vim-patch:8.0.1218: writing to freed memory in autocmd

Problem: Writing to freed memory in autocmd. Solution: Make a copy of the tag line. (Dominique Pelle, closes vim/vim#2245) 8d84ff1a3c
2025-02-25 18:55:25 -06:00 · 2018-08-14 10:18:08 -04:00 · 2018-08-14 10:18:08 -04:00 · 5e38ff105c
commit 5e38ff105c
parent 84569693e1
2 changed files with 40 additions and 10 deletions
--- a/src/nvim/tag.c
+++ b/src/nvim/tag.c
@ -2217,6 +2217,16 @@ static bool test_for_static(tagptrs_T *tagp)
  return FALSE;
 }

+// Returns the length of a matching tag line.
+static size_t matching_line_len(const char_u *const lbuf)
+{
+  const char_u *p = lbuf + 1;
+
+  // does the same thing as parse_match()
+  p += STRLEN(p) + 2;
+  return (p - lbuf) + STRLEN(p);
+}
+
 /*
 * Parse a line from a matching tag.  Does not change the line itself.
 *
@ -2300,11 +2310,10 @@ static char_u *tag_full_fname(tagptrs_T *tagp)
 *
 * returns OK for success, NOTAGFILE when file not found, FAIL otherwise.
 */
-static int 
-jumpto_tag (
-    char_u *lbuf,              /* line from the tags file for this tag */
-    int forceit,                    /* :ta with ! */
-    int keep_help                  /* keep help flag (FALSE for cscope) */
+static int jumpto_tag(
+    const char_u *lbuf_arg,   // line from the tags file for this tag
+    int forceit,              // :ta with !
+    int keep_help             // keep help flag (FALSE for cscope)
 )
 {
  int save_secure;
@ -2312,7 +2321,6 @@ jumpto_tag (
  bool save_p_ws;
  int save_p_scs, save_p_ic;
  linenr_T save_lnum;
-  int csave = 0;
  char_u      *str;
  char_u      *pbuf;                    /* search pattern buffer */
  char_u      *pbuf_end;
@ -2327,6 +2335,9 @@ jumpto_tag (
  char_u      *full_fname = NULL;
  int old_KeyTyped = KeyTyped;              /* getting the file may reset it */
  const int l_g_do_tagpreview = g_do_tagpreview;
+  const size_t len = matching_line_len(lbuf_arg) + 1;
+  char_u *lbuf = xmalloc(len);
+  memmove(lbuf, lbuf_arg, len);

  pbuf = xmalloc(LSIZE);

@ -2336,8 +2347,7 @@ jumpto_tag (
    goto erret;
  }

-  /* truncate the file name, so it can be used as a string */
-  csave = *tagp.fname_end;
+  // truncate the file name, so it can be used as a string
  *tagp.fname_end = NUL;
  fname = tagp.fname;

@ -2447,7 +2457,10 @@ jumpto_tag (
    else
      keep_help_flag = curbuf->b_help;
  }
+
  if (getfile_result == GETFILE_UNUSED) {
+    // Careful: getfile() may trigger autocommands and call jumpto_tag()
+    // recursively.
    getfile_result = getfile(0, fname, NULL, true, (linenr_T)0, forceit);
  }
  keep_help_flag = false;
@ -2606,8 +2619,7 @@ jumpto_tag (

 erret:
  g_do_tagpreview = 0;   /* For next time */
-  if (tagp.fname_end != NULL)
-    *tagp.fname_end = csave;
+  xfree(lbuf);
  xfree(pbuf);
  xfree(tofree_fname);
  xfree(full_fname);
--- a/src/nvim/testdir/test_autocmd.vim
+++ b/src/nvim/testdir/test_autocmd.vim
@ -248,6 +248,24 @@ func Test_augroup_warning()
  au! VimEnter
 endfunc

+func Test_BufReadCmdHelp()
+  " This used to cause access to free memory
+  au BufReadCmd * e +h
+  help
+
+  helpclose
+  au! BufReadCmd
+endfunc
+
+func Test_BufReadCmdHelpJump()
+  " This used to cause access to free memory
+  au BufReadCmd * e +h{
+  help
+
+  helpclose
+  au! BufReadCmd
+endfunc
+
 func Test_augroup_deleted()
  " This caused a crash before E936 was introduced
  augroup x