mirrors/neovim
1
0
Fork 0
mirror of https://github.com/neovim/neovim.git synced 2025-09-05 19:08:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

vim-patch:9.1.1344: double free in f_complete_match() (after v9.1.1341)

Browse Source 
Problem:  double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free
          regmatch.regprog and before_cursor in the error case

closes: https://github.com/vim/vim/pull/17203

3accf046ec

Co-authored-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
glepnir
2025-04-27 15:03:32 +08:00
parent fcabbc2283
commit 31e31273bc
1 changed files with 2 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/nvim/insexpand.c
View File

@@ -3099,7 +3099,6 @@ static int add_match_to_list(typval_T *rettv, char *str, int pos)
/// "complete_match()" function
void f_complete_match(typval_T *argvars, typval_T *rettv, EvalFuncData fptr)
{
tv_list_alloc_ret(rettv, kListLenUnknown);
char *ise = curbuf->b_p_ise[0] != NUL ? curbuf->b_p_ise : p_ise;
@@ -3141,17 +3140,17 @@ void f_complete_match(typval_T *argvars, typval_T *rettv, EvalFuncData fptr)
regmatch.regprog = vim_regcomp("\\k\\+$", RE_MAGIC);
if (regmatch.regprog != NULL) {
if (vim_regexec_nl(&regmatch, before_cursor, (colnr_T)0)) {
int bytepos = (int)(regmatch.startp[0] - before_cursor);
char *trig = xstrnsave(regmatch.startp[0], (size_t)(regmatch.endp[0] - regmatch.startp[0]));
if (trig == NULL) {
xfree(before_cursor);
return;
}
int bytepos = (int)(regmatch.startp[0] - before_cursor);
int ret = add_match_to_list(rettv, trig, bytepos);
xfree(trig);
if (ret == FAIL) {
xfree(trig);
xfree(before_cursor);
vim_regfree(regmatch.regprog);
return;
}