From 1889f499a4f248cd84e0e0bf6d0d820016774494 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Tue, 16 Aug 2022 19:34:44 +0100
Subject: [PATCH] patch 9.0.0221: accessing freed memory if compiling nested function fails
Problem: Accessing freed memory if compiling nested function fails.
Solution: Mess up the variable name so that it won't be found.
---
 src/testdir/test_vim9_func.vim | 12 ++++++++++++
 src/version.c | 2 ++
 src/vim9compile.c | 7 +++++--
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 5c7545784f3d6..fd7182d50e082 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -911,6 +911,18 @@ def Test_nested_function()
 v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3)
 enddef
+def Test_nested_function_fails()
+ var lines =<< trim END
+ def T()
+ def Func(g: string):string
+ enddef
+ Func()
+ enddef
+ silent! defcompile
+ END
+ v9.CheckScriptFailure(lines, 'E1069:')
+enddef
+
 def Test_not_nested_function()
 echo printf('%d', function('len')('xxx'))
diff --git a/src/version.c b/src/version.c
index a6293e0cfa162..03d641fd77f74 100644
--- a/src/version.c
+++ b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 221,
 /**/
 220,
 /**/
diff --git a/src/vim9compile.c b/src/vim9compile.c
index 98fc84c58a4cb..d1e2c87fd82c6 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -830,6 +830,7 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
 int r = FAIL;
 compiletype_T compile_type;
 isn_T *funcref_isn = NULL;
+ lvar_T *lvar = NULL;
 if (eap->forceit)
 {
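Review bot: `Test_nested_function_fails` asserts only that the script fails with `E1069:`, so on a build without a memory checker such as ASan or Valgrind it would likely still pass if the freed-memory access came back. A comment at the top of the function body would tell a later reader why the test exists and how a regression shows up, e.g. `# This was accessing freed memory; a regression is only visible under a memory checker`. The nested `Func` has an empty body and `Func()` is called without its argument, and the comment could also say which of the two is meant to trigger the failing compile.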
@@ -936,9 +937,8 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
 else
 {
 // Define a local variable for the function reference.
- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start,
+ lvar = reserve_local(cctx, func_name, name_end - name_start,
 TRUE, ufunc->uf_func_type);
-
 if (lvar == NULL)
 goto theend;
 if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -957,6 +957,9 @@ compile_nested_function(exarg_T *eap, cctx_T *cctx, garray_T *lines_to_free)
 && compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
 {
 func_ptr_unref(ufunc);
+ if (lvar != NULL)
+ // Now the local variable can't be used.
+ *lvar->lv_name = '/'; // impossible value
 goto theend;
 }
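Review bot: In the failure branch of the last hunk, `*lvar->lv_name = '/';` only hides the local from lookup by name; the slot reserved by `reserve_local()` in the previous hunk stays in the compile context, and its type was taken from `ufunc->uf_func_type`, which presumably belongs to the function that `func_ptr_unref(ufunc)` has just released. If any path walks the locals without going through the name, that pointer is still reachable, so either say in the comment why name lookup is the only consumer or also reset the type, e.g. `lvar->lv_type = &t_any;`. The unbraced `if` with a comment line between the condition and its single statement is fragile under later edits; braces around the body would make the scope explicit. The write assumes `lv_name` is a non-empty buffer owned by the local, which these hunks do not show, and `compile_nested_function` begins and ends outside them.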