patch 9.2.0476: pattern completion leaks memory on alloc failures v9.2.0476
authorglepnir <glephunter@gmail.com>
Tue, 12 May 2026 17:40:19 +0000 (17:40 +0000)
committerChristian Brabandt <cb@256bit.org>
Tue, 12 May 2026 17:40:19 +0000 (17:40 +0000)
Problem:  copy_substring_from_pos() leaked on ga_grow() failures,
          expand_pattern_in_buf() leaked "match" on ga_grow() failure,
          fuzzy_match_str_with_pos() ignored ga_grow() failures
Solution: Route failures through cleanup paths, check ga_grow before
          writing to ga_data (glepnir)

closes: #20203

Signed-off-by: glepnir <glephunter@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
src/cmdexpand.c
src/fuzzy.c
src/version.c

index f3139819849a534665dfbdb03c22e76ec695de57..19ae319981ff87048e862b7b99051c6686db9891 100644 (file)
@@ -4914,7 +4914,7 @@ copy_substring_from_pos(pos_T *start, pos_T *end, char_u **match,
            line = ml_get(lnum);
            linelen = (int)ml_get_len(lnum);
            if (ga_grow(&ga, linelen + 2) != OK)
-               return FAIL;
+               goto fail;
            ga_concat_len(&ga, line, linelen);
            if (exacttext)
                GA_CONCAT_LITERAL(&ga, "\\n");
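Review bot: The `goto fail;` after the ga_grow() check in the line loop deserves a short comment, because the reason a plain return was wrong is not visible at that spot: `ga` already holds the text appended by earlier iterations. Something like `// ga already holds earlier lines; release it via fail` would do. The commit text speaks of ga_grow() failures in the plural while only this one site changes, so it is worth confirming that any other ga_grow() call in copy_substring_from_pos also reaches `fail`. The label and the start of the function are outside this hunk, so what `fail` frees cannot be checked from here.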
@@ -5141,8 +5141,8 @@ expand_pattern_in_buf(
        }
 
        // Extract the matching text prepended to completed word
-       if (!copy_substring_from_pos(&cur_match_pos, &end_match_pos, &full_match,
-                   &word_end_pos))
+       if (copy_substring_from_pos(&cur_match_pos, &end_match_pos, &full_match,
+                   &word_end_pos) == FAIL)
            break;
 
        if (exacttext)
@@ -5183,7 +5183,10 @@ expand_pattern_in_buf(
        if (match != NULL)
        {
            if (ga_grow(&ga, 1) == FAIL)
+           {
+               VIM_CLEAR(match);
                goto cleanup;
+           }
            ((char_u **)ga.ga_data)[ga.ga_len++] = match;
            if (ga.ga_len > TAG_MANY)
                break;
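Review bot: Failure is handled two different ways inside expand_pattern_in_buf after this change: the ga_grow() failure here jumps to `cleanup`, while a FAIL from copy_substring_from_pos() in the previous hunk only does `break`. If that `break` leaves the loop on the normal return path, an out-of-memory condition there would look like a shortened but successful result list; that path is not visible, so this needs confirming. If both are meant to be errors, the earlier site could use `goto cleanup;` as well, otherwise a comment such as `// FAIL only ends the search; matches collected so far are kept` would record the intent. The function body and the `cleanup` label lie outside the hunk.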
index 9a94acea200f4a6399f608b8918fb086c01cd9cb..bb140fcace72c0c4599341f789849afbbc62c3b3 100644 (file)
@@ -690,7 +690,12 @@ fuzzy_match_str_with_pos(char_u *str UNUSED, char_u *pat UNUSED)
     {
        if (!VIM_ISWHITE(PTR2CHAR(p)))
        {
-           ga_grow(match_positions, 1);
+           if (ga_grow(match_positions, 1) == FAIL)
+           {
+               ga_clear(match_positions);
+               vim_free(match_positions);
+               return NULL;
+           }
            ((int_u *)match_positions->ga_data)[match_positions->ga_len] =
                                                                    matches[j];
            match_positions->ga_len++;
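Review bot: The new ga_grow() check in fuzzy_match_str_with_pos fixes more than the leak named in the commit subject: the store to `match_positions->ga_data[match_positions->ga_len]` that follows used to run even when the grow had failed, so it could write through a NULL or already full array. A one-line comment above the check, e.g. `// never store into ga_data unless the grow succeeded`, would keep a later refactor from dropping it. The early `return NULL` also means callers have to cope with NULL as a result; whether NULL is already a documented return value, and whether other locals need freeing on this path, cannot be seen here because the rest of the function lies outside the hunk.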
index 9e794b7ed36ed1acc14360d8cc2b104fcf61c6e4..6a8735c6bfd5a8647dc3bba4fd2144f51ce49e4d 100644 (file)
@@ -729,6 +729,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    476,
 /**/
     475,
 /**/