To: vim_dev@googlegroups.com
Subject: Patch 7.3.1280
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------
Patch 7.3.1280
Problem: Reading memory already freed since patch 7.3.1247. (Simon
Ruderich, Dominique Pelle)
Solution: Copy submatches before reallocating the state list.
Files: src/regexp_nfa.c
*** ../vim-7.3.1279/src/regexp_nfa.c 2013-06-30 13:17:18.000000000 +0200
--- src/regexp_nfa.c 2013-06-30 23:17:46.000000000 +0200
***************
*** 3538,3544 ****
static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen));
static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));
static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));
! static void addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int off));
static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip));
/*
--- 3538,3544 ----
static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen));
static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));
static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs));
! static regsubs_T *addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs_arg, nfa_pim_T *pim, int off));
static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip));
/*
***************
*** 3832,3844 ****
return FALSE;
}
! static void
! addstate(l, state, subs, pim, off)
! nfa_list_T *l; /* runtime state list */
! nfa_state_T *state; /* state to update */
! regsubs_T *subs; /* pointers to subexpressions */
! nfa_pim_T *pim; /* postponed look-behind match */
! int off; /* byte offset, when -1 go to next line */
{
int subidx;
nfa_thread_T *thread;
--- 3832,3849 ----
return FALSE;
}
! /*
! * Add "state" and possibly what follows to state list ".".
! * Returns "subs_arg", possibly copied into temp_subs.
! */
!
! static regsubs_T *
! addstate(l, state, subs_arg, pim, off)
! nfa_list_T *l; /* runtime state list */
! nfa_state_T *state; /* state to update */
! regsubs_T *subs_arg; /* pointers to subexpressions */
! nfa_pim_T *pim; /* postponed look-behind match */
! int off; /* byte offset, when -1 go to next line */
{
int subidx;
nfa_thread_T *thread;
***************
*** 3847,3852 ****
--- 3852,3859 ----
char_u *save_ptr;
int i;
regsub_T *sub;
+ regsubs_T *subs = subs_arg;
+ static regsubs_T temp_subs;
#ifdef ENABLE_LOG
int did_print = FALSE;
#endif
***************
*** 3941,3947 ****
fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n",
abs(state->id), l->id, state->c, code);
#endif
! return;
}
/* Do not add the state again when it exists with the same
--- 3948,3954 ----
fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n",
abs(state->id), l->id, state->c, code);
#endif
! return subs;
}
/* Do not add the state again when it exists with the same
***************
*** 3956,3961 ****
--- 3963,3980 ----
{
int newlen = l->len * 3 / 2 + 50;
+ if (subs != &temp_subs)
+ {
+ /* "subs" may point into the current array, need to make a
+ * copy before it becomes invalid. */
+ copy_sub(&temp_subs.norm, &subs->norm);
+ #ifdef FEAT_SYN_HL
+ if (nfa_has_zsubexpr)
+ copy_sub(&temp_subs.synt, &subs->synt);
+ #endif
+ subs = &temp_subs;
+ }
+
l->t = vim_realloc(l->t, newlen * sizeof(nfa_thread_T));
l->len = newlen;
}
***************
*** 3991,4004 ****
case NFA_SPLIT:
/* order matters here */
! addstate(l, state->out, subs, pim, off);
! addstate(l, state->out1, subs, pim, off);
break;
case NFA_SKIP_CHAR:
case NFA_NOPEN:
case NFA_NCLOSE:
! addstate(l, state->out, subs, pim, off);
break;
case NFA_MOPEN:
--- 4010,4023 ----
case NFA_SPLIT:
/* order matters here */
! subs = addstate(l, state->out, subs, pim, off);
! subs = addstate(l, state->out1, subs, pim, off);
break;
case NFA_SKIP_CHAR:
case NFA_NOPEN:
case NFA_NCLOSE:
! subs = addstate(l, state->out, subs, pim, off);
break;
case NFA_MOPEN:
***************
*** 4094,4100 ****
sub->list.line[subidx].start = reginput + off;
}
! addstate(l, state->out, subs, pim, off);
if (save_in_use == -1)
{
--- 4113,4119 ----
sub->list.line[subidx].start = reginput + off;
}
! subs = addstate(l, state->out, subs, pim, off);
if (save_in_use == -1)
{
***************
*** 4112,4118 ****
{
/* Do not overwrite the position set by \ze. If no \ze
* encountered end will be set in nfa_regtry(). */
! addstate(l, state->out, subs, pim, off);
break;
}
case NFA_MCLOSE1:
--- 4131,4137 ----
{
/* Do not overwrite the position set by \ze. If no \ze
* encountered end will be set in nfa_regtry(). */
! subs = addstate(l, state->out, subs, pim, off);
break;
}
case NFA_MCLOSE1:
***************
*** 4181,4187 ****
sub->list.line[subidx].end = reginput + off;
}
! addstate(l, state->out, subs, pim, off);
if (REG_MULTI)
sub->list.multi[subidx].end = save_lpos;
--- 4200,4206 ----
sub->list.line[subidx].end = reginput + off;
}
! subs = addstate(l, state->out, subs, pim, off);
if (REG_MULTI)
sub->list.multi[subidx].end = save_lpos;
***************
*** 4190,4195 ****
--- 4209,4215 ----
sub->in_use = save_in_use;
break;
}
+ return subs;
}
/*
*** ../vim-7.3.1279/src/version.c 2013-06-30 22:43:22.000000000 +0200
--- src/version.c 2013-06-30 23:23:02.000000000 +0200
***************
*** 730,731 ****
--- 730,733 ----
{ /* Add new patch number below this line */
+ /**/
+ 1280,
/**/
--
DENNIS: Listen -- strange women lying in ponds distributing swords is no
basis for a system of government. Supreme executive power derives
from a mandate from the masses, not from some farcical aquatic
ceremony.
The Quest for the Holy Grail (Monty Python)
/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///