From: thinca <thinca@gmail.com>
Date: Sat, 30 May 2026 18:36:34 +0000 (+0000)
Subject: patch 9.2.0567: dict function name allocation failure not handled
X-Git-Tag: v9.2.0567^0
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=2b2dfc4f5a6064efd192c19750b551a01f393e83;p=thirdparty%2Fvim.git

patch 9.2.0567: dict function name allocation failure not handled

Problem:  When defining a dictionary function, the function name string
          is allocated with vim_strnsave() but the result is not
          checked. On allocation failure the dict entry is left with
          type VAR_FUNC and a NULL name, and in the overwrite case the
          previous entry has already been freed before the NULL is
          stored.
Solution: Allocate the name before modifying the dict entry and bail out
          on failure, freeing it on all error paths (thinca)

closes: #20376

Co-Authored-by: Claude <noreply@anthropic.com>
Signed-off-by: thinca <thinca@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
---

diff --git a/src/userfunc.c b/src/userfunc.c
index 2615185386..bd4c0bbc32 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -5612,18 +5612,27 @@ define_function(
 
 	if (fudi.fd_dict != NULL)
 	{
+	    char_u *func_name = vim_strnsave(name, namelen);
+
+	    if (func_name == NULL)
+	    {
+		VIM_CLEAR(fp);
+		goto erret;
+	    }
 	    if (fudi.fd_di == NULL)
 	    {
 		// add new dict entry
 		fudi.fd_di = dictitem_alloc(fudi.fd_newkey);
 		if (fudi.fd_di == NULL)
 		{
+		    vim_free(func_name);
 		    VIM_CLEAR(fp);
 		    goto erret;
 		}
 		if (dict_add(fudi.fd_dict, fudi.fd_di) == FAIL)
 		{
 		    vim_free(fudi.fd_di);
+		    vim_free(func_name);
 		    VIM_CLEAR(fp);
 		    goto erret;
 		}
@@ -5632,7 +5641,7 @@ define_function(
 		// overwrite existing dict entry
 		clear_tv(&fudi.fd_di->di_tv);
 	    fudi.fd_di->di_tv.v_type = VAR_FUNC;
-	    fudi.fd_di->di_tv.vval.v_string = vim_strnsave(name, namelen);
+	    fudi.fd_di->di_tv.vval.v_string = func_name;
 
 	    // behave like "dict" was used
 	    flags |= FC_DICT;
diff --git a/src/version.c b/src/version.c
index cf4cf4f2dc..56ebd6f0c0 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    567,
 /**/
     566,
 /**/