patch 7.4.2323
Problem: Using freed memory when using 'formatexpr'. (Dominique Pelle)
Solution: Make a copy of 'formatexpr' before evaluating it.
diff --git a/src/ops.c b/src/ops.c
index c03c7be..4bef6c5 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -4741,6 +4741,7 @@
int use_sandbox = was_set_insecurely((char_u *)"formatexpr",
OPT_LOCAL);
int r;
+ char_u *fex;
/*
* Set v:lnum to the first line number and v:count to the number of lines.
@@ -4750,16 +4751,22 @@
set_vim_var_nr(VV_COUNT, count);
set_vim_var_char(c);
+ /* Make a copy, the option could be changed while calling it. */
+ fex = vim_strsave(curbuf->b_p_fex);
+ if (fex == NULL)
+ return 0;
+
/*
* Evaluate the function.
*/
if (use_sandbox)
++sandbox;
- r = (int)eval_to_number(curbuf->b_p_fex);
+ r = (int)eval_to_number(fex);
if (use_sandbox)
--sandbox;
set_vim_var_string(VV_CHAR, NULL, -1);
+ vim_free(fex);
return r;
}
diff --git a/src/testdir/test_normal.vim b/src/testdir/test_normal.vim
index 98cb775..34561ff 100644
--- a/src/testdir/test_normal.vim
+++ b/src/testdir/test_normal.vim
@@ -192,6 +192,30 @@
bw!
endfu
+func Test_normal05_formatexpr_newbuf()
+ " Edit another buffer in the 'formatexpr' function
+ new
+ func! Format()
+ edit another
+ endfunc
+ set formatexpr=Format()
+ norm gqG
+ bw!
+ set formatexpr=
+endfunc
+
+func Test_normal05_formatexpr_setopt()
+ " Change the 'formatexpr' value in the function
+ new
+ func! Format()
+ set formatexpr=
+ endfunc
+ set formatexpr=Format()
+ norm gqG
+ bw!
+ set formatexpr=
+endfunc
+
func! Test_normal06_formatprg()
" basic test for formatprg
" only test on non windows platform
diff --git a/src/version.c b/src/version.c
index 155d9dd..85121d6 100644
--- a/src/version.c
+++ b/src/version.c
@@ -764,6 +764,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 2323,
+/**/
2322,
/**/
2321,