To: vim_dev@googlegroups.com

Subject: Patch 7.3.1280

Fcc: outbox

From: Bram Moolenaar <Bram@moolenaar.net>

Mime-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

------------

Patch 7.3.1280

Problem:    Reading memory already freed since patch 7.3.1247. (Simon

	    Ruderich, Dominique Pelle)

Solution:   Copy submatches before reallocating the state list.

Files:	    src/regexp_nfa.c

*** ../vim-7.3.1279/src/regexp_nfa.c	2013-06-30 13:17:18.000000000 +0200

--- src/regexp_nfa.c	2013-06-30 23:17:46.000000000 +0200

***************

*** 3538,3544 ****

  static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen));

  static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));

  static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));

! static void addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int off));

  static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip));

  /*

--- 3538,3544 ----

  static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen));

  static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));

  static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));

! static regsubs_T *addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs_arg, nfa_pim_T *pim, int off));

  static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip));

  /*

***************

*** 3832,3844 ****

      return FALSE;

  }

!     static void

! addstate(l, state, subs, pim, off)

!     nfa_list_T		*l;	/* runtime state list */

!     nfa_state_T		*state;	/* state to update */

!     regsubs_T		*subs;	/* pointers to subexpressions */

!     nfa_pim_T		*pim;   /* postponed look-behind match */

!     int			off;	/* byte offset, when -1 go to next line */

  {

      int			subidx;

      nfa_thread_T	*thread;

--- 3832,3849 ----

      return FALSE;

  }

! /*

!  * Add "state" and possibly what follows to state list ".".

!  * Returns "subs_arg", possibly copied into temp_subs.

!  */

! 

!     static regsubs_T *

! addstate(l, state, subs_arg, pim, off)

!     nfa_list_T		*l;	    /* runtime state list */

!     nfa_state_T		*state;	    /* state to update */

!     regsubs_T		*subs_arg;  /* pointers to subexpressions */

!     nfa_pim_T		*pim;	    /* postponed look-behind match */

!     int			off;	    /* byte offset, when -1 go to next line */

  {

      int			subidx;

      nfa_thread_T	*thread;

***************

*** 3847,3852 ****

--- 3852,3859 ----

      char_u		*save_ptr;

      int			i;

      regsub_T		*sub;

+     regsubs_T		*subs = subs_arg;

+     static regsubs_T	temp_subs;

  #ifdef ENABLE_LOG

      int			did_print = FALSE;

  #endif

***************

*** 3941,3947 ****

  		    fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n",

  			    abs(state->id), l->id, state->c, code);

  #endif

! 		    return;

  		}

  		/* Do not add the state again when it exists with the same

--- 3948,3954 ----

  		    fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n",

  			    abs(state->id), l->id, state->c, code);

  #endif

! 		    return subs;

  		}

  		/* Do not add the state again when it exists with the same

***************

*** 3956,3961 ****

--- 3963,3980 ----

  	    {

  		int newlen = l->len * 3 / 2 + 50;

+ 		if (subs != &temp_subs)

+ 		{

+ 		    /* "subs" may point into the current array, need to make a

+ 		     * copy before it becomes invalid. */

+ 		    copy_sub(&temp_subs.norm, &subs->norm);

+ #ifdef FEAT_SYN_HL

+ 		    if (nfa_has_zsubexpr)

+ 			copy_sub(&temp_subs.synt, &subs->synt);

+ #endif

+ 		    subs = &temp_subs;

+ 		}

+ 

  		l->t = vim_realloc(l->t, newlen * sizeof(nfa_thread_T));

  		l->len = newlen;

  	    }

***************

*** 3991,4004 ****

  	case NFA_SPLIT:

  	    /* order matters here */

! 	    addstate(l, state->out, subs, pim, off);

! 	    addstate(l, state->out1, subs, pim, off);

  	    break;

  	case NFA_SKIP_CHAR:

  	case NFA_NOPEN:

  	case NFA_NCLOSE:

! 	    addstate(l, state->out, subs, pim, off);

  	    break;

  	case NFA_MOPEN:

--- 4010,4023 ----

  	case NFA_SPLIT:

  	    /* order matters here */

! 	    subs = addstate(l, state->out, subs, pim, off);

! 	    subs = addstate(l, state->out1, subs, pim, off);

  	    break;

  	case NFA_SKIP_CHAR:

  	case NFA_NOPEN:

  	case NFA_NCLOSE:

! 	    subs = addstate(l, state->out, subs, pim, off);

  	    break;

  	case NFA_MOPEN:

***************

*** 4094,4100 ****

  		sub->list.line[subidx].start = reginput + off;

  	    }

! 	    addstate(l, state->out, subs, pim, off);

  	    if (save_in_use == -1)

  	    {

--- 4113,4119 ----

  		sub->list.line[subidx].start = reginput + off;

  	    }

! 	    subs = addstate(l, state->out, subs, pim, off);

  	    if (save_in_use == -1)

  	    {

***************

*** 4112,4118 ****

  	    {

  		/* Do not overwrite the position set by \ze. If no \ze

  		 * encountered end will be set in nfa_regtry(). */

! 		addstate(l, state->out, subs, pim, off);

  		break;

  	    }

  	case NFA_MCLOSE1:

--- 4131,4137 ----

  	    {

  		/* Do not overwrite the position set by \ze. If no \ze

  		 * encountered end will be set in nfa_regtry(). */

! 		subs = addstate(l, state->out, subs, pim, off);

  		break;

  	    }

  	case NFA_MCLOSE1:

***************

*** 4181,4187 ****

  		sub->list.line[subidx].end = reginput + off;

  	    }

! 	    addstate(l, state->out, subs, pim, off);

  	    if (REG_MULTI)

  		sub->list.multi[subidx].end = save_lpos;

--- 4200,4206 ----

  		sub->list.line[subidx].end = reginput + off;

  	    }

! 	    subs = addstate(l, state->out, subs, pim, off);

  	    if (REG_MULTI)

  		sub->list.multi[subidx].end = save_lpos;

***************

*** 4190,4195 ****

--- 4209,4215 ----

  	    sub->in_use = save_in_use;

  	    break;

      }

+     return subs;

  }

  /*

*** ../vim-7.3.1279/src/version.c	2013-06-30 22:43:22.000000000 +0200

--- src/version.c	2013-06-30 23:23:02.000000000 +0200

***************

*** 730,731 ****

--- 730,733 ----

  {   /* Add new patch number below this line */

+ /**/

+     1280,

  /**/

-- 

DENNIS:  Listen -- strange women lying in ponds distributing swords is no

         basis for a system of government.  Supreme executive power derives

         from a mandate from the masses, not from some farcical aquatic

         ceremony.

                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\

///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\

\\\  an exciting new programming language -- http://www.Zimbu.org        ///

 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///