diff options
| author | Bram Moolenaar <Bram@vim.org> | 2022-05-18 13:11:57 +0100 |
|---|---|---|
| committer | Bram Moolenaar <Bram@vim.org> | 2022-05-18 13:11:57 +0100 |
| commit | e2bd8600b873d2cd1f9d667c28cba8b1dba18839 (patch) | |
| tree | 64b679c01edbe4d0c1e131f0f132fd66bd2c1bcf /src | |
| parent | b1040dc11fa15818eda724c35a334f460cf98005 (diff) | |
patch 8.2.4977: memory access error when substitute expression changes windowv8.2.4977
Problem: Memory access error when substitute expression changes window.
Solution: Disallow changing window in substitute expression.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ex_cmds.c | 11 | ||||
| -rw-r--r-- | src/testdir/test_substitute.vim | 13 | ||||
| -rw-r--r-- | src/version.c | 2 |
3 files changed, 26 insertions, 0 deletions
diff --git a/src/ex_cmds.c b/src/ex_cmds.c index 7e730becb4..210e21fe7a 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -4412,12 +4412,17 @@ ex_substitute(exarg_T *eap) // Save flags for recursion. They can change for e.g. // :s/^/\=execute("s#^##gn") subflags_save = subflags; + + // Disallow changing text or switching window in an expression. + ++textwinlock; #endif // get length of substitution part sublen = vim_regsub_multi(®match, sub_firstlnum - regmatch.startpos[0].lnum, sub, sub_firstline, FALSE, magic_isset(), TRUE); #ifdef FEAT_EVAL + --textwinlock; + // If getting the substitute string caused an error, don't do // the replacement. // Don't keep flags set by a recursive call. @@ -4518,9 +4523,15 @@ ex_substitute(exarg_T *eap) mch_memmove(new_end, sub_firstline + copycol, (size_t)copy_len); new_end += copy_len; +#ifdef FEAT_EVAL + ++textwinlock; +#endif (void)vim_regsub_multi(®match, sub_firstlnum - regmatch.startpos[0].lnum, sub, new_end, TRUE, magic_isset(), TRUE); +#ifdef FEAT_EVAL + --textwinlock; +#endif sub_nsubs++; did_sub = TRUE; diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim index f3fd7ab1ce..a1c324ed8d 100644 --- a/src/testdir/test_substitute.vim +++ b/src/testdir/test_substitute.vim @@ -1000,6 +1000,19 @@ func Test_using_old_sub() set nocompatible endfunc +" This was switching windows in between computing the length and using it. +func Test_sub_change_window() + silent! lfile + sil! norm o0000000000000000000000000000000000000000000000000000 + func Repl() + lopen + endfunc + silent! s/\%')/\=Repl() + bwipe! + bwipe! + delfunc Repl +endfunc + " Test for the 2-letter and 3-letter :substitute commands func Test_substitute_short_cmd() new diff --git a/src/version.c b/src/version.c index 4c63ea0771..782642b5d5 100644 --- a/src/version.c +++ b/src/version.c @@ -747,6 +747,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 4977, +/**/ 4976, /**/ 4975, |