patch 9.1.0115: Using freed memory with full tag stack and user data

Problem:  Using freed memory with full tag stack and user data
          (Konstantin Khlebnikov)
Solution: Clear the user data pointer of the newest entry.
          (zeertzjq, Konstantin Khlebnikov)

fixes: neovim/neovim#27498
closes: #14053

Co-authored-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
zeertzjq
2024-02-18 18:53:08 +01:00
committed by Christian Brabandt
parent 026b17404a
commit c86bff1771
4 changed files with 26 additions and 9 deletions

View File

@ -1,4 +1,4 @@
*testing.txt* For Vim version 9.1. Last change: 2024 Jan 23
*testing.txt* For Vim version 9.1. Last change: 2024 Feb 18
VIM REFERENCE MANUAL by Bram Moolenaar

View File

@ -395,7 +395,7 @@ do_tag(
tagstack_clear_entry(&tagstack[0]);
for (i = 1; i < tagstacklen; ++i)
tagstack[i - 1] = tagstack[i];
--tagstackidx;
tagstack[--tagstackidx].user_data = NULL;
}
/*

View File

@ -900,18 +900,33 @@ func Test_tag_stack()
endfor
call writefile(l, 'Xfoo', 'D')
" Jump to a tag when the tag stack is full. Oldest entry should be removed.
enew
" Jump to a tag when the tag stack is full. Oldest entry should be removed.
for i in range(10, 30)
exe "tag var" .. i
endfor
let l = gettagstack()
call assert_equal(20, l.length)
call assert_equal('var11', l.items[0].tagname)
let t = gettagstack()
call assert_equal(20, t.length)
call assert_equal('var11', t.items[0].tagname)
let full = deepcopy(t.items)
tag var31
let l = gettagstack()
call assert_equal('var12', l.items[0].tagname)
call assert_equal('var31', l.items[19].tagname)
let t = gettagstack()
call assert_equal('var12', t.items[0].tagname)
call assert_equal('var31', t.items[19].tagname)
" Jump to a tag when the tag stack is full, but with user data this time.
call foreach(full, {i, item -> extend(item, {'user_data': $'udata{i}'})})
call settagstack(0, {'items': full})
let t = gettagstack()
call assert_equal(20, t.length)
call assert_equal('var11', t.items[0].tagname)
call assert_equal('udata0', t.items[0].user_data)
tag var31
let t = gettagstack()
call assert_equal('var12', t.items[0].tagname)
call assert_equal('udata1', t.items[0].user_data)
call assert_equal('var31', t.items[19].tagname)
call assert_false(has_key(t.items[19], 'user_data'))
" Use tnext with a single match
call assert_fails('tnext', 'E427:')

View File

@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
115,
/**/
114,
/**/