From 32acf1f1a72ebb9d8942b9c9d80023bf1bb668ea Mon Sep 17 00:00:00 2001 From: Bram Moolenaar Date: Thu, 7 Jul 2022 22:20:31 +0100 Subject: [PATCH] patch 9.0.0047: using freed memory with recursive substitute Problem: Using freed memory with recursive substitute. Solution: Always make a copy for reg_prev_sub. --- src/ex_cmds.c | 11 ++++++++++- src/regexp.c | 8 ++++---- src/testdir/test_regexp_latin.vim | 12 ++++++++++++ 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/src/ex_cmds.c b/src/ex_cmds.c index 0a22f59..5a90c2f 100644 --- a/src/ex_cmds.c +++ b/src/ex_cmds.c @@ -3881,7 +3881,16 @@ do_sub(exarg_T *eap) sub_copy = sub; } else - sub = regtilde(sub, p_magic); + { + char_u *newsub = regtilde(sub, p_magic); + + if (newsub != sub) + { + // newsub was allocated, free it later. + sub_copy = newsub; + sub = newsub; + } + } /* * Check for a match on each line. diff --git a/src/regexp.c b/src/regexp.c index 6849cba..c2f29c8 100644 --- a/src/regexp.c +++ b/src/regexp.c @@ -1761,11 +1761,11 @@ regtilde(char_u *source, int magic) } } + // Store a copy of newsub in reg_prev_sub. It is always allocated, + // because recursive calls may make the returned string invalid. vim_free(reg_prev_sub); - if (newsub != source) // newsub was allocated, just keep it - reg_prev_sub = newsub; - else // no ~ found, need to save newsub - reg_prev_sub = vim_strsave(newsub); + reg_prev_sub = vim_strsave(newsub); + return newsub; } diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim index a242d91..b668f87 100644 --- a/src/testdir/test_regexp_latin.vim +++ b/src/testdir/test_regexp_latin.vim @@ -172,3 +172,15 @@ func Test_using_invalid_visual_position() /\%V bwipe! endfunc + +func Test_recursive_substitute_expr() + new + func Repl() + s + endfunc + silent! s/\%')/~\=Repl() + + bwipe! + delfunc Repl +endfunc + -- 1.8.3.1
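Review bot: The `else` branch in do_sub() now takes ownership of the string returned by regtilde(), but the release through `sub_copy` happens outside this hunk, so every exit path after this point has to reach that free or the allocation leaks. The rest of do_sub() is not visible here, so this is something to confirm, not a confirmed leak. The inline comment could state the contract, not just the intent, for example `// regtilde() returned allocated memory; do_sub() owns it and frees it via sub_copy.`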
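Review bot: With `reg_prev_sub = vim_strsave(newsub);` the returned `newsub` is no longer kept alive by reg_prev_sub, so whenever it differs from `source` the caller must free it. The header comment of regtilde(), which lies outside this hunk, should say so, e.g. `// Returns "source" unchanged or an allocated string that the caller must free.` Any caller other than do_sub() that is not part of this patch would otherwise leak the result. vim_strsave() returns NULL on allocation failure, which here silently drops the previous substitute string. The removed `else` branch behaved the same way, so a short comment that NULL is acceptable would be enough.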
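Review bot: Test_recursive_substitute_expr() has no assertion and runs the substitute under `silent!`, so it can only fail when the suite runs under a memory checker such as ASAN or valgrind. A leading comment would make that dependency explicit, e.g. `" This was using freed memory; only detected with ASAN or valgrind.` Without it, a later reader may take the test for a no-op and remove it.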