From ecc8bc482ba601b9301a6c129c92a0d1f8527f72 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Sun, 13 Jan 2019 16:07:21 +0100
Subject: patch 8.1.0738: using freed memory, for loop over blob leaks memory
Problem: Using freed memory, for loop over blob leaks memory.
Solution: Clear pointer after freeing memory. Decrement reference count after for loop over blob.
---
 src/eval.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
(limited to 'src/eval.c')
diff --git a/src/eval.c b/src/eval.c
index 993a5bc73b..a5e358fe15 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2615,6 +2615,8 @@ eval_for_line(
 clear_tv(&tv);
 else
 {
+ // No need to increment the refcount, it's already set for
+ // the blob being used in "tv".
 fi->fi_blob = b;
 fi->fi_bi = 0;
 }
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
 list_rem_watch(fi->fi_list, &fi->fi_lw);
 list_unref(fi->fi_list);
 }
+ if (fi != NULL && fi->fi_blob != NULL)
+ blob_unref(fi->fi_blob);
 vim_free(fi);
 }
@@ -4217,8 +4221,12 @@ eval7(
 {
 if (!vim_isxdigit(bp[1]))
 {
- EMSG(_("E973: Blob literal should have an even number of hex characters"));
- vim_free(blob);
+ if (blob != NULL)
+ {
+ EMSG(_("E973: Blob literal should have an even number of hex characters"));
+ ga_clear(&blob->bv_ga);
+ VIM_CLEAR(blob);
+ }
 ret = FAIL;
 break;
 }
@@ -4227,11 +4235,7 @@ eval7(
 (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
 }
 if (blob != NULL)
- {
- ++blob->bv_refcount;
- rettv->v_type = VAR_BLOB;
- rettv->vval.v_blob = blob;
- }
+ rettv_blob_set(rettv, blob);
 *arg = bp;
 }
 else
--
cgit v1.2.3
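Review bot: In free_for_info the new `blob_unref(fi->fi_blob)` releases a reference whose origin is only documented on the other side, in the eval_for_line comment added by the first hunk; the release site should say so too, e.g. `// Release the reference taken over from "tv" in eval_for_line().`. The unref also assumes fi_blob is NULL whenever no blob loop was set up, which depends on fi being zero-initialised where it is allocated; that allocation is outside this hunk and is worth confirming, since a stale pointer here would turn into an invalid free. As a style point, both cleanup branches repeat `fi != NULL`, and a single `if (fi == NULL) return;` at the top would make the list and blob releases read symmetrically. The function body starts above the hunk.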
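Review bot: In the eval7 odd-digit error path the blob is torn down by hand with `ga_clear(&blob->bv_ga); VIM_CLEAR(blob);`, which duplicates whatever the blob module does when it frees a blob and will drift if the blob struct gains another owned member. If a free helper is exported alongside blob_unref, calling it and then setting `blob = NULL;` keeps the teardown in one place; the NULL assignment is the part that matters, because the `if (blob != NULL)` test after the loop (last hunk) is what keeps the freed pointer out of rettv. A short comment such as `// "blob" is tested again after the loop, it must not dangle` would record that dependency. E973 is now reported only when blob is non-NULL, so if blob can be NULL here because allocation failed rather than because evaluation is skipped (not visible in the hunk), the caller gets FAIL with no message.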