From d747548c664815bb6e8520afa90b6108e1997591 Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Sat, 10 Oct 2020 20:31:37 +0200 Subject: patch 8.2.1825: Vim9: accessing freed memory Problem: Vim9: accessing freed memory. Solution: Clear sv_name when the variable is deleted. --- src/ex_eval.c | 32 +++++++++++++++++++------------- src/version.c | 2 ++ 2 files changed, 21 insertions(+), 13 deletions(-) (limited to 'src') diff --git a/src/ex_eval.c b/src/ex_eval.c index 6a7087b683..d205cafc47 100644 --- a/src/ex_eval.c +++ b/src/ex_eval.c @@ -925,22 +925,28 @@ leave_block(cstack_T *cstack) if (in_vim9script()) { - scriptitem_T *si = SCRIPT_ITEM(current_sctx.sc_sid); + scriptitem_T *si = SCRIPT_ITEM(current_sctx.sc_sid); + hashtab_T *ht = get_script_local_ht(); - for (i = cstack->cs_script_var_len[cstack->cs_idx]; - i < si->sn_var_vals.ga_len; ++i) + if (ht != NULL) { - svar_T *sv = ((svar_T *)si->sn_var_vals.ga_data) + i; - hashtab_T *ht = get_script_local_ht(); - hashitem_T *hi; - - if (ht != NULL) + for (i = cstack->cs_script_var_len[cstack->cs_idx]; + i < si->sn_var_vals.ga_len; ++i) { - // Remove a variable declared inside the block, if it still - // exists. - hi = hash_find(ht, sv->sv_name); - if (!HASHITEM_EMPTY(hi)) - delete_var(ht, hi); + svar_T *sv = ((svar_T *)si->sn_var_vals.ga_data) + i; + hashitem_T *hi; + + if (sv->sv_name != NULL) + { + // Remove a variable declared inside the block, if it still + // exists. + hi = hash_find(ht, sv->sv_name); + if (!HASHITEM_EMPTY(hi)) + { + delete_var(ht, hi); + sv->sv_name = NULL; + } + } } } } diff --git a/src/version.c b/src/version.c index e7e863be16..789e104938 100644 --- a/src/version.c +++ b/src/version.c @@ -750,6 +750,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1825, /**/ 1824, /**/ -- cgit v1.2.3