patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)

Problem: double free in f_complete_match() (after v9.1.1341) Solution: remove additional free of trig pointer, correctly free regmatch.regprog and before_cursor in the error case closes: #17203 Signed-off-by: glepnir <glephunter@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-10-29 09:37:35 -04:00 · 2025-04-25 19:01:06 +02:00
parent e380b5cbba
commit 3accf046ec
2 changed files with 6 additions and 4 deletions
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3592,7 +3592,6 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
    regmatch_T  regmatch;
    char_u      *before_cursor = NULL;
    char_u      *cur_end = NULL;
    char_u      *trig = NULL;
    int          bytepos = 0;
    char_u	part[MAXPATHL];
    int		ret;
@@ -3643,20 +3642,21 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
 	{
 	    if (vim_regexec_nl(&regmatch, before_cursor, (colnr_T)0))
 	    {
-		bytepos = (int)(regmatch.startp[0] - before_cursor);
+		char_u	*trig = vim_strnsave(regmatch.startp[0],
 		trig = vim_strnsave(regmatch.startp[0],
 			regmatch.endp[0] - regmatch.startp[0]);
 		if (trig == NULL)
 		{
 		    vim_free(before_cursor);
 		    vim_regfree(regmatch.regprog);
 		    return;
 		}
 		bytepos = (int)(regmatch.startp[0] - before_cursor);
 		ret = add_match_to_list(rettv, trig, -1, bytepos);
 		vim_free(trig);
 		if (ret == FAIL)
 		{
-		    vim_free(trig);
+		    vim_free(before_cursor);
 		    vim_regfree(regmatch.regprog);
 		    return;
 		}
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
    1344,
 /**/
    1343,
 /**/