Mercurial > vim

comparison src/userfunc.c @ 15820:bd75c9df2a14 v8.1.0917

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
patch 8.1.0917: double free when running out of memory commit https://github.com/vim/vim/commit/445e71c5ee06015064cf0642cac8190cfe8fbc59 Author: Bram Moolenaar <Bram@vim.org> Date: Thu Feb 14 13:43:36 2019 +0100 patch 8.1.0917: double free when running out of memory Problem: Double free when running out of memory. Solution: Remove one free. (Ken Takata, closes https://github.com/vim/vim/issues/3955)
author Bram Moolenaar <Bram@vim.org>
date Thu, 14 Feb 2019 13:45:13 +0100
parents 5b6c3c7feba8
children 879829e44091
comparison
equal deleted inserted replaced
15819:806c95deeb61 15820:bd75c9df2a14
203 { 203 {
204 garray_T newargs; 204 garray_T newargs;
205 garray_T newlines; 205 garray_T newlines;
206 garray_T *pnewargs; 206 garray_T *pnewargs;
207 ufunc_T *fp = NULL; 207 ufunc_T *fp = NULL;
208 partial_T *pt = NULL;
208 int varargs; 209 int varargs;
209 int ret; 210 int ret;
210 char_u *start = skipwhite(*arg + 1); 211 char_u *start = skipwhite(*arg + 1);
211 char_u *s, *e; 212 char_u *s, *e;
212 static int lambda_no = 0; 213 static int lambda_no = 0;
250 if (evaluate) 251 if (evaluate)
251 { 252 {
252 int len, flags = 0; 253 int len, flags = 0;
253 char_u *p; 254 char_u *p;
254 char_u name[20]; 255 char_u name[20];
255 partial_T *pt;
256 256
257 sprintf((char*)name, "<lambda>%d", ++lambda_no); 257 sprintf((char*)name, "<lambda>%d", ++lambda_no);
258 258
259 fp = (ufunc_T *)alloc_clear((unsigned)(sizeof(ufunc_T) + STRLEN(name))); 259 fp = (ufunc_T *)alloc_clear((unsigned)(sizeof(ufunc_T) + STRLEN(name)));
260 if (fp == NULL) 260 if (fp == NULL)
261 goto errret; 261 goto errret;
262 pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T)); 262 pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T));
263 if (pt == NULL) 263 if (pt == NULL)
264 {
265 vim_free(fp);
266 goto errret; 264 goto errret;
267 }
268 265
269 ga_init2(&newlines, (int)sizeof(char_u *), 1); 266 ga_init2(&newlines, (int)sizeof(char_u *), 1);
270 if (ga_grow(&newlines, 1) == FAIL) 267 if (ga_grow(&newlines, 1) == FAIL)
271 goto errret; 268 goto errret;
272 269
316 313
317 errret: 314 errret:
318 ga_clear_strings(&newargs); 315 ga_clear_strings(&newargs);
319 ga_clear_strings(&newlines); 316 ga_clear_strings(&newlines);
320 vim_free(fp); 317 vim_free(fp);
318 vim_free(pt);
321 eval_lavars_used = old_eval_lavars; 319 eval_lavars_used = old_eval_lavars;
322 return FAIL; 320 return FAIL;
323 } 321 }
324 322
325 /* 323 /*