patch 9.0.0047: using freed memory with recursive substitute Problem: Using freed memory with recursive substitute. Solution: Always make a copy for reg_prev_sub.

commit: 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea [log] [tgz]
author: Bram Moolenaar <Bram@vim.org> Thu Jul 07 22:20:31 2022 +0100
committer: Bram Moolenaar <Bram@vim.org> Thu Jul 07 22:20:31 2022 +0100
tree: 2e7f8098e185f03d1c8eb8ffcdc40bc24343d849
parent: baefde14550231f6468ac2ed2ed495bc381c0c92 [diff] [blame]
diff --git a/src/regexp.c b/src/regexp.c
index 2cbe64e..f35a5e8 100644
--- a/src/regexp.c
+++ b/src/regexp.c

@@ -1766,11 +1766,11 @@
 	}
     }
 
+    // Store a copy of newsub  in reg_prev_sub.  It is always allocated,
+    // because recursive calls may make the returned string invalid.
     vim_free(reg_prev_sub);
-    if (newsub != source)	// newsub was allocated, just keep it
-	reg_prev_sub = newsub;
-    else			// no ~ found, need to save newsub
-	reg_prev_sub = vim_strsave(newsub);
+    reg_prev_sub = vim_strsave(newsub);
+
     return newsub;
 }
commit	32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea	[log] [tgz]
author	Bram Moolenaar <Bram@vim.org>	Thu Jul 07 22:20:31 2022 +0100
committer	Bram Moolenaar <Bram@vim.org>	Thu Jul 07 22:20:31 2022 +0100
tree	2e7f8098e185f03d1c8eb8ffcdc40bc24343d849
parent	baefde14550231f6468ac2ed2ed495bc381c0c92 [diff] [blame]