patch 8.1.0917: double free when running out of memory

Problem:    Double free when running out of memory.
Solution:   Remove one free. (Ken Takata, closes #3955)

diff --git a/src/userfunc.c b/src/userfunc.c
index a293dd68e3f42efbaa7435f6c56eea3a0c365c4e..6deb8a9f1f85cb9c55d0c2d46925234d416a82cf 100644 (file)
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -205,6 +205,7 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate)
     garray_T   newlines;
     garray_T   *pnewargs;
     ufunc_T    *fp = NULL;
+    partial_T   *pt = NULL;
     int                varargs;
     int                ret;
     char_u     *start = skipwhite(*arg + 1);
@@ -252,7 +253,6 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate)
        int         len, flags = 0;
        char_u      *p;
        char_u      name[20];
-       partial_T   *pt;
 
        sprintf((char*)name, "<lambda>%d", ++lambda_no);
 
@@ -261,10 +261,7 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate)
            goto errret;
        pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T));
        if (pt == NULL)
-       {
-           vim_free(fp);
            goto errret;
-       }
 
        ga_init2(&newlines, (int)sizeof(char_u *), 1);
        if (ga_grow(&newlines, 1) == FAIL)
@@ -318,6 +315,7 @@ errret:
     ga_clear_strings(&newargs);
     ga_clear_strings(&newlines);
     vim_free(fp);
+    vim_free(pt);
     eval_lavars_used = old_eval_lavars;
     return FAIL;
 }

diff --git a/src/version.c b/src/version.c
index 7614566d8d3a6941084a3328323147780b43ddf2..9a31c2f78e830b0dfeed9e4906f647125c4aa01d 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -783,6 +783,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    917,
 /**/
     916,
 /**/