commit 31e31273bc03e39dd6c2173b4c51d46f1978c627
parent fcabbc2283c5d217d879d4ac0cc6c8501f15fc64
Author: glepnir <glephunter@gmail.com>
Date: Sun, 27 Apr 2025 15:03:32 +0800
vim-patch:9.1.1344: double free in f_complete_match() (after v9.1.1341)
Problem: double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free
regmatch.regprog and before_cursor in the error case
closes: https://github.com/vim/vim/pull/17203
https://github.com/vim/vim/commit/3accf046ec3d0ee4a762d15452ae46596e1a0540
Co-authored-by: Christian Brabandt <cb@256bit.org>
Diffstat:
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/nvim/insexpand.c b/src/nvim/insexpand.c
@@ -3099,7 +3099,6 @@ static int add_match_to_list(typval_T *rettv, char *str, int pos)
/// "complete_match()" function
void f_complete_match(typval_T *argvars, typval_T *rettv, EvalFuncData fptr)
{
-
tv_list_alloc_ret(rettv, kListLenUnknown);
char *ise = curbuf->b_p_ise[0] != NUL ? curbuf->b_p_ise : p_ise;
@@ -3141,17 +3140,17 @@ void f_complete_match(typval_T *argvars, typval_T *rettv, EvalFuncData fptr)
regmatch.regprog = vim_regcomp("\\k\\+$", RE_MAGIC);
if (regmatch.regprog != NULL) {
if (vim_regexec_nl(®match, before_cursor, (colnr_T)0)) {
- int bytepos = (int)(regmatch.startp[0] - before_cursor);
char *trig = xstrnsave(regmatch.startp[0], (size_t)(regmatch.endp[0] - regmatch.startp[0]));
if (trig == NULL) {
xfree(before_cursor);
return;
}
+ int bytepos = (int)(regmatch.startp[0] - before_cursor);
int ret = add_match_to_list(rettv, trig, bytepos);
xfree(trig);
if (ret == FAIL) {
- xfree(trig);
+ xfree(before_cursor);
vim_regfree(regmatch.regprog);
return;
}
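Review bot: The `trig == NULL` early return just above the moved `bytepos` declaration still frees only `before_cursor` and returns without releasing `regmatch.regprog`, so the compiled pattern leaks on that path, while the `ret == FAIL` path now releases both. Add `vim_regfree(regmatch.regprog);` before that `return;`. If `xstrnsave()` cannot return NULL in this tree (presumably it aborts on allocation failure, which should be confirmed), drop the dead branch instead. Routing both error exits through a single cleanup label would keep each allocation paired with exactly one free, which is the invariant whose violation caused this double free. The body of `f_complete_match()` starts and ends outside the hunk, so the normal-path cleanup is not visible here.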