patch 9.0.0221: accessing freed memory if compiling nested function fails
Problem: Accessing freed memory if compiling nested function fails.
Solution: Mess up the variable name so that it won't be found.
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 5c75457..fd7182d 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -911,6 +911,18 @@
v9.CheckScriptFailure(lines, 'E1173: Text found after enddef: burp', 3)
enddef
+def Test_nested_function_fails()
+ var lines =<< trim END
+ def T()
+ def Func(g: string):string
+ enddef
+ Func()
+ enddef
+ silent! defcompile
+ END
+ v9.CheckScriptFailure(lines, 'E1069:')
+enddef
+
def Test_not_nested_function()
echo printf('%d',
function('len')('xxx'))
diff --git a/src/version.c b/src/version.c
index a6293e0..03d641f 100644
--- a/src/version.c
+++ b/src/version.c
@@ -736,6 +736,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 221,
+/**/
220,
/**/
219,
diff --git a/src/vim9compile.c b/src/vim9compile.c
index 98fc84c..d1e2c87 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -830,6 +830,7 @@
int r = FAIL;
compiletype_T compile_type;
isn_T *funcref_isn = NULL;
+ lvar_T *lvar = NULL;
if (eap->forceit)
{
@@ -936,9 +937,8 @@
else
{
// Define a local variable for the function reference.
- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start,
+ lvar = reserve_local(cctx, func_name, name_end - name_start,
TRUE, ufunc->uf_func_type);
-
if (lvar == NULL)
goto theend;
if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -957,6 +957,9 @@
&& compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
{
func_ptr_unref(ufunc);
+ if (lvar != NULL)
+ // Now the local variable can't be used.
+ *lvar->lv_name = '/'; // impossible value
goto theend;
}