# HG changeset patch
# User Bram Moolenaar
# Date 1550148313 -3600
# Node ID bd75c9df2a142571066fd0b8113f8594daf3cf2c
# Parent 806c95deeb615a7fb262b19101257e1ebb71ce38
patch 8.1.0917: double free when running out of memory
commit https://github.com/vim/vim/commit/445e71c5ee06015064cf0642cac8190cfe8fbc59
Author: Bram Moolenaar
Date: Thu Feb 14 13:43:36 2019 +0100
patch 8.1.0917: double free when running out of memory
Problem: Double free when running out of memory.
Solution: Remove one free. (Ken Takata, closes https://github.com/vim/vim/issues/3955)
diff --git a/src/userfunc.c b/src/userfunc.c
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -205,6 +205,7 @@ get_lambda_tv(char_u **arg, typval_T *re
 garray_T newlines;
 garray_T *pnewargs;
 ufunc_T *fp = NULL;
+ partial_T *pt = NULL;
 int varargs;
 int ret;
 char_u *start = skipwhite(*arg + 1);
@@ -252,7 +253,6 @@ get_lambda_tv(char_u **arg, typval_T *re
 int len, flags = 0;
 char_u *p;
 char_u name[20];
- partial_T *pt;
 sprintf((char*)name, "%d", ++lambda_no);
@@ -261,10 +261,7 @@ get_lambda_tv(char_u **arg, typval_T *re
 goto errret;
 pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T));
 if (pt == NULL)
- {
- vim_free(fp);
 goto errret;
- }
 ga_init2(&newlines, (int)sizeof(char_u *), 1);
 if (ga_grow(&newlines, 1) == FAIL)
@@ -318,6 +315,7 @@ errret:
 ga_clear_strings(&newargs);
 ga_clear_strings(&newlines);
 vim_free(fp);
+ vim_free(pt);
 eval_lavars_used = old_eval_lavars;
 return FAIL;
 }
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -784,6 +784,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 917,
+/**/
 916,
 /**/
 915,
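Review bot: The `errret:` cleanup in the fourth hunk of src/userfunc.c now releases both `fp` and `pt` unconditionally, and nothing at the label records the ownership rule that makes this safe. It is only correct while every `goto errret` runs before either pointer has been handed off (presumably `pt` ends up in `rettv` and `fp` gets registered on the success path, which lies outside the hunks); a jump added later past that point would free an object that is still referenced. I would add a comment above the two frees such as `/* fp and pt are still owned locally here; never jump to errret after they are stored */`. The `pt = NULL` initialisation in the first hunk is what keeps `vim_free(pt)` safe for jumps taken before the allocation, assuming vim_free() accepts NULL as the existing `vim_free(fp)` with `fp = NULL` already relies on, and the change also closes the leak of `pt` on the `ga_grow()` failure path that the commit message does not mention. get_lambda_tv's body starts and ends outside these hunks.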