Mercurial > vim
changeset 34627:5071d4c3ff2e v9.1.0202
patch 9.1.0202: leaking memory in add_user() on failure
Commit: https://github.com/vim/vim/commit/7a2f217988afa1c35b9c093a9d3477198ea250b9
Author: Christian Brabandt <cb@256bit.org>
Date: Sun Mar 24 09:50:03 2024 +0100
patch 9.1.0202: leaking memory in add_user() on failure
Problem: leaking memory in add_user() (LuMingYinDetect)
Solution: free user_copy pointer instead of the user ptr
add_user() is called with a user pointer and the user pointer comes
from these functions:
- return value from the getpwent() function (Unix).
- return value from the getpwnam() function (Unix).
- return value from the NetUserEnum() function (MS Windows).
For the first 2 callers, the man page for those functions directly says,
one should not free the returned pointer (since it comes from static
memory).
For the third caller (on MS Windows), the returned buffer is already
freed directly after calling the add_user() function in
NetApiBufferFree(), so this would lead to a double free().
This all indicates, the user ptr is wrongly freed in the add_user()
function and the intention was to free the user_copy pointer instead in
case of an error.
So let's just use that now.
fixes: #14250
closes: #14260
Signed-off-by: Christian Brabandt <cb@256bit.org>
| author | Christian Brabandt <cb@256bit.org> |
|---|---|
| date | Sun, 24 Mar 2024 10:00:09 +0100 |
| parents | 32d243b3ff9e |
| children | 758601ca4965 |
| files | src/misc1.c src/version.c |
| diffstat | 2 files changed, 3 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/misc1.c +++ b/src/misc1.c @@ -2092,7 +2092,7 @@ add_user(char_u *user, int need_copy) if (user_copy == NULL || *user_copy == NUL || ga_grow(&ga_users, 1) == FAIL) { if (need_copy) - vim_free(user); + vim_free(user_copy); return; } ((char_u **)(ga_users.ga_data))[ga_users.ga_len++] = user_copy;