From 6e5bc9dd6c477a71020dcbe6c7a387673825d941 Mon Sep 17 00:00:00 2001 From: Johannes Altmanninger Date: Wed, 28 Aug 2024 15:47:27 +0200 Subject: Fix use-after-free InsertCompletionHide touches used register Before performing the insertion, InsertCompleter::insert calls try_accept() to accept any selected completion candidate. If there is one, we fire InsertCompletionHide. If that one modifies the register used by , the inserted StringViews will be dangling. Fix this by running try_insert first, and read from the register later. Note that we call try_accept() twice but that's fine. It would probably make more sense to copy the register before calling insert() but I don't think it matters. Closes #5220
---
test/hooks/completion-hide-using-register/script | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 test/hooks/completion-hide-using-register/script
(limited to 'test/hooks/completion-hide-using-register/script')
diff --git a/test/hooks/completion-hide-using-register/script b/test/hooks/completion-hide-using-register/script
new file mode 100644
index 00000000..a6096a99
--- /dev/null
+++ b/test/hooks/completion-hide-using-register/script
@@ -0,0 +1,7 @@
+ui_out -until '{ "jsonrpc": "2.0", "method": "refresh", "params": [true] }'
+ui_in '{ "jsonrpc": "2.0", "method": "keys", "params": [ "Oe" ] }'
+ui_out -until '{ "jsonrpc": "2.0", "method": "menu_show", "params": [[[{ "face": { "fg": "default", "bg": "default", "underline": "default", "attributes": [] }, "contents": "echo" }, { "face": { "fg": "default", "bg": "default", "underline": "default", "attributes": [] }, "contents": " " }, { "face": { "fg": "cyan", "bg": "default", "underline": "default", "attributes": [] }, "contents": "out" }]], { "line": 0, "column": 0 }, { "fg": "white", "bg": "blue", "underline": "default", "attributes": [] }, { "fg": "blue", "bg": "white", "underline": "default", "attributes": [] }, "inline"] }'
+ui_in '{ "jsonrpc": "2.0", "method": "keys", "params": [ "" ] }'
+ui_out -until '{ "jsonrpc": "2.0", "method": "menu_select", "params": [1] }'
+ui_in '{ "jsonrpc": "2.0", "method": "keys", "params": [ "\"" ] }'
+ui_out -until '{ "jsonrpc": "2.0", "method": "menu_hide", "params": [] }'
-- cgit v1.2.3
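Review bot: The final step, `ui_out -until '{ ... "method": "menu_hide" ... }'`, only waits for the completion menu to close, so nothing in this script checks which text was actually inserted from the register. A read through a dangling StringView does not reliably crash, so as written the regression for #5220 is probably only caught when the test suite runs under a memory sanitizer. Only this one path is shown, so an expected-output file or the hook definition may sit next to it; if not, a check of the resulting buffer contents after the last key would make the test fail deterministically. A leading comment such as `# Regression test for #5220: InsertCompletionHide hook modifies the register being inserted; needs ASan to catch the dangling read` would also tell a maintainer why the fixture exists.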