Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_vim / c86bff1771ed9c340f8f4433ae5530fd6de97980^! / . / src
commitc86bff1771ed9c340f8f4433ae5530fd6de97980[log] [tgz]
authorzeertzjq <zeertzjq@outlook.com>Sun Feb 18 18:53:08 2024 +0100
committerChristian Brabandt <cb@256bit.org>Sun Feb 18 18:57:07 2024 +0100
treee36a2fc5b221480d2b7a0266298159c2232d855e
parent026b17404aa3b6e01c4ee5f14a174f33c53f4401 [diff]
patch 9.1.0115: Using freed memory with full tag stack and user data

Problem:  Using freed memory with full tag stack and user data
          (Konstantin Khlebnikov)
Solution: Clear the user data pointer of the newest entry.
          (zeertzjq, Konstantin Khlebnikov)

fixes: neovim/neovim#27498
closes: #14053

Co-authored-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Konstantin Khlebnikov koct9i@gmail.com
Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/tag.c b/src/tag.c
index 893415f..3df767d 100644
--- a/src/tag.c
+++ b/src/tag.c

@@ -395,7 +395,7 @@
 		    tagstack_clear_entry(&tagstack[0]);
 		    for (i = 1; i < tagstacklen; ++i)
 			tagstack[i - 1] = tagstack[i];
-		    --tagstackidx;
+		    tagstack[--tagstackidx].user_data = NULL;
 		}
 
 		/*

diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
index 8b85bd6..2abf1f6 100644
--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim

@@ -900,18 +900,33 @@
   endfor
   call writefile(l, 'Xfoo', 'D')
 
-  " Jump to a tag when the tag stack is full. Oldest entry should be removed.
   enew
+  " Jump to a tag when the tag stack is full. Oldest entry should be removed.
   for i in range(10, 30)
     exe "tag var" .. i
   endfor
-  let l = gettagstack()
-  call assert_equal(20, l.length)
-  call assert_equal('var11', l.items[0].tagname)
+  let t = gettagstack()
+  call assert_equal(20, t.length)
+  call assert_equal('var11', t.items[0].tagname)
+  let full = deepcopy(t.items)
   tag var31
-  let l = gettagstack()
-  call assert_equal('var12', l.items[0].tagname)
-  call assert_equal('var31', l.items[19].tagname)
+  let t = gettagstack()
+  call assert_equal('var12', t.items[0].tagname)
+  call assert_equal('var31', t.items[19].tagname)
+
+  " Jump to a tag when the tag stack is full, but with user data this time.
+  call foreach(full, {i, item -> extend(item, {'user_data': $'udata{i}'})})
+  call settagstack(0, {'items': full})
+  let t = gettagstack()
+  call assert_equal(20, t.length)
+  call assert_equal('var11', t.items[0].tagname)
+  call assert_equal('udata0', t.items[0].user_data)
+  tag var31
+  let t = gettagstack()
+  call assert_equal('var12', t.items[0].tagname)
+  call assert_equal('udata1', t.items[0].user_data)
+  call assert_equal('var31', t.items[19].tagname)
+  call assert_false(has_key(t.items[19], 'user_data'))
 
   " Use tnext with a single match
   call assert_fails('tnext', 'E427:')

diff --git a/src/version.c b/src/version.c
index bcb1d7c..80cdfbc 100644
--- a/src/version.c
+++ b/src/version.c

@@ -705,6 +705,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    115,
+/**/
     114,
 /**/
     113,