From: Bram Moolenaar Date: Thu, 14 Feb 2019 12:43:36 +0000 (+0100) Subject: patch 8.1.0917: double free when running out of memory X-Git-Tag: v8.1.0917 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=445e71c5ee06015064cf0642cac8190cfe8fbc59;p=vim patch 8.1.0917: double free when running out of memory Problem: Double free when running out of memory. Solution: Remove one free. (Ken Takata, closes #3955) --- diff --git a/src/userfunc.c b/src/userfunc.c index a293dd68e..6deb8a9f1 100644 --- a/src/userfunc.c +++ b/src/userfunc.c @@ -205,6 +205,7 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate) garray_T newlines; garray_T *pnewargs; ufunc_T *fp = NULL; + partial_T *pt = NULL; int varargs; int ret; char_u *start = skipwhite(*arg + 1); @@ -252,7 +253,6 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate) int len, flags = 0; char_u *p; char_u name[20]; - partial_T *pt; sprintf((char*)name, "%d", ++lambda_no); @@ -261,10 +261,7 @@ get_lambda_tv(char_u **arg, typval_T *rettv, int evaluate) goto errret; pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T)); if (pt == NULL) - { - vim_free(fp); goto errret; - } ga_init2(&newlines, (int)sizeof(char_u *), 1); if (ga_grow(&newlines, 1) == FAIL) @@ -318,6 +315,7 @@ errret: ga_clear_strings(&newargs); ga_clear_strings(&newlines); vim_free(fp); + vim_free(pt); eval_lavars_used = old_eval_lavars; return FAIL; } diff --git a/src/version.c b/src/version.c index 7614566d8..9a31c2f78 100644 --- a/src/version.c +++ b/src/version.c @@ -783,6 +783,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 917, /**/ 916, /**/