To: vim_dev@googlegroups.com Subject: Patch 8.2.3290 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.3290 Problem: Vim9: compiling dict may use pointer after free and leak memory on failure. Solution: Pass a pointer to generate_PUSHS(). (Zdenek Dohnal, closes #8699) Files: src/vim9compile.c *** ../vim-8.2.3289/src/vim9compile.c 2021-08-02 21:55:08.430701260 +0200 --- src/vim9compile.c 2021-08-04 22:29:01.672706084 +0200 *************** *** 1172,1192 **** /* * Generate an ISN_PUSHS instruction. ! * Consumes "str". */ static int ! generate_PUSHS(cctx_T *cctx, char_u *str) { isn_T *isn; if (cctx->ctx_skip == SKIP_YES) { ! vim_free(str); return OK; } if ((isn = generate_instr_type(cctx, ISN_PUSHS, &t_string)) == NULL) return FAIL; ! isn->isn_arg.string = str; return OK; } --- 1172,1197 ---- /* * Generate an ISN_PUSHS instruction. ! * Consumes "*str". When freed *str is set to NULL, unless "str" is NULL. */ static int ! generate_PUSHS(cctx_T *cctx, char_u **str) { isn_T *isn; if (cctx->ctx_skip == SKIP_YES) { ! if (str != NULL) ! VIM_CLEAR(*str); return OK; } if ((isn = generate_instr_type(cctx, ISN_PUSHS, &t_string)) == NULL) + { + if (str != NULL) + VIM_CLEAR(*str); return FAIL; ! } ! isn->isn_arg.string = str == NULL ? NULL : *str; return OK; } *************** *** 2785,2791 **** tv->vval.v_blob = NULL; break; case VAR_STRING: ! generate_PUSHS(cctx, tv->vval.v_string); tv->vval.v_string = NULL; break; default: --- 2790,2796 ---- tv->vval.v_blob = NULL; break; case VAR_STRING: ! generate_PUSHS(cctx, &tv->vval.v_string); tv->vval.v_string = NULL; break; default: *************** *** 3837,3843 **** key = get_literal_key(arg); if (key == NULL) return FAIL; ! if (generate_PUSHS(cctx, key) == FAIL) return FAIL; } --- 3842,3848 ---- key = get_literal_key(arg); if (key == NULL) return FAIL; ! 
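Review bot: On the success path of generate_PUSHS the caller's `*str` is left pointing at memory the new ISN_PUSHS instruction now owns, so the "Consumes *str" contract in the header comment only holds on the skip and failure paths; the call sites in this patch compensate by hand (`tv->vval.v_string = NULL;`, `li->li_tv.vval.v_string = NULL;`), and a caller that forgets to do so would free the string a second time when the instruction is freed. Since the function already takes `char_u **str`, it can clear the pointer uniformly after the handoff: `isn->isn_arg.string = str == NULL ? NULL : *str; if (str != NULL) *str = NULL;`, which also makes the manual nulling at those callers redundant. If any caller still reads `*str` after a successful call it would need adjusting, but none of the hunks shown here appear to. The header comment could then state the contract without the exception: `Consumes "*str": on every path *str is set to NULL, unless "str" is NULL.`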
if (generate_PUSHS(cctx, &key) == FAIL) return FAIL; } *************** *** 6525,6531 **** char_u *key_end = to_name_end(p + 1, TRUE); char_u *key = vim_strnsave(p + 1, key_end - p - 1); ! r = generate_PUSHS(cctx, key); } return r; } --- 6530,6536 ---- char_u *key_end = to_name_end(p + 1, TRUE); char_u *key = vim_strnsave(p + 1, key_end - p - 1); ! r = generate_PUSHS(cctx, &key); } return r; } *************** *** 6811,6817 **** // Push each line and the create the list. FOR_ALL_LIST_ITEMS(l, li) { ! generate_PUSHS(cctx, li->li_tv.vval.v_string); li->li_tv.vval.v_string = NULL; } generate_NEWLIST(cctx, l->lv_len); --- 6816,6822 ---- // Push each line and the create the list. FOR_ALL_LIST_ITEMS(l, li) { ! generate_PUSHS(cctx, &li->li_tv.vval.v_string); li->li_tv.vval.v_string = NULL; } generate_NEWLIST(cctx, l->lv_len); *************** *** 8520,8526 **** p += len + 2 + dropped; if (pat == NULL) return FAIL; ! if (generate_PUSHS(cctx, pat) == FAIL) return FAIL; if (generate_COMPARE(cctx, EXPR_MATCH, FALSE) == FAIL) --- 8525,8531 ---- p += len + 2 + dropped; if (pat == NULL) return FAIL; ! if (generate_PUSHS(cctx, &pat) == FAIL) return FAIL; if (generate_COMPARE(cctx, EXPR_MATCH, FALSE) == FAIL) *************** *** 9008,9014 **** { if (p > start) { ! generate_PUSHS(cctx, vim_strnsave(start, p - start)); ++count; } p += 2; --- 9013,9021 ---- { if (p > start) { ! char_u *val = vim_strnsave(start, p - start); ! ! generate_PUSHS(cctx, &val); ++count; } p += 2; *************** *** 9029,9035 **** { if (*skipwhite(start) != NUL) { ! generate_PUSHS(cctx, vim_strsave(start)); ++count; } break; --- 9036,9044 ---- { if (*skipwhite(start) != NUL) { ! char_u *val = vim_strsave(start); ! ! 
generate_PUSHS(cctx, &val); ++count; } break; *************** *** 9847,9852 **** --- 9856,9862 ---- case CMD_execute: case CMD_echomsg: case CMD_echoerr: + // TODO: "echoconsole" line = compile_mult_expr(p, ea.cmdidx, &cctx); break; *************** *** 9885,9892 **** #endif break; - // TODO: any other commands with an expression argument? - case CMD_append: case CMD_change: case CMD_insert: --- 9895,9900 ---- *** ../vim-8.2.3289/src/version.c 2021-08-04 21:16:46.690468437 +0200 --- src/version.c 2021-08-04 22:30:30.868503661 +0200 *************** *** 757,758 **** --- 757,760 ---- { /* Add new patch number below this line */ + /**/ + 3290, /**/ -- Computers are not intelligent. They only think they are. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///