patch 9.0.0026: accessing freed memory with diff put
Problem:    Accessing freed memory with diff put.
Solution:   Bail out when diff pointer is no longer valid.
brammool committed Jul 2, 2022
1 parent c6fdb15 commit c5274dd
Showing 2 changed files with 24 additions and 2 deletions.
24 changes: 22 additions & 2 deletions src/diff.c
@@ -2642,6 +2642,20 @@ nv_diffgetput(int put, long count)
ex_diffgetput(&ea);
}

/*
* Return TRUE if "diff" appears in the list of diff blocks of the current tab.
*/
static int
valid_diff(diff_T *diff)
{
diff_T *dp;

for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
if (dp == diff)
return TRUE;
return FALSE;
}

/*
* ":diffget"
* ":diffput"
@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap)
}
}

// Adjust marks. This will change the following entries!
if (added != 0)
{
// Adjust marks. This will change the following entries!
mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
if (curwin->w_cursor.lnum >= lnum)
{
@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap)
#endif
vim_free(dfree);
}
else

// mark_adjust() may have made "dp" invalid. We don't know where
// to continue then, bail out.
if (added != 0 && !valid_diff(dp))
break;

if (dfree == NULL)
// mark_adjust() may have changed the count in a wrong way
dp->df_count[idx_to] = new_count;

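Review bot: valid_diff() only proves that the address held in `dp` is still linked into `curtab->tp_first_diff`, not that it is the same block ex_diffgetput() was working on before mark_adjust() ran. If mark_adjust() can free that block and a new diff_T is then allocated at the same address and linked into the list (not visible from this page), `!valid_diff(dp)` is false and `dp->df_count[idx_to] = new_count;` writes into an unrelated block. I would at least state that limit in the helper's comment, e.g. `Compares addresses only; a block freed and reallocated at the same address is not detected.` The lines between mark_adjust() and the new check are collapsed here, so it is worth confirming that none of them dereference `dp`; and since the commit touches only src/diff.c and src/version.c, a regression test that reproduces the freed-memory access under a memory checker would keep this path covered. ex_diffgetput() starts and ends outside the shown hunks.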
2 changes: 2 additions & 0 deletions src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
/**/
26,
/**/
25,
/**/