patch 9.1.0202: leaking memory in add_user() on failure

Problem:  leaking memory in add_user() (LuMingYinDetect)
Solution: free user_copy pointer instead of the user ptr

add_user() is called with a user pointer and the user pointer comes
from these functions:
- return value from the getpwent() function (Unix).
- return value from the getpwnam() function (Unix).
- return value from the NetUserEnum() function (MS Windows).

For the first 2 callers, the man page for those functions directly says,
one should not free the returned pointer (since it comes from static
memory).
For the third caller (on MS Windows), the returned buffer is already
freed directly after calling the add_user() function in
NetApiBufferFree(), so this would lead to a double free().

This all indicates, the user ptr is wrongly freed in the add_user()
function and the intention was to free the user_copy pointer instead in
case of an error.

So let's just use that now.

fixes: #14250
closes: #14260

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/misc1.c b/src/misc1.c
index 3085fc77fb5bb24f48573f659f011ba48d75aebc..3b265be4fac07af7d2835ac7cb767f2b635b4792 100644 (file)
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -2092,7 +2092,7 @@ add_user(char_u *user, int need_copy)
     if (user_copy == NULL || *user_copy == NUL || ga_grow(&ga_users, 1) == FAIL)
     {
        if (need_copy)
-           vim_free(user);
+           vim_free(user_copy);
        return;
     }
     ((char_u **)(ga_users.ga_data))[ga_users.ga_len++] = user_copy;

diff --git a/src/version.c b/src/version.c
index b38b235a19236581c5ba39b2ecae4b655eed6178..e074aebd0ac5ac05eba34c4f678be01e36f0f915 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    202,
 /**/
     201,
 /**/