patch 9.0.0530: using freed memory when autocmd changes mark

Problem: Using freed memory when autocmd changes mark. Solution: Copy the mark before editing another buffer.
vim · Sep 21, 2022 · 8ecfa2c · 8ecfa2c
1 parent 8eaee1f
commit 8ecfa2c
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 5 deletions.
diff --git a/src/mark.c b/src/mark.c
@@ -221,17 +221,19 @@ movemark(int count)
 	    fname2fnum(jmp);
 	if (jmp->fmark.fnum != curbuf->b_fnum)
 	{
-	    // jump to other file
-	    if (buflist_findnr(jmp->fmark.fnum) == NULL)
+	    // Make a copy, an autocommand may make "jmp" invalid.
+	    fmark_T fmark = jmp->fmark;
+
+	    // jump to the file with the mark
+	    if (buflist_findnr(fmark.fnum) == NULL)
 	    {					     // Skip this one ..
 		count += count < 0 ? -1 : 1;
 		continue;
 	    }
-	    if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
-							    0, FALSE) == FAIL)
+	    if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
 		return (pos_T *)NULL;
 	    // Set lnum again, autocommands my have changed it
-	    curwin->w_cursor = jmp->fmark.mark;
+	    curwin->w_cursor = fmark.mark;
 	    pos = (pos_T *)-1;
 	}
 	else

diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
@@ -305,4 +305,17 @@ func Test_getmarklist()
   close!
 endfunc
 
+" This was using freed memory
+func Test_jump_mark_autocmd()
+  next 00
+  edit 0
+  sargument
+  au BufEnter 0 all
+  sil norm 
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
@@ -699,6 +699,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    530,
 /**/
     529,
 /**/