From: Yasuhiro Matsumoto Date: Wed, 10 Jun 2026 20:55:06 +0000 (+0000) Subject: patch 9.2.0618: use-after-free in popup_getoptions() on dict_add() failure X-Git-Tag: v9.2.0618^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f202f6ca95220cd7915e80bb8d81e0e70082faaa;p=thirdparty%2Fvim.git patch 9.2.0618: use-after-free in popup_getoptions() on dict_add() failure Problem: use-after-free in popup_getoptions() on dict_add() failure Solution: Set b to NULL (Yasuhiro Matsumoto). When dict_add() failed, dictitem_free() unref'd and freed the blob, but the error cleanup then read the freed blob's refcount and could free it again. Clear the pointer after dictitem_free(). closes: #20464 Signed-off-by: Yasuhiro Matsumoto Signed-off-by: Christian Brabandt --- diff --git a/src/popupwin.c b/src/popupwin.c index 7610ae538a..351c865568 100644 --- a/src/popupwin.c +++ b/src/popupwin.c @@ -5433,7 +5433,9 @@ f_popup_getoptions(typval_T *argvars, typval_T *rettv) ++b->bv_refcount; if (dict_add(idict, item) == FAIL) { + // dictitem_free() already freed the blob dictitem_free(item); + b = NULL; ok = FALSE; } } diff --git a/src/version.c b/src/version.c index e100c8a4b1..8d6afb613b 100644 --- a/src/version.c +++ b/src/version.c @@ -754,6 +754,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 618, /**/ 617, /**/
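Review bot: In the dict_add() failure branch of f_popup_getoptions() in src/popupwin.c, `b = NULL;` fixes the problem only if the later error cleanup checks b for NULL before reading `b->bv_refcount`. That cleanup lies outside the context lines of this hunk, so please confirm it has the guard, or add one with this patch. The new comment `// dictitem_free() already freed the blob` also sits above the `dictitem_free(item);` call, where "already" reads as if the blob were gone before the call. Moving it down to the `b = NULL;` line, or rewording it to say that dictitem_free() drops the reference taken by `++b->bv_refcount` and may free the blob, would make the ownership hand-off clearer to the next reader. The diff touches only src/popupwin.c and src/version.c, so no regression test accompanies the fix. If a dict_add() failure cannot be forced from a test, a sentence in the commit message saying so would help.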