patch 9.2.0527: Possible double free in fill_partial_and_closure() v9.2.0527
authorChristian Brabandt <cb@256bit.org>
Sun, 24 May 2026 15:25:03 +0000 (15:25 +0000)
committerChristian Brabandt <cb@256bit.org>
Sun, 24 May 2026 15:25:03 +0000 (15:25 +0000)
Problem:  Possible double free in fill_partial_and_closure()
          (xuqing yang)
Solution: Let the caller handle the free()

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/version.c
src/vim9execute.c

index 91bfa5761c3c41a93c8b51a23b3ce536ddcb2099..708cd1746b42e4c8fe7165600cc16c89f4516b3c 100644 (file)
@@ -729,6 +729,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    527,
 /**/
     526,
 /**/
index e1ddb7c1de341b79637f554ed30d388c21106d3a..68ca777d069c5fbe23105452aa1775e0f78781d6 100644 (file)
@@ -2157,10 +2157,8 @@ fill_partial_and_closure(
        // and local variables) so that the closure can use it later.
        // Store a reference to the partial so we can handle that.
        if (GA_GROW_FAILS(&ectx->ec_funcrefs, 1))
-       {
-           vim_free(pt);
+           // caller needs to free pt
            return FAIL;
-       }
        // Extra variable keeps the count of closures created in the current
        // function call.
        ++(((typval_T *)ectx->ec_stack.ga_data) + ectx->ec_frame_idx
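Review bot: The new ownership rule, that on FAIL the function no longer frees `pt`, is recorded only in the inline comment at this one failure site, so someone reading a call site has nowhere to learn it. I would state it in the function's header comment, e.g. `// On FAIL "pt" is not freed, the caller must free it.`, and confirm that every call site outside this diff frees `pt` exactly once on FAIL. With the braces dropped, the `if` body is now a comment line followed by `return FAIL;`; keeping `{ }` around those two lines would stop a later edit from detaching the return from the condition. The body of fill_partial_and_closure() starts and ends outside the hunk.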
@@ -5123,7 +5121,10 @@ exec_instructions(ectx_T *ectx)
                    if (fill_partial_and_closure(pt, ufunc,
                               extra == NULL ? NULL : &extra->fre_loopvar_info,
                                                                 ectx) == FAIL)
+                   {
+                       vim_free(pt);
                        goto theend;
+                   }
                    tv = STACK_TV_BOT(0);
                    ++ectx->ec_stack.ga_len;
                    tv->vval.v_partial = pt;
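Review bot: `vim_free(pt)` in the new failure branch releases only the partial allocation, so any counted reference that fill_partial_and_closure() stored into `pt` before the failing GA_GROW_FAILS check would stay incremented. That part of the function is outside the diff, so this is a question to confirm rather than a known leak. If references are taken there, the failure path needs to drop them before the free, or the grow should happen before they are taken. A short comment at the call, `// fill_partial_and_closure() does not free "pt" on failure`, would also keep the pairing with the callee visible. exec_instructions() continues outside the hunk.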