patch 8.2.0087: crash in command line expansion when out of memory

Problem:    Crash in command line expansion when out of memory.
Solution:   Check for NULL pointer.  Also make ExpandGeneric() static.
            (Dominique Pelle, closes #5437)

diff --git a/src/cmdexpand.c b/src/cmdexpand.c
index 9dc78ed5c3c0d88913c14c3b21bd0f7976299c51..d788e27565e3695891d6eeff126074633cf7d771 100644 (file)
--- a/src/cmdexpand.c
+++ b/src/cmdexpand.c
@@ -16,6 +16,9 @@
 static int     cmd_showtail;   // Only show path tail in lists ?
 
 static void    set_expand_context(expand_T *xp);
+static int      ExpandGeneric(expand_T *xp, regmatch_T *regmatch,
+                             int *num_file, char_u ***file,
+                             char_u *((*func)(expand_T *, int)), int escaped);
 static int     ExpandFromContext(expand_T *xp, char_u *, int *, char_u ***, int);
 static int     expand_showtail(expand_T *xp);
 static int     expand_shellcmd(char_u *filepat, int *num_file, char_u ***file, int flagsarg);
@@ -2214,7 +2217,7 @@ ExpandFromContext(
  *
  * Returns OK when no problems encountered, FAIL for error (out of memory).
  */
-    int
+    static int
 ExpandGeneric(
     expand_T   *xp,
     regmatch_T *regmatch,
@@ -2250,6 +2253,13 @@ ExpandGeneric(
                        str = vim_strsave_escaped(str, (char_u *)" \t\\.");
                    else
                        str = vim_strsave(str);
+                   if (str == NULL)
+                   {
+                       FreeWild(count, *file);
+                       *num_file = 0;
+                       *file = NULL;
+                       return FAIL;
+                   }
                    (*file)[count] = str;
 # ifdef FEAT_MENU
                    if (func == get_menu_names && str != NULL)
@@ -2268,13 +2278,14 @@ ExpandGeneric(
        {
            if (count == 0)
                return OK;
-           *num_file = count;
            *file = ALLOC_MULT(char_u *, count);
            if (*file == NULL)
            {
-               *file = (char_u **)"";
+               *num_file = 0;
+               *file = NULL;
                return FAIL;
            }
+           *num_file = count;
            count = 0;
        }
     }
@@ -2297,7 +2308,6 @@ ExpandGeneric(
     // they don't show up when getting normal highlight names by ID.
     reset_expand_highlight();
 #endif
-
     return OK;
 }
 

diff --git a/src/proto/cmdexpand.pro b/src/proto/cmdexpand.pro
index f2cea9ff9c5ea2421b3afb8c76869c7470f67802..523565942dae6e50e532c2c156f48c1d3582f5f6 100644 (file)
--- a/src/proto/cmdexpand.pro
+++ b/src/proto/cmdexpand.pro
@@ -8,7 +8,6 @@ char_u *sm_gettail(char_u *s);
 char_u *addstar(char_u *fname, int len, int context);
 void set_cmd_context(expand_T *xp, char_u *str, int len, int col, int use_ccline);
 int expand_cmdline(expand_T *xp, char_u *str, int col, int *matchcount, char_u ***matches);
-int ExpandGeneric(expand_T *xp, regmatch_T *regmatch, int *num_file, char_u ***file, char_u *((*func)(expand_T *, int)), int escaped);
 void globpath(char_u *path, char_u *file, garray_T *ga, int expand_options);
 void f_getcompletion(typval_T *argvars, typval_T *rettv);
 /* vim: set ft=c : */

diff --git a/src/version.c b/src/version.c
index eff491dc03ac5daa3cc813465fca369cdb50f277..dfa31a77e660bceffac343e42d841e110c86c3a7 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -742,6 +742,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    87,
 /**/
     86,
 /**/