commit d2d3be0a4a65f623e95b2eac1abf215233ba9f00
parent 9e9322b222566c0f92bb6df034d9b316317c81d5
Author: zeertzjq <zeertzjq@outlook.com>
Date: Thu, 10 Mar 2022 16:40:45 +0800
vim-patch:8.2.3949: using freed memory with /\%V
Problem: Using freed memory with /\%V.
Solution: Get the line again after getvvcol().
https://github.com/vim/vim/commit/4c13e5e6763c6eb36a343a2b8235ea227202e952
Diffstat:
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/nvim/regexp.c b/src/nvim/regexp.c
@@ -1136,8 +1136,8 @@ static bool reg_match_visual(void)
return false;
}
+ col = (colnr_T)(rex.input - rex.line);
if (mode == 'v') {
- col = (colnr_T)(rex.input - rex.line);
if ((lnum == top.lnum && col < top.col)
|| (lnum == bot.lnum && col >= bot.col + (*p_sel != 'e'))) {
return false;
@@ -1152,8 +1152,12 @@ static bool reg_match_visual(void)
if (top.col == MAXCOL || bot.col == MAXCOL || curswant == MAXCOL) {
end = MAXCOL;
}
- unsigned int cols_u = win_linetabsize(wp, rex.line,
- (colnr_T)(rex.input - rex.line));
+
+ // getvvcol() flushes rex.line, need to get it again
+ rex.line = reg_getline(rex.lnum);
+ rex.input = rex.line + col;
+
+ unsigned int cols_u = win_linetabsize(wp, rex.line, col);
assert(cols_u <= MAXCOL);
colnr_T cols = (colnr_T)cols_u;
if (cols < start || cols > end - (*p_sel == 'e')) {
diff --git a/src/nvim/testdir/test_regexp_latin.vim b/src/nvim/testdir/test_regexp_latin.vim
@@ -795,4 +795,12 @@ func Test_using_mark_position()
bwipe!
endfunc
+func Test_using_visual_position()
+ " this was using freed memory
+ new
+ exe "norm 0o\<Esc>\<C-V>k\<C-X>o0"
+ /\%V
+ bwipe!
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
