patch 9.1.0395: getregionpos() may leak memory on error

Problem:  regionpos may leak memory on error, coverity
          complains about dereferencing Null pointer
Solution: free all list pointers (after v9.1.394),
          return early if buflist_findnr() returns NULL

closes: #14731

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/evalfunc.c b/src/evalfunc.c
index cca7e2ca4c496c669da4038f81ef66889155e24e..44c7d067610f0648e3027afb827b090f0edae579 100644 (file)
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -5727,6 +5727,10 @@ add_regionpos_range(
     buf_T      *findbuf;
     int                max_col1, max_col2;
 
+    findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
+    if (findbuf == NULL || findbuf->b_ml.ml_mfp == NULL)
+       return;
+
     l1 = list_alloc();
     if (l1 == NULL)
        return;
@@ -5739,25 +5743,34 @@ add_regionpos_range(
 
     l2 = list_alloc();
     if (l2 == NULL)
+    {
+       vim_free(l1);
        return;
+    }
 
     if (list_append_list(l1, l2) == FAIL)
     {
+       vim_free(l1);
        vim_free(l2);
        return;
     }
 
     l3 = list_alloc();
     if (l3 == NULL)
+    {
+       vim_free(l1);
+       vim_free(l2);
        return;
+    }
 
     if (list_append_list(l1, l3) == FAIL)
     {
+       vim_free(l1);
+       vim_free(l2);
        vim_free(l3);
        return;
     }
 
-    findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
 
     max_col1 = ml_get_buf_len(findbuf, lnum1);
     list_append_number(l2, bufnr);

diff --git a/src/version.c b/src/version.c
index 128197063f09a5470197fb73dde11bcf80765f99..0e6ac314ed9cd0eb45f59c2dca9a0f870550b972 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    395,
 /**/
     394,
 /**/