updated for version 7.4.624

Problem:    May leak memory or crash when vim_realloc() returns NULL.
Solution:   Handle a NULL value properly. (Mike Williams)

diff --git a/src/if_cscope.c b/src/if_cscope.c
index ab31a035194d3f4d1d1f618ff76e4aec7a280ed6..f72a96b9ce96bfa32bcce47300ab15f2cb8dd343 100644 (file)
--- a/src/if_cscope.c
+++ b/src/if_cscope.c
@@ -1507,9 +1507,16 @@ cs_insert_filelist(fname, ppath, flags, sb)
        }
        else
        {
+           csinfo_T *t_csinfo = csinfo;
+
            /* Reallocate space for more connections. */
            csinfo_size *= 2;
            csinfo = vim_realloc(csinfo, sizeof(csinfo_T)*csinfo_size);
+           if (csinfo == NULL)
+           {
+               vim_free(t_csinfo);
+               csinfo_size = 0;
+           }
        }
        if (csinfo == NULL)
            return -1;
@@ -2059,6 +2066,7 @@ cs_print_tags_priv(matches, cntxts, num_matches)
     int num_matches;
 {
     char       *buf = NULL;
+    char       *t_buf;
     int                bufsize = 0; /* Track available bufsize */
     int                newsize = 0;
     char       *ptag;
@@ -2120,9 +2128,13 @@ cs_print_tags_priv(matches, cntxts, num_matches)
        newsize = (int)(strlen(csfmt_str) + 16 + strlen(lno));
        if (bufsize < newsize)
        {
+           t_buf = buf;
            buf = (char *)vim_realloc(buf, newsize);
            if (buf == NULL)
+           {
                bufsize = 0;
+               vim_free(t_buf);
+           }
            else
                bufsize = newsize;
        }
@@ -2143,9 +2155,13 @@ cs_print_tags_priv(matches, cntxts, num_matches)
 
        if (bufsize < newsize)
        {
+           t_buf = buf;
            buf = (char *)vim_realloc(buf, newsize);
            if (buf == NULL)
+           {
                bufsize = 0;
+               vim_free(t_buf);
+           }
            else
                bufsize = newsize;
        }

diff --git a/src/memline.c b/src/memline.c
index 7adb2dc9905ea6a21fca2b7d5d44b62e1f412fa0..d62697d6b41cfa2d0baad5344d783b53d3e92680 100644 (file)
--- a/src/memline.c
+++ b/src/memline.c
@@ -5057,6 +5057,8 @@ ml_updatechunk(buf, line, len, updtype)
        /* May resize here so we don't have to do it in both cases below */
        if (buf->b_ml.ml_usedchunks + 1 >= buf->b_ml.ml_numchunks)
        {
+           chunksize_T *t_chunksize = buf->b_ml.ml_chunksize;
+
            buf->b_ml.ml_numchunks = buf->b_ml.ml_numchunks * 3 / 2;
            buf->b_ml.ml_chunksize = (chunksize_T *)
                vim_realloc(buf->b_ml.ml_chunksize,
@@ -5064,6 +5066,7 @@ ml_updatechunk(buf, line, len, updtype)
            if (buf->b_ml.ml_chunksize == NULL)
            {
                /* Hmmmm, Give up on offset for this buffer */
+               vim_free(t_chunksize);
                buf->b_ml.ml_usedchunks = -1;
                return;
            }

diff --git a/src/misc1.c b/src/misc1.c
index e3e7da82453662be8d6b1fdc5a2092eb85ad6934..707abf8d5a36806b620725f46269aef718807f69 100644 (file)
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -3431,10 +3431,14 @@ get_keystroke()
            buf = alloc(buflen);
        else if (maxlen < 10)
        {
+           char_u  *t_buf = buf;
+
            /* Need some more space. This might happen when receiving a long
             * escape sequence. */
            buflen += 100;
            buf = vim_realloc(buf, buflen);
+           if (buf == NULL)
+               vim_free(t_buf);
            maxlen = (buflen - 6 - len) / 3;
        }
        if (buf == NULL)

diff --git a/src/netbeans.c b/src/netbeans.c
index c3345447aadaacfb85aeb1950ac1e27e3a9ade87..4f6cf2f47f2e354185da78806ae65169a1de7295 100644 (file)
--- a/src/netbeans.c
+++ b/src/netbeans.c
@@ -1080,10 +1080,18 @@ nb_get_buf(int bufno)
     {
        if (bufno >= buf_list_size) /* grow list */
        {
+           nbbuf_T *t_buf_list = buf_list;
+
            incr = bufno - buf_list_size + 90;
            buf_list_size += incr;
            buf_list = (nbbuf_T *)vim_realloc(
                                   buf_list, buf_list_size * sizeof(nbbuf_T));
+           if (buf_list == NULL)
+           {
+               vim_free(t_buf_list);
+               buf_list_size = 0;
+               return NULL;
+           }
            vim_memset(buf_list + buf_list_size - incr, 0,
                                                      incr * sizeof(nbbuf_T));
        }
@@ -3678,11 +3686,18 @@ addsigntype(
            {
                int incr;
                int oldlen = globalsignmaplen;
+               char **t_globalsignmap = globalsignmap;
 
                globalsignmaplen *= 2;
                incr = globalsignmaplen - oldlen;
                globalsignmap = (char **)vim_realloc(globalsignmap,
                                           globalsignmaplen * sizeof(char *));
+               if (globalsignmap == NULL)
+               {
+                   vim_free(t_globalsignmap);
+                   globalsignmaplen = 0;
+                   return;
+               }
                vim_memset(globalsignmap + oldlen, 0, incr * sizeof(char *));
            }
        }
@@ -3708,11 +3723,18 @@ addsigntype(
        {
            int incr;
            int oldlen = buf->signmaplen;
+           int *t_signmap = buf->signmap;
 
            buf->signmaplen *= 2;
            incr = buf->signmaplen - oldlen;
            buf->signmap = (int *)vim_realloc(buf->signmap,
                                               buf->signmaplen * sizeof(int));
+           if (buf->signmap == NULL)
+           {
+               vim_free(t_signmap);
+               buf->signmaplen = 0;
+               return;
+           }
            vim_memset(buf->signmap + oldlen, 0, incr * sizeof(int));
        }
     }

diff --git a/src/version.c b/src/version.c
index b52926a369d91117a52ce5477162323ffc7d8979..70a8633d03909f931786242bc54863b582cb1c35 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -741,6 +741,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    624,
 /**/
     623,
 /**/