patch 9.0.0026: accessing freed memory with diff put

brammool · brammool · commit c5274dd12224 · 2022-07-02T15:10:00.000+01:00
Problem:    Accessing freed memory with diff put.
Solution:   Bail out when diff pointer is no longer valid.
diff --git a/src/diff.c b/src/diff.c
@@ -2642,6 +2642,20 @@ nv_diffgetput(int put, long count)
     ex_diffgetput(&ea);
 }
 
+/*
+ * Return TRUE if "diff" appears in the list of diff blocks of the current tab.
+ */
+    static int
+valid_diff(diff_T *diff)
+{
+    diff_T	*dp;
+
+    for (dp = curtab->tp_first_diff; dp != NULL; dp = dp->df_next)
+	if (dp == diff)
+	    return TRUE;
+    return FALSE;
+}
+
 /*
  * ":diffget"
  * ":diffput"
@@ -2899,9 +2913,9 @@ ex_diffgetput(exarg_T *eap)
 		}
 	    }
 
-	    // Adjust marks.  This will change the following entries!
 	    if (added != 0)
 	    {
+		// Adjust marks.  This will change the following entries!
 		mark_adjust(lnum, lnum + count - 1, (long)MAXLNUM, (long)added);
 		if (curwin->w_cursor.lnum >= lnum)
 		{
@@ -2923,7 +2937,13 @@ ex_diffgetput(exarg_T *eap)
 #endif
 		vim_free(dfree);
 	    }
-	    else
+
+	    // mark_adjust() may have made "dp" invalid.  We don't know where
+	    // to continue then, bail out.
+	    if (added != 0 && !valid_diff(dp))
+		break;
+
+	    if (dfree == NULL)
 		// mark_adjust() may have changed the count in a wrong way
 		dp->df_count[idx_to] = new_count;
 
diff --git a/src/version.c b/src/version.c
@@ -735,6 +735,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    26,
 /**/
     25,
 /**/
