patch 8.2.1825: Vim9: accessing freed memory

Problem: Vim9: accessing freed memory. Solution: Clear sv_name when the variable is deleted.
vim · Oct 10, 2020 · d747548 · d747548
1 parent fcdc5d8
commit d747548
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 13 deletions.
diff --git a/src/ex_eval.c b/src/ex_eval.c
@@ -925,22 +925,28 @@ leave_block(cstack_T *cstack)
 
     if (in_vim9script())
     {
-	scriptitem_T *si = SCRIPT_ITEM(current_sctx.sc_sid);
+	scriptitem_T	*si = SCRIPT_ITEM(current_sctx.sc_sid);
+	hashtab_T	*ht = get_script_local_ht();
 
-	for (i = cstack->cs_script_var_len[cstack->cs_idx];
-					       i < si->sn_var_vals.ga_len; ++i)
+	if (ht != NULL)
 	{
-	    svar_T	*sv = ((svar_T *)si->sn_var_vals.ga_data) + i;
-	    hashtab_T	*ht = get_script_local_ht();
-	    hashitem_T	*hi;
-
-	    if (ht != NULL)
+	    for (i = cstack->cs_script_var_len[cstack->cs_idx];
+					       i < si->sn_var_vals.ga_len; ++i)
 	    {
-		// Remove a variable declared inside the block, if it still
-		// exists.
-		hi = hash_find(ht, sv->sv_name);
-		if (!HASHITEM_EMPTY(hi))
-		    delete_var(ht, hi);
+		svar_T	*sv = ((svar_T *)si->sn_var_vals.ga_data) + i;
+		hashitem_T	*hi;
+
+		if (sv->sv_name != NULL)
+		{
+		    // Remove a variable declared inside the block, if it still
+		    // exists.
+		    hi = hash_find(ht, sv->sv_name);
+		    if (!HASHITEM_EMPTY(hi))
+		    {
+			delete_var(ht, hi);
+			sv->sv_name = NULL;
+		    }
+		}
 	    }
 	}
     }

diff --git a/src/version.c b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1825,
 /**/
     1824,
 /**/