Commit: patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)

Fri, 25 Apr 2025 10:15:15 -0700 

patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)

Commit: 
https://github.com/vim/vim/commit/3accf046ec3d0ee4a762d15452ae46596e1a0540
Author: Christian Brabandt <c...@256bit.org>
Date:   Fri Apr 25 19:01:06 2025 +0200

    patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)
    
    Problem:  double free in f_complete_match() (after v9.1.1341)
    Solution: remove additional free of trig pointer, correctly free
              regmatch.regprog and before_cursor in the error case
    
    closes: #17203
    
    Signed-off-by: glepnir <glephun...@gmail.com>
    Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/insexpand.c b/src/insexpand.c
index 77c98311d..94901f133 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3592,7 +3592,6 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
     regmatch_T  regmatch;
     char_u      *before_cursor = NULL;
     char_u      *cur_end = NULL;
-    char_u      *trig = NULL;
     int          bytepos = 0;
     char_u     part[MAXPATHL];
     int                ret;
@@ -3643,20 +3642,21 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
        {
            if (vim_regexec_nl(&regmatch, before_cursor, (colnr_T)0))
            {
-               bytepos = (int)(regmatch.startp[0] - before_cursor);
-               trig = vim_strnsave(regmatch.startp[0],
+               char_u  *trig = vim_strnsave(regmatch.startp[0],
                        regmatch.endp[0] - regmatch.startp[0]);
                if (trig == NULL)
                {
                    vim_free(before_cursor);
+                   vim_regfree(regmatch.regprog);
                    return;
                }
 
+               bytepos = (int)(regmatch.startp[0] - before_cursor);
                ret = add_match_to_list(rettv, trig, -1, bytepos);
                vim_free(trig);
                if (ret == FAIL)
                {
-                   vim_free(trig);
+                   vim_free(before_cursor);
                    vim_regfree(regmatch.regprog);
                    return;
                }
diff --git a/src/version.c b/src/version.c
index cd66bef57..1e8d8e350 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1344,
 /**/
     1343,
 /**/

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/vim_dev/E1u8Mdn-007PzM-DW%40256bit.org.

Raspunde prin e-mail lui