0
0
mirror of https://github.com/vim/vim.git synced 2025-07-24 10:45:12 -04:00

patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)

Problem:  double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free
          regmatch.regprog and before_cursor in the error case

closes: #17203

Signed-off-by: glepnir <glephunter@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt 2025-04-25 19:01:06 +02:00
parent e380b5cbba
commit 3accf046ec
No known key found for this signature in database
GPG Key ID: F3F92DA383FDDE09
2 changed files with 6 additions and 4 deletions

View File

@ -3592,7 +3592,6 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
regmatch_T regmatch;
char_u *before_cursor = NULL;
char_u *cur_end = NULL;
char_u *trig = NULL;
int bytepos = 0;
char_u part[MAXPATHL];
int ret;
@ -3643,20 +3642,21 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
{
if (vim_regexec_nl(&regmatch, before_cursor, (colnr_T)0))
{
bytepos = (int)(regmatch.startp[0] - before_cursor);
trig = vim_strnsave(regmatch.startp[0],
char_u *trig = vim_strnsave(regmatch.startp[0],
regmatch.endp[0] - regmatch.startp[0]);
if (trig == NULL)
{
vim_free(before_cursor);
vim_regfree(regmatch.regprog);
return;
}
bytepos = (int)(regmatch.startp[0] - before_cursor);
ret = add_match_to_list(rettv, trig, -1, bytepos);
vim_free(trig);
if (ret == FAIL)
{
vim_free(trig);
vim_free(before_cursor);
vim_regfree(regmatch.regprog);
return;
}

View File

@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
1344,
/**/
1343,
/**/