patch 9.0.0530: using freed memory when autocmd changes mark

Problem: Using freed memory when autocmd changes mark. Solution: Copy the mark before editing another buffer.
2025-07-16 01:01:58 +00:00 · 2022-09-21 13:07:22 +01:00
parent 8eaee1fa5c
commit 8ecfa2c56b
3 changed files with 22 additions and 5 deletions
--- a/src/mark.c
+++ b/src/mark.c
@ -221,17 +221,19 @@ movemark(int count)
 	    fname2fnum(jmp);
 	if (jmp->fmark.fnum != curbuf->b_fnum)
 	{
-	    // jump to other file
-	    if (buflist_findnr(jmp->fmark.fnum) == NULL)
+	    // Make a copy, an autocommand may make "jmp" invalid.
+	    fmark_T fmark = jmp->fmark;
+
+	    // jump to the file with the mark
+	    if (buflist_findnr(fmark.fnum) == NULL)
 	    {					     // Skip this one ..
 		count += count < 0 ? -1 : 1;
 		continue;
 	    }
-	    if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
-							    0, FALSE) == FAIL)
+	    if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
 		return (pos_T *)NULL;
 	    // Set lnum again, autocommands my have changed it
-	    curwin->w_cursor = jmp->fmark.mark;
+	    curwin->w_cursor = fmark.mark;
 	    pos = (pos_T *)-1;
 	}
 	else
--- a/src/testdir/test_marks.vim
+++ b/src/testdir/test_marks.vim
@ -305,4 +305,17 @@ func Test_getmarklist()
  close!
 endfunc

+" This was using freed memory
+func Test_jump_mark_autocmd()
+  next 00
+  edit 0
+  sargument
+  au BufEnter 0 all
+  sil norm 
+
+  au! BufEnter
+  bwipe!
+endfunc
+
+
 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@ -699,6 +699,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    530,
 /**/
    529,
 /**/