To: vim_dev@googlegroups.com Subject: Patch 8.2.1095 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.1095 Problem: May use pointer after freeing it when text properties are used. Solution: Update redo buffer before calling ml_replace(). Files: src/spellsuggest.c *** ../vim-8.2.1094/src/spellsuggest.c 2020-06-10 15:32:04.455653633 +0200 --- src/spellsuggest.c 2020-06-29 23:17:27.380217385 +0200 *************** *** 676,683 **** mch_memmove(p, line, c); STRCPY(p + c, stp->st_word); STRCAT(p, sug.su_badptr + stp->st_orglen); - ml_replace(curwin->w_cursor.lnum, p, FALSE); - curwin->w_cursor.col = c; // For redo we use a change-word command. ResetRedobuff(); --- 676,681 ---- *************** *** 686,692 **** stp->st_wordlen + sug.su_badlen - stp->st_orglen); AppendCharToRedobuff(ESC); ! // After this "p" may be invalid. changed_bytes(curwin->w_cursor.lnum, c); } } --- 684,693 ---- stp->st_wordlen + sug.su_badlen - stp->st_orglen); AppendCharToRedobuff(ESC); ! // "p" may be freed here ! ml_replace(curwin->w_cursor.lnum, p, FALSE); ! curwin->w_cursor.col = c; ! changed_bytes(curwin->w_cursor.lnum, c); } } *** ../vim-8.2.1094/src/version.c 2020-06-29 23:13:59.201083215 +0200 --- src/version.c 2020-06-29 23:18:21.903989089 +0200 *************** *** 756,757 **** --- 756,759 ---- { /* Add new patch number below this line */ + /**/ + 1095, /**/ -- I am always surprised in the Linux world how quickly solutions can be obtained. (Imagine sending an email to Bill Gates, asking why Windows crashed, and how to fix it... and then getting an answer that fixed the problem... <0>_<0> !) -- Mark Langdon /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
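Review bot: In the first src/spellsuggest.c hunk (676,683), the assignment curwin->w_cursor.col = c is removed from before ResetRedobuff() together with the ml_replace() call, so the cursor column still holds its old value while the redo buffer is being built. Please confirm that nothing between ResetRedobuff() and AppendCharToRedobuff(ESC) reads curwin->w_cursor.col. If anything does, only the ml_replace() call needs to move and the column assignment can stay where it was.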
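Review bot: The new comment // "p" may be freed here in the second src/spellsuggest.c hunk (684,693) sits directly above the call that receives p, so it can be read as saying p is already invalid when it is passed to ml_replace(). Suggest wording it as a rule for later edits, for example: ml_replace() may free "p" when text properties are used, do not use "p" after this call. The Files line lists only src/spellsuggest.c, so no regression test accompanies the fix. A test that accepts a spell suggestion on a line carrying a text property and then repeats the change would keep this ordering from being undone.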