From: Bram Moolenaar <Bram@vim.org>
Date: Wed, 4 Jan 2023 13:16:20 +0000 (+0000)
Subject: patch 9.0.1142: crash and/or memory leak when redefining function
X-Git-Tag: v9.0.1142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f057171d8b562c72334fd7c15c89ff787358ce3a;p=thirdparty%2Fvim.git

patch 9.0.1142: crash and/or memory leak when redefining function

Problem:    Crash and/or memory leak when redefining function after error.
Solution:   Clear pointer after making a copy.  Clear arrays on failure.
            (closes #11774)
---

diff --git a/src/userfunc.c b/src/userfunc.c
index 758b9eac5f..46b6c91778 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -525,9 +525,9 @@ parse_argument_types(ufunc_T *fp, garray_T *argtypes, int varargs)
 
 	// Move the last argument "...name: type" to uf_va_name and
 	// uf_va_type.
-	fp->uf_va_name = ((char_u **)fp->uf_args.ga_data)
-					      [fp->uf_args.ga_len - 1];
 	--fp->uf_args.ga_len;
+	fp->uf_va_name = ((char_u **)fp->uf_args.ga_data)[fp->uf_args.ga_len];
+	((char_u **)fp->uf_args.ga_data)[fp->uf_args.ga_len] = NULL;
 	p = ((char_u **)argtypes->ga_data)[len];
 	if (p == NULL)
 	    // TODO: get type from default value
@@ -4787,7 +4787,7 @@ define_function(
     // invalid.
     ++p;
     if (get_function_args(&p, ')', &newargs,
-			eap->cmdidx == CMD_def ? &argtypes : NULL, FALSE,
+			 eap->cmdidx == CMD_def ? &argtypes : NULL, FALSE,
 			 NULL, &varargs, &default_args, eap->skip,
 			 eap, in_class, &newlines, lines_to_free) == FAIL)
 	goto errret_2;
@@ -5209,17 +5209,23 @@ define_function(
     goto ret_free;
 
 erret:
-    ga_clear_strings(&newargs);
-    ga_clear_strings(&default_args);
     if (fp != NULL)
     {
+	// these were set to "newargs" and "default_args", which are cleared
+	// below
 	ga_init(&fp->uf_args);
 	ga_init(&fp->uf_def_args);
     }
 errret_2:
+    ga_clear_strings(&newargs);
+    ga_clear_strings(&default_args);
     ga_clear_strings(&newlines);
     if (fp != NULL)
+    {
 	VIM_CLEAR(fp->uf_arg_types);
+	VIM_CLEAR(fp->uf_va_name);
+	clear_type_list(&fp->uf_type_list);
+    }
     if (free_fp)
     {
 	vim_free(fp);
diff --git a/src/version.c b/src/version.c
index 3bfa6d46ff..df02bb87b8 100644
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1142,
 /**/
     1141,
 /**/