patch 8.2.3923: Vim9: double free with split argument list in nested function
Problem: Vim9: double free if a nested function has a line break in the
argument list.
Solution: Set cmdlinep when freeing the previous line.
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 1a14c10..88c0af8 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -1669,7 +1669,7 @@
assert_fails('FuncWithForwardCall()', 'E1096:', '', 1, 'FuncWithForwardCall')
enddef
-def Test_nested_functin_with_nextcmd()
+def Test_nested_function_with_nextcmd()
var lines =<< trim END
vim9script
# Define an outer function
@@ -1689,6 +1689,24 @@
CheckScriptFailure(lines, 'E476: Invalid command: AAAAA')
enddef
+def Test_nested_function_with_args_split()
+ var lines =<< trim END
+ vim9script
+ def FirstFunction()
+ def SecondFunction(
+ )
+ # had a double free if the right parenthesis of the nested function is
+ # on the next line
+
+ enddef|BBBB
+ enddef
+ # Compile all functions
+ defcompile
+ END
+ # FIXME: this should fail on the BBBB
+ CheckScriptSuccess(lines)
+enddef
+
def Test_return_type_wrong()
CheckScriptFailure([
'def Func(): number',
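Review bot: The added Test_nested_function_with_args_split asserts only `CheckScriptSuccess(lines)`, so on a normal build it passes whenever the script does not error, whether or not the double free is still present. The memory error would reliably fail the test only when the suite runs under a memory checker such as ASan or valgrind, or if the allocator happens to abort. I would say so in the test, for example `# Only detects the double free reliably when run under ASan or valgrind`. The FIXME also records that the trailing `|BBBB` is silently accepted, so the assertion should become a `CheckScriptFailure` once that parsing gap is fixed.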
diff --git a/src/userfunc.c b/src/userfunc.c
index e1028e7..a7cbac3 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -219,6 +219,8 @@
if (theline == NULL)
break;
vim_free(*line_to_free);
+ if (*eap->cmdlinep == *line_to_free)
+ *eap->cmdlinep = theline;
*line_to_free = theline;
whitep = (char_u *)" ";
p = skipwhite(theline);
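Review bot: The added comparison `*eap->cmdlinep == *line_to_free` reads the value of `*line_to_free` after `vim_free(*line_to_free)` has already released it. It is never dereferenced and works in practice, but the value of a pointer to freed storage is formally indeterminate in C, and static analyzers tend to flag it as use-after-free. Doing the check first avoids this: `if (*eap->cmdlinep == *line_to_free) *eap->cmdlinep = theline;` followed by `vim_free(*line_to_free);`. A short comment would also help, such as `// cmdlinep may alias the line being freed; repoint it so the caller does not free it again`, which is inferred from the commit message because the caller is not visible. The enclosing function starts and ends outside the hunk, so whether `eap->cmdlinep` can be NULL on this path cannot be confirmed from here.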
diff --git a/src/version.c b/src/version.c
index 6c8bced..5d22d98 100644
--- a/src/version.c
+++ b/src/version.c
@@ -750,6 +750,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 3923,
+/**/
3922,
/**/
3921,