patch 9.0.0554: using freed memory when command follows lambda
Problem: Using freed memory when command follows lambda.
Solution: Don't free what is still in use. (closes #11201)
diff --git a/src/eval.c b/src/eval.c
index 77f0d7f..bdf0389 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -382,23 +382,34 @@
{
if (evalarg != NULL)
{
- if (evalarg->eval_tofree != NULL)
+ garray_T *etga = &evalarg->eval_tofree_ga;
+
+ if (evalarg->eval_tofree != NULL || evalarg->eval_using_cmdline)
{
if (eap != NULL)
{
// We may need to keep the original command line, e.g. for
- // ":let" it has the variable names. But we may also need the
- // new one, "nextcmd" points into it. Keep both.
+ // ":let" it has the variable names. But we may also need
+ // the new one, "nextcmd" points into it. Keep both.
vim_free(eap->cmdline_tofree);
eap->cmdline_tofree = *eap->cmdlinep;
- *eap->cmdlinep = evalarg->eval_tofree;
+
+ if (evalarg->eval_using_cmdline && etga->ga_len > 0)
+ {
+ // "nextcmd" points into the last line in eval_tofree_ga,
+ // need to keep it around.
+ --etga->ga_len;
+ *eap->cmdlinep = ((char_u **)etga->ga_data)[etga->ga_len];
+ }
+ else
+ *eap->cmdlinep = evalarg->eval_tofree;
}
else
vim_free(evalarg->eval_tofree);
evalarg->eval_tofree = NULL;
}
- ga_clear_strings(&evalarg->eval_tofree_ga);
+ ga_clear_strings(etga);
VIM_CLEAR(evalarg->eval_tofree_lambda);
}
}
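Review bot: In the new `eval_using_cmdline && etga->ga_len > 0` branch, `*eap->cmdlinep` takes ownership of the last string in `eval_tofree_ga`, but `evalarg->eval_tofree` is then set to NULL a few lines below without being freed or handed over, so it leaks if it was non-NULL on entry. Whether both can be set at once is not visible from this hunk; if they can, add `vim_free(evalarg->eval_tofree);` in that branch after the `*eap->cmdlinep` assignment. The widened outer condition also lets the `else` path run with `eval_tofree == NULL` (flag set, array empty), which would store NULL in `*eap->cmdlinep` after the original line has already moved to `cmdline_tofree`; a guard, or a comment stating why that state cannot occur, would make the ownership rules here easier to audit. The function's signature lies outside the hunk.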