:9.1.0115: Using freed memory with full tag stack and user data (#27525)
Problem: Using freed memory with full tag stack and user data
(Konstantin Khlebnikov)
Solution: Clear the user data pointer of the newest entry.
(zeertzjq, Konstantin Khlebnikov)
fixes: neovim/neovim#27498
closes: vim/vim#14053
https://github.com/vim/vim/commit/c86bff1771ed9c340f8f4433ae5530fd6de97980
Cherry-pick Test_tag_stack() changes from patch 9.0.0767.
Co-authored-by: Konstantin Khlebnikov <koct9i@gmail.com>
Diffstat:
2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/nvim/tag.c b/src/nvim/tag.c
@@ -388,7 +388,7 @@ void do_tag(char *tag, int type, int count, int forceit, bool verbose)
for (int i = 1; i < tagstacklen; i++) {
tagstack[i - 1] = tagstack[i];
}
- tagstackidx--;
+ tagstack[--tagstackidx].user_data = NULL;
}
// put the tag name in the tag stack
diff --git a/test/old/testdir/test_tagjump.vim b/test/old/testdir/test_tagjump.vim
@@ -907,14 +907,14 @@ func Test_tag_last_search_pat()
\ "first\tXfoo\t/^int first() {}/",
\ "second\tXfoo\t/^int second() {}/",
\ "third\tXfoo\t/^int third() {}/"],
- \ 'Xtags')
+ \ 'Xtags', 'D')
set tags=Xtags
let code =<< trim [CODE]
int first() {}
int second() {}
int third() {}
[CODE]
- call writefile(code, 'Xfoo')
+ call writefile(code, 'Xfoo', 'D')
enew
let save_cpo = &cpo
@@ -924,8 +924,6 @@ func Test_tag_last_search_pat()
call assert_equal('^int second() {}', @/)
let &cpo = save_cpo
- call delete('Xtags')
- call delete('Xfoo')
set tags&
%bwipe
endfunc
@@ -936,27 +934,42 @@ func Test_tag_stack()
for i in range(10, 31)
let l += ["var" .. i .. "\tXfoo\t/^int var" .. i .. ";$/"]
endfor
- call writefile(l, 'Xtags')
+ call writefile(l, 'Xtags', 'D')
set tags=Xtags
let l = []
for i in range(10, 31)
let l += ["int var" .. i .. ";"]
endfor
- call writefile(l, 'Xfoo')
+ call writefile(l, 'Xfoo', 'D')
- " Jump to a tag when the tag stack is full. Oldest entry should be removed.
enew
+ " Jump to a tag when the tag stack is full. Oldest entry should be removed.
for i in range(10, 30)
exe "tag var" .. i
endfor
- let l = gettagstack()
- call assert_equal(20, l.length)
- call assert_equal('var11', l.items[0].tagname)
+ let t = gettagstack()
+ call assert_equal(20, t.length)
+ call assert_equal('var11', t.items[0].tagname)
+ let full = deepcopy(t.items)
tag var31
- let l = gettagstack()
- call assert_equal('var12', l.items[0].tagname)
- call assert_equal('var31', l.items[19].tagname)
+ let t = gettagstack()
+ call assert_equal('var12', t.items[0].tagname)
+ call assert_equal('var31', t.items[19].tagname)
+
+ " Jump to a tag when the tag stack is full, but with user data this time.
+ call foreach(full, {i, item -> extend(item, {'user_data': $'udata{i}'})})
+ call settagstack(0, {'items': full})
+ let t = gettagstack()
+ call assert_equal(20, t.length)
+ call assert_equal('var11', t.items[0].tagname)
+ call assert_equal('udata0', t.items[0].user_data)
+ tag var31
+ let t = gettagstack()
+ call assert_equal('var12', t.items[0].tagname)
+ call assert_equal('udata1', t.items[0].user_data)
+ call assert_equal('var31', t.items[19].tagname)
+ call assert_false(has_key(t.items[19], 'user_data'))
" Use tnext with a single match
call assert_fails('tnext', 'E427:')
@@ -988,8 +1001,6 @@ func Test_tag_stack()
call settagstack(1, {'items' : []})
call assert_fails('pop', 'E73:')
- call delete('Xtags')
- call delete('Xfoo')
set tags&
%bwipe
endfunc
