patch 9.0.0487: using freed memory with combination of closures Problem: Using freed memory with combination of closures. Solution: Do not use a partial after it has been freed through the funcstack.

commit: acd6b9976bd939035025a16ceb4213a680827927 [log] [tgz]
author: Bram Moolenaar <Bram@vim.org> Sat Sep 17 16:27:39 2022 +0100
committer: Bram Moolenaar <Bram@vim.org> Sat Sep 17 16:27:39 2022 +0100
tree: 916b389f97f7a4094336ed69e9ab35d264718b0c
parent: d5bc762dea1fd32fa04342f8149f95ccfc3b9709 [diff] [blame]
diff --git a/src/eval.c b/src/eval.c
index f280e2a..3209d08 100644
--- a/src/eval.c
+++ b/src/eval.c

@@ -4876,6 +4876,8 @@
 {
     if (pt != NULL)
     {
+	int	done = FALSE;
+
 	if (--pt->pt_refcount <= 0)
 	    partial_free(pt);
 
@@ -4883,9 +4885,12 @@
 	// only reference and can be freed if no other partials reference it.
 	else if (pt->pt_refcount == 1)
 	{
+	    // careful: if the funcstack is freed it may contain this partial
+	    // and it gets freed as well
 	    if (pt->pt_funcstack != NULL)
-		funcstack_check_refcount(pt->pt_funcstack);
-	    if (pt->pt_loopvars != NULL)
+		done = funcstack_check_refcount(pt->pt_funcstack);
+
+	    if (!done && pt->pt_loopvars != NULL)
 		loopvars_check_refcount(pt->pt_loopvars);
 	}
     }
commit	acd6b9976bd939035025a16ceb4213a680827927	[log] [tgz]
author	Bram Moolenaar <Bram@vim.org>	Sat Sep 17 16:27:39 2022 +0100
committer	Bram Moolenaar <Bram@vim.org>	Sat Sep 17 16:27:39 2022 +0100
tree	916b389f97f7a4094336ed69e9ab35d264718b0c
parent	d5bc762dea1fd32fa04342f8149f95ccfc3b9709 [diff] [blame]