patch 9.0.0047: using freed memory with recursive substitute
Problem: Using freed memory with recursive substitute.
Solution: Always make a copy for reg_prev_sub.
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
index eb3016f..5253863 100644
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -3994,7 +3994,16 @@
sub_copy = sub;
}
else
- sub = regtilde(sub, magic_isset());
+ {
+ char_u *newsub = regtilde(sub, magic_isset());
+
+ if (newsub != sub)
+ {
+ // newsub was allocated, free it later.
+ sub_copy = newsub;
+ sub = newsub;
+ }
+ }
/*
* Check for a match on each line.
diff --git a/src/regexp.c b/src/regexp.c
index 2cbe64e..f35a5e8 100644
--- a/src/regexp.c
+++ b/src/regexp.c
@@ -1766,11 +1766,11 @@
}
}
+ // Store a copy of newsub in reg_prev_sub. It is always allocated,
+ // because recursive calls may make the returned string invalid.
vim_free(reg_prev_sub);
- if (newsub != source) // newsub was allocated, just keep it
- reg_prev_sub = newsub;
- else // no ~ found, need to save newsub
- reg_prev_sub = vim_strsave(newsub);
+ reg_prev_sub = vim_strsave(newsub);
+
return newsub;
}
diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
index 1fe4699..dce6709 100644
--- a/src/testdir/test_regexp_latin.vim
+++ b/src/testdir/test_regexp_latin.vim
@@ -1114,4 +1114,15 @@
bwipe!
endfunc
+func Test_recursive_substitute_expr()
+ new
+ func Repl()
+ s
+ endfunc
+ silent! s/\%')/~\=Repl()
+
+ bwipe!
+ delfunc Repl
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index de8e968..2d917a8 100644
--- a/src/version.c
+++ b/src/version.c
@@ -736,6 +736,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 47,
+/**/
46,
/**/
45,