From: Christian Brabandt
Date: Fri, 25 Apr 2025 17:01:06 +0000 (+0200)
Subject: patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)
X-Git-Tag: v9.1.1344^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3accf046ec3d0ee4a762d15452ae46596e1a0540;p=thirdparty%2Fvim.git
patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)
Problem: double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free regmatch.regprog and before_cursor in the error case
closes: #17203
Signed-off-by: glepnir
Signed-off-by: Christian Brabandt
---
diff --git a/src/insexpand.c b/src/insexpand.c
index 77c98311d2..94901f133f 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3592,7 +3592,6 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
regmatch_T regmatch;
char_u *before_cursor = NULL;
char_u *cur_end = NULL;
- char_u *trig = NULL;
int bytepos = 0;
char_u part[MAXPATHL];
int ret;
@@ -3643,20 +3642,21 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
{
if (vim_regexec_nl(®match, before_cursor, (colnr_T)0))
{
- bytepos = (int)(regmatch.startp[0] - before_cursor);
- trig = vim_strnsave(regmatch.startp[0],
+ char_u *trig = vim_strnsave(regmatch.startp[0],
regmatch.endp[0] - regmatch.startp[0]);
if (trig == NULL)
{
vim_free(before_cursor);
+ vim_regfree(regmatch.regprog);
return;
}
+ bytepos = (int)(regmatch.startp[0] - before_cursor);
ret = add_match_to_list(rettv, trig, -1, bytepos);
vim_free(trig);
if (ret == FAIL)
{
- vim_free(trig);
+ vim_free(before_cursor);
vim_regfree(regmatch.regprog);
return;
}
diff --git a/src/version.c b/src/version.c
index cd66bef574..1e8d8e3508 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 1344,
/**/
1343,
/**/
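Review bot: The two failure branches in the second src/insexpand.c hunk, after `vim_strnsave()` and after `add_match_to_list()`, each repeat the same hand-written cleanup (`vim_free(before_cursor); vim_regfree(regmatch.regprog); return;`), which is the pattern behind the double free and the leaks this patch fixes. Folding them into one exit keeps every free in a single place: since vim_free() accepts NULL, `ret = trig == NULL ? FAIL : add_match_to_list(rettv, trig, -1, bytepos);` followed by the existing `vim_free(trig);` and the single `if (ret == FAIL)` block would do it. A comment on the `vim_free(trig);` line such as `// trig stays owned by this function; freed exactly once whether or not the add succeeded` would record the ownership rule, on the assumption, not visible in the hunk, that add_match_to_list() does not retain the pointer. The body of f_complete_match() starts and ends outside the hunk, so its other exit paths could not be checked for the same cleanup.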