To: vim_dev@googlegroups.com Subject: Patch 7.3.1280 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 7.3.1280 Problem: Reading memory already freed since patch 7.3.1247. (Simon Ruderich, Dominique Pelle) Solution: Copy submatches before reallocating the state list. Files: src/regexp_nfa.c *** ../vim-7.3.1279/src/regexp_nfa.c 2013-06-30 13:17:18.000000000 +0200 --- src/regexp_nfa.c 2013-06-30 23:17:46.000000000 +0200 *************** *** 3538,3544 **** static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen)); static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs)); static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs)); ! static void addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int off)); static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip)); /* --- 3538,3544 ---- static int match_backref __ARGS((regsub_T *sub, int subidx, int *bytelen)); static int has_state_with_pos __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs)); static int state_in_list __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs)); ! static regsubs_T *addstate __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs_arg, nfa_pim_T *pim, int off)); static void addstate_here __ARGS((nfa_list_T *l, nfa_state_T *state, regsubs_T *subs, nfa_pim_T *pim, int *ip)); /* *************** *** 3832,3844 **** return FALSE; } ! static void ! addstate(l, state, subs, pim, off) ! nfa_list_T *l; /* runtime state list */ ! nfa_state_T *state; /* state to update */ ! regsubs_T *subs; /* pointers to subexpressions */ ! nfa_pim_T *pim; /* postponed look-behind match */ ! int off; /* byte offset, when -1 go to next line */ { int subidx; nfa_thread_T *thread; --- 3832,3849 ---- return FALSE; } ! /* ! 
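Review bot: The prototype block changes `addstate` to return `regsubs_T *` but leaves `addstate_here` as `static void` with a plain `subs` parameter, so a caller of `addstate_here` cannot learn that its pointer was replaced. If `addstate_here` forwards to `addstate` on the same list (its body is not part of this patch), the pointer passed in may refer to a slot of `l->t` that has since been reallocated. It is worth confirming that nothing reads through the original pointer after such a call, and adding a prototype comment such as `/* returns the subs to use from now on; the argument may be stale */`.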
* Add "state" and possibly what follows to state list ".". ! * Returns "subs_arg", possibly copied into temp_subs. ! */ ! ! static regsubs_T * ! addstate(l, state, subs_arg, pim, off) ! nfa_list_T *l; /* runtime state list */ ! nfa_state_T *state; /* state to update */ ! regsubs_T *subs_arg; /* pointers to subexpressions */ ! nfa_pim_T *pim; /* postponed look-behind match */ ! int off; /* byte offset, when -1 go to next line */ { int subidx; nfa_thread_T *thread; *************** *** 3847,3852 **** --- 3852,3859 ---- char_u *save_ptr; int i; regsub_T *sub; + regsubs_T *subs = subs_arg; + static regsubs_T temp_subs; #ifdef ENABLE_LOG int did_print = FALSE; #endif *************** *** 3941,3947 **** fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n", abs(state->id), l->id, state->c, code); #endif ! return; } /* Do not add the state again when it exists with the same --- 3948,3954 ---- fprintf(log_fd, "> Not adding state %d to list %d. char %d: %s\n", abs(state->id), l->id, state->c, code); #endif ! return subs; } /* Do not add the state again when it exists with the same *************** *** 3956,3961 **** --- 3963,3980 ---- { int newlen = l->len * 3 / 2 + 50; + if (subs != &temp_subs) + { + /* "subs" may point into the current array, need to make a + * copy before it becomes invalid. */ + copy_sub(&temp_subs.norm, &subs->norm); + #ifdef FEAT_SYN_HL + if (nfa_has_zsubexpr) + copy_sub(&temp_subs.synt, &subs->synt); + #endif + subs = &temp_subs; + } + l->t = vim_realloc(l->t, newlen * sizeof(nfa_thread_T)); l->len = newlen; } *************** *** 3991,4004 **** case NFA_SPLIT: /* order matters here */ ! addstate(l, state->out, subs, pim, off); ! addstate(l, state->out1, subs, pim, off); break; case NFA_SKIP_CHAR: case NFA_NOPEN: case NFA_NCLOSE: ! addstate(l, state->out, subs, pim, off); break; case NFA_MOPEN: --- 4010,4023 ---- case NFA_SPLIT: /* order matters here */ ! subs = addstate(l, state->out, subs, pim, off); ! 
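Review bot: The new header comment on `addstate` does not say how long the returned pointer stays valid, and `state list "."` looks like a typo for `"l"`. Because `temp_subs` is declared `static` inside the function, the return value can alias one buffer shared by every invocation, so it is only meaningful until a later call copies into it again. I would extend the comment along the lines of `/* The result may point to a static buffer: use it instead of "subs_arg" and do not keep it across an unrelated addstate() call. */`.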
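Review bot: In the grow path (new lines 3963-3980) the `vim_realloc()` result is stored straight into `l->t` and `l->len` is raised unconditionally. If the call can return NULL as plain `realloc()` does, the old array is lost and the list claims capacity it does not have; the new copy into `temp_subs` protects `subs` but not the list. Assigning to a temporary first keeps the list consistent, e.g. `newt = vim_realloc(l->t, newlen * sizeof(nfa_thread_T)); if (newt == NULL) /* keep l->t and l->len, report failure */`. `newlen` is also computed in `int` as `l->len * 3 / 2 + 50` before the multiplication by the element size, so an upper bound on `l->len` deserves a check or a comment. The realloc line is unchanged context, and the rest of the function lies outside the hunk.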
subs = addstate(l, state->out1, subs, pim, off); break; case NFA_SKIP_CHAR: case NFA_NOPEN: case NFA_NCLOSE: ! subs = addstate(l, state->out, subs, pim, off); break; case NFA_MOPEN: *************** *** 4094,4100 **** sub->list.line[subidx].start = reginput + off; } ! addstate(l, state->out, subs, pim, off); if (save_in_use == -1) { --- 4113,4119 ---- sub->list.line[subidx].start = reginput + off; } ! subs = addstate(l, state->out, subs, pim, off); if (save_in_use == -1) { *************** *** 4112,4118 **** { /* Do not overwrite the position set by \ze. If no \ze * encountered end will be set in nfa_regtry(). */ ! addstate(l, state->out, subs, pim, off); break; } case NFA_MCLOSE1: --- 4131,4137 ---- { /* Do not overwrite the position set by \ze. If no \ze * encountered end will be set in nfa_regtry(). */ ! subs = addstate(l, state->out, subs, pim, off); break; } case NFA_MCLOSE1: *************** *** 4181,4187 **** sub->list.line[subidx].end = reginput + off; } ! addstate(l, state->out, subs, pim, off); if (REG_MULTI) sub->list.multi[subidx].end = save_lpos; --- 4200,4206 ---- sub->list.line[subidx].end = reginput + off; } ! subs = addstate(l, state->out, subs, pim, off); if (REG_MULTI) sub->list.multi[subidx].end = save_lpos; *************** *** 4190,4195 **** --- 4209,4215 ---- sub->in_use = save_in_use; break; } + return subs; } /* *** ../vim-7.3.1279/src/version.c 2013-06-30 22:43:22.000000000 +0200 --- src/version.c 2013-06-30 23:23:02.000000000 +0200 *************** *** 730,731 **** --- 730,733 ---- { /* Add new patch number below this line */ + /**/ + 1280, /**/ -- DENNIS: Listen -- strange women lying in ponds distributing swords is no basis for a system of government. Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony. 
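Review bot: In the hunk at new lines 4200-4206, the code after `subs = addstate(l, state->out, subs, pim, off);` still restores saved values through `sub` (`sub->list.multi[subidx].end = save_lpos;`, then `sub->in_use = save_in_use;`). `sub` is set before the call, apparently from the old `subs` (the assignment is outside the hunk), so when the recursive call grew the list and switched `subs` to `temp_subs`, those writes can land in the old, possibly freed array. That is the same class of access this patch sets out to fix. The hunk at new lines 4113-4119 has the same shape (a write through `sub` before the call, a `save_in_use` restore after it) and likely needs the same treatment. Re-derive `sub` from the returned `subs` right after each call, the same way it was set before it (for instance `sub = &subs->norm;` on the normal-submatch path), before restoring the saved values.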
The Quest for the Holy Grail (Monty Python) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///