nvim-oxi icon indicating copy to clipboard operation
nvim-oxi copied to clipboard
verified publisher icon noib3

Prevent nvim_buf_get_name frees buf->b_ffname

Open tony84727 opened this issue 3 years ago • 0 comments

nvim_buf_get_name C API doesn't copy memory but return a String with pointer to buf->b_ffname rust shouldn't free buf->b_ffname

ref: https://github.com/neovim/neovim/blob/09dffb9db7d16496e55e86f78ab60241533d86f6/src/nvim/api/buffer.c#L1038 https://github.com/neovim/neovim/blob/09dffb9db7d16496e55e86f78ab60241533d86f6/src/nvim/api/private/helpers.c#L403-L408

Reproduce code

use nvim_oxi as oxi;
use oxi::{Dictionary, Function};

#[oxi::module]
fn buffer_name_double_free_sample() -> oxi::Result<Dictionary> {
    Ok(Dictionary::from_iter([(
        "test",
        Function::from_fn(|()| {
            let buffer = oxi::api::get_current_buf();
            let name = buffer.get_name().unwrap();
            oxi::Result::<String>::Ok(String::from(name.to_str().unwrap()))
        }),
    )]))
}

Calling test function returned by the module twice will get a double free error (found on Mac)

tony84727 avatar Nov 05 '22 11:11 tony84727