vim-patch:8.2.3513: using freed memory when using a timer and searching (#21519)

Problem: Using freed memory when using a timer and searching. (Dominique Pellé) Solution: Allocated mr_pattern. a2cff1dbc9 Restore xfree(strcopy) removed in ported patch 8.1.1270. Co-authored-by: Bram Moolenaar <Bram@vim.org>
2025-02-25 18:55:25 -06:00 · 2022-12-24 09:07:03 +08:00 · 2022-12-24 09:07:03 +08:00 · 4d4e697ef0
commit 4d4e697ef0
parent 3b9bd7bd43
1 changed files with 17 additions and 17 deletions
--- a/src/nvim/search.c
+++ b/src/nvim/search.c
@ -103,11 +103,12 @@ static int lastc_bytelen = 1;             // >1 for multi-byte char
 // copy of spats[], for keeping the search patterns while executing autocmds
 static struct spat saved_spats[2];
 static char *saved_mr_pattern = NULL;
 static int saved_spats_last_idx = 0;
 static bool saved_spats_no_hlsearch = false;
-static char_u *mr_pattern = NULL;    // pattern used by search_regcomp()
+// allocated copy of pattern used by search_regcomp()
-static bool mr_pattern_alloced = false;    // mr_pattern was allocated
+static char *mr_pattern = NULL;
 // Type used by find_pattern_in_path() to remember which included files have
 // been searched already.
@ -168,16 +169,11 @@ int search_regcomp(char_u *pat, char_u **used_pat, int pat_save, int pat_use, in
    *used_pat = pat;
  }
-  if (mr_pattern_alloced) {
+  xfree(mr_pattern);
    xfree(mr_pattern);
    mr_pattern_alloced = false;
  }
  if (curwin->w_p_rl && *curwin->w_p_rlc == 's') {
-    mr_pattern = (char_u *)reverse_text((char *)pat);
+    mr_pattern = reverse_text((char *)pat);
    mr_pattern_alloced = true;
  } else {
-    mr_pattern = pat;
+    mr_pattern = xstrdup((char *)pat);
  }
  // Save the currently used pattern in the appropriate place,
@ -202,8 +198,8 @@ int search_regcomp(char_u *pat, char_u **used_pat, int pat_save, int pat_use, in
  return OK;
 }
-// Get search pattern used by search_regcomp().
+/// Get search pattern used by search_regcomp().
-char_u *get_search_pat(void)
+char *get_search_pat(void)
 {
  return mr_pattern;
 }
@ -241,6 +237,11 @@ void save_search_patterns(void)
    if (spats[1].pat != NULL) {
      saved_spats[1].pat = xstrdup(spats[1].pat);
    }
    if (mr_pattern == NULL) {
      saved_mr_pattern = NULL;
    } else {
      saved_mr_pattern = xstrdup(mr_pattern);
    }
    saved_spats_last_idx = last_idx;
    saved_spats_no_hlsearch = no_hlsearch;
  }
@ -254,6 +255,8 @@ void restore_search_patterns(void)
    set_vv_searchforward();
    free_spat(&spats[1]);
    spats[1] = saved_spats[1];
    xfree(mr_pattern);
    mr_pattern = saved_mr_pattern;
    last_idx = saved_spats_last_idx;
    set_no_hlsearch(saved_spats_no_hlsearch);
  }
@ -273,11 +276,7 @@ void free_search_patterns(void)
  CLEAR_FIELD(spats);
-  if (mr_pattern_alloced) {
+  XFREE_CLEAR(mr_pattern);
    xfree(mr_pattern);
    mr_pattern_alloced = false;
    mr_pattern = NULL;
  }
 }
 #endif
@ -1413,6 +1412,7 @@ end_do_search:
  if ((options & SEARCH_KEEP) || (cmdmod.cmod_flags & CMOD_KEEPPATTERNS)) {
    spats[0].off = old_off;
  }
  xfree(strcopy);
  xfree(msgbuf);
  return retval;