vim-patch:9.1.1131: potential out-of-memory issue in search.c

Problem:  potential out-of-memory issue in search.c
Solution: improve situation and refactor search.c slightly
          (John Marriott)

- In function update_search_stat():
  add a check for a theoretical null pointer reference, set and remember
  the length of lastpat, remove the three calls to STRLEN() and use the
  various string's associated lengths instead, add a check for an
  out-of-memory condition.

- In function search_for_fuzzy_match():
  remove a call to strnsave() and thus avoid having to add a check for
  an out-of-memory condition, also replace the call to STRLEN() by
  ml_get_buf_len().

closes: vim/vim#16689

b79fa3d9c8

Co-authored-by: John Marriott <basilisk@internode.on.net>
zeertzjq
2025-02-22 07:32:40 +08:00
parent c17caca9b7
commit 3029357520


@@ -3684,8 +3684,6 @@ bool search_for_fuzzy_match(buf_T *buf, pos_T *pos, char *pattern, int dir, pos_
pos_T circly_end;
bool found_new_match = false;
bool looped_around = false;
char *next_word_end = NULL;
char *match_word = NULL;
if (whole_line) {
current_pos.lnum += dir;
@@ -3718,9 +3716,8 @@ bool search_for_fuzzy_match(buf_T *buf, pos_T *pos, char *pattern, int dir, pos_
found_new_match = fuzzy_match_str_in_line(ptr, pattern, len, &current_pos);
if (found_new_match) {
if (ctrl_x_mode_normal()) {
match_word = xstrnsave(*ptr, (size_t)(*len));
if (strcmp(match_word, pattern) == 0) {
next_word_end = find_word_start(*ptr + *len);
if (strncmp(*ptr, pattern, (size_t)(*len)) == 0 && pattern[*len] == NUL) {
char *next_word_end = find_word_start(*ptr + *len);
if (*next_word_end != NUL && *next_word_end != NL) {
// Find end of the word.
while (*next_word_end != NUL) {
@@ -3736,7 +3733,6 @@ bool search_for_fuzzy_match(buf_T *buf, pos_T *pos, char *pattern, int dir, pos_
*len = (int)(next_word_end - *ptr);
current_pos.col = *len;
}
xfree(match_word);
}
*pos = current_pos;
break;
@@ -3747,7 +3743,7 @@ bool search_for_fuzzy_match(buf_T *buf, pos_T *pos, char *pattern, int dir, pos_
if (fuzzy_match_str(*ptr, pattern) > 0) {
found_new_match = true;
*pos = current_pos;
*len = (int)strlen(*ptr);
*len = ml_get_buf_len(buf, current_pos.lnum);
break;
}
}
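Review bot: The new condition `strncmp(*ptr, pattern, (size_t)(*len)) == 0 && pattern[*len] == NUL` in the second hunk indexes `pattern` at `*len`, which is in bounds only if `*len` is non-negative and the first `*len` bytes of `*ptr` contain no NUL. If both strings ended earlier, `strncmp()` would still return 0 and the index would read past the terminator of `pattern`. Presumably `fuzzy_match_str_in_line()` guarantees this, but it is not visible here, so the invariant deserves a comment above the condition, for example `// *len bytes of *ptr are NUL-free, so a match implies pattern[*len] is in bounds`. The last hunk likewise assumes `*ptr` is the full text of line `current_pos.lnum` when it replaces `strlen(*ptr)` with `ml_get_buf_len(buf, current_pos.lnum)`; this should be confirmed against the assignment of `*ptr`, which is not shown. The body of `search_for_fuzzy_match()` starts and ends outside the hunks.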