patch 9.0.0221: accessing freed memory if compiling nested function fails
Problem: Accessing freed memory if compiling nested function fails.
Solution: Mess up the variable name so that it won't be found.
diff --git a/src/vim9compile.c b/src/vim9compile.c
index 98fc84c..d1e2c87 100644
--- a/src/vim9compile.c
+++ b/src/vim9compile.c
@@ -830,6 +830,7 @@
int r = FAIL;
compiletype_T compile_type;
isn_T *funcref_isn = NULL;
+ lvar_T *lvar = NULL;
if (eap->forceit)
{
@@ -936,9 +937,8 @@
else
{
// Define a local variable for the function reference.
- lvar_T *lvar = reserve_local(cctx, func_name, name_end - name_start,
+ lvar = reserve_local(cctx, func_name, name_end - name_start,
TRUE, ufunc->uf_func_type);
-
if (lvar == NULL)
goto theend;
if (generate_FUNCREF(cctx, ufunc, &funcref_isn) == FAIL)
@@ -957,6 +957,9 @@
&& compile_def_function(ufunc, TRUE, compile_type, cctx) == FAIL)
{
func_ptr_unref(ufunc);
+ if (lvar != NULL)
+ // Now the local variable can't be used.
+ *lvar->lv_name = '/'; // impossible value
goto theend;
}
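Review bot: The new write `*lvar->lv_name = '/'` in the compile_def_function() failure branch dereferences two pointers that the visible lines never validate at that point: `lvar`, obtained from reserve_local() in the previous hunk, and `lv_name`, which is not checked anywhere. If reserve_local() returns a pointer into a growable array, or can leave `lv_name` NULL after an allocation failure (neither is visible here, so confirm against its definition), this fix for one freed-memory access would add another invalid write. Guarding with `if (lvar != NULL && lvar->lv_name != NULL)` and bracing the body covers the NULL case. The comment should also state the reason, for example `// ufunc was just unreferenced: overwrite the first byte of the name with '/', which cannot occur in a variable name, so later lookups cannot find this local and reach the freed function`. The generate_FUNCREF() failure exit at the end of the previous hunk leaves the reserved local untouched and its body lies outside the hunk, so that path deserves the same check; the enclosing function starts and ends outside all three hunks.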