patch 9.1.0115: Using freed memory with full tag stack and user data
Problem:  Using freed memory with full tag stack and user data
          (Konstantin Khlebnikov)
Solution: Clear the user data pointer of the newest entry.
          (zeertzjq, Konstantin Khlebnikov)
fixes: neovim/neovim#27498
closes: #14053
Co-authored-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: Christian Brabandt <cb@256bit.org>
			
			
This commit is contained in:
		
				
					committed by
					
						 Christian Brabandt
						Christian Brabandt
					
				
			
			
				
	
			
			
			
						parent
						
							026b17404a
						
					
				
				
					commit
					c86bff1771
				
			| @ -1,4 +1,4 @@ | ||||
| *testing.txt*	For Vim version 9.1.  Last change: 2024 Jan 23 | ||||
| *testing.txt*	For Vim version 9.1.  Last change: 2024 Feb 18 | ||||
|  | ||||
|  | ||||
| 		  VIM REFERENCE MANUAL	  by Bram Moolenaar | ||||
|  | ||||
| @ -395,7 +395,7 @@ do_tag( | ||||
| 		    tagstack_clear_entry(&tagstack[0]); | ||||
| 		    for (i = 1; i < tagstacklen; ++i) | ||||
| 			tagstack[i - 1] = tagstack[i]; | ||||
| 		    --tagstackidx; | ||||
| 		    tagstack[--tagstackidx].user_data = NULL; | ||||
| 		} | ||||
|  | ||||
| 		/* | ||||
|  | ||||
| @ -900,18 +900,33 @@ func Test_tag_stack() | ||||
|   endfor | ||||
|   call writefile(l, 'Xfoo', 'D') | ||||
|  | ||||
|   " Jump to a tag when the tag stack is full. Oldest entry should be removed. | ||||
|   enew | ||||
|   " Jump to a tag when the tag stack is full. Oldest entry should be removed. | ||||
|   for i in range(10, 30) | ||||
|     exe "tag var" .. i | ||||
|   endfor | ||||
|   let l = gettagstack() | ||||
|   call assert_equal(20, l.length) | ||||
|   call assert_equal('var11', l.items[0].tagname) | ||||
|   let t = gettagstack() | ||||
|   call assert_equal(20, t.length) | ||||
|   call assert_equal('var11', t.items[0].tagname) | ||||
|   let full = deepcopy(t.items) | ||||
|   tag var31 | ||||
|   let l = gettagstack() | ||||
|   call assert_equal('var12', l.items[0].tagname) | ||||
|   call assert_equal('var31', l.items[19].tagname) | ||||
|   let t = gettagstack() | ||||
|   call assert_equal('var12', t.items[0].tagname) | ||||
|   call assert_equal('var31', t.items[19].tagname) | ||||
|  | ||||
|   " Jump to a tag when the tag stack is full, but with user data this time. | ||||
|   call foreach(full, {i, item -> extend(item, {'user_data': $'udata{i}'})}) | ||||
|   call settagstack(0, {'items': full}) | ||||
|   let t = gettagstack() | ||||
|   call assert_equal(20, t.length) | ||||
|   call assert_equal('var11', t.items[0].tagname) | ||||
|   call assert_equal('udata0', t.items[0].user_data) | ||||
|   tag var31 | ||||
|   let t = gettagstack() | ||||
|   call assert_equal('var12', t.items[0].tagname) | ||||
|   call assert_equal('udata1', t.items[0].user_data) | ||||
|   call assert_equal('var31', t.items[19].tagname) | ||||
|   call assert_false(has_key(t.items[19], 'user_data')) | ||||
|  | ||||
|   " Use tnext with a single match | ||||
|   call assert_fails('tnext', 'E427:') | ||||
|  | ||||
| @ -704,6 +704,8 @@ static char *(features[]) = | ||||
|  | ||||
| static int included_patches[] = | ||||
| {   /* Add new patch number below this line */ | ||||
| /**/ | ||||
|     115, | ||||
| /**/ | ||||
|     114, | ||||
| /**/ | ||||
|  | ||||
		Reference in New Issue
	
	Block a user