patch 9.1.1491: missing out-of-memory checks in cmdexpand.c

author John Marriott <basilisk@internode.on.net>

Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)

committer Christian Brabandt <cb@256bit.org>

Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)
author John Marriott <basilisk@internode.on.net>
Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)
committer Christian Brabandt <cb@256bit.org>
Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)
diff --git a/src/cmdexpand.c b/src/cmdexpand.c

index 2a23607229a3ec106578ca0114e008e9ee77fc3e..4615aafac9ffdf39477871ecf6d93a4b68368218 100644 (file)
--- a/src/cmdexpand.c
+++ b/src/cmdexpand.c
@@ -2991,6 +2991,9 @@ expand_files_and_dirs(
      {
         free_pat = TRUE;
         pat = vim_strsave(pat);
+       if (pat == NULL)
+           return ret;
+
         for (i = 0; pat[i]; ++i)
             if (pat[i] == '\\')
             {
@@ -3902,16 +3905,24 @@ ExpandUserDefined(
  
         if (match)
         {
+           char_u  *p = vim_strnsave(s, (size_t)(e - s));
+           if (p == NULL)
+               break;
+
             if (ga_grow(&ga, 1) == FAIL)
+           {
+               vim_free(p);
                 break;
+           }
+
             if (!fuzzy)
-               ((char_u **)ga.ga_data)[ga.ga_len] = vim_strnsave(s, e - s);
+               ((char_u **)ga.ga_data)[ga.ga_len] = p;
             else
             {
                 fuzmatch_str_T  *fuzmatch =
                                 &((fuzmatch_str_T  *)ga.ga_data)[ga.ga_len];
                 fuzmatch->idx = ga.ga_len;
-               fuzmatch->str = vim_strnsave(s, e - s);
+               fuzmatch->str = p;
                 fuzmatch->score = score;
             }
             ++ga.ga_len;
@@ -3963,14 +3974,22 @@ ExpandUserList(
      // Loop over the items in the list.
      FOR_ALL_LIST_ITEMS(retlist, li)
      {
+       char_u  *p;
+
         if (li->li_tv.v_type != VAR_STRING || li->li_tv.vval.v_string == NULL)
             continue;  // Skip non-string items and empty strings
  
+       p = vim_strsave(li->li_tv.vval.v_string);
+       if (p == NULL)
+           break;
+
         if (ga_grow(&ga, 1) == FAIL)
+       {
+           vim_free(p);
             break;
+       }
  
-       ((char_u **)ga.ga_data)[ga.ga_len] =
-                                        vim_strsave(li->li_tv.vval.v_string);
+       ((char_u **)ga.ga_data)[ga.ga_len] = p;
         ++ga.ga_len;
      }
      list_unref(retlist);
diff --git a/src/version.c b/src/version.c

index ff3c3485646bd67b06a579d0c0b4261f55d56018..42a3450329b0c5d0f1b2d3d6223b3063ff699199 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -719,6 +719,8 @@ static char *(features[]) =
  
  static int included_patches[] =
  {   /* Add new patch number below this line */
+/**/
+    1491,
  /**/
      1490,
  /**/
author	John Marriott <basilisk@internode.on.net>
	Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)
committer	Christian Brabandt <cb@256bit.org>
	Sat, 28 Jun 2025 18:41:54 +0000 (20:41 +0200)
src/cmdexpand.c		patch \| blob \| blame \| history
src/version.c		patch \| blob \| blame \| history