Skip to content

Commit 2b2dfc4

Browse files
thincaclaude
authored andcommitted
patch 9.2.0567: dict function name allocation failure not handled
Problem: When defining a dictionary function, the function name string is allocated with vim_strnsave() but the result is not checked. On allocation failure the dict entry is left with type VAR_FUNC and a NULL name, and in the overwrite case the previous entry has already been freed before the NULL is stored. Solution: Allocate the name before modifying the dict entry and bail out on failure, freeing it on all error paths (thinca) closes: #20376 Co-Authored-by: Claude <[email protected]> Signed-off-by: thinca <[email protected]> Signed-off-by: Christian Brabandt <[email protected]>
1 parent 22a78b5 commit 2b2dfc4

2 files changed

Lines changed: 12 additions & 1 deletion

File tree

src/userfunc.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5612,18 +5612,27 @@ define_function(
56125612

56135613
if (fudi.fd_dict != NULL)
56145614
{
5615+
char_u *func_name = vim_strnsave(name, namelen);
5616+
5617+
if (func_name == NULL)
5618+
{
5619+
VIM_CLEAR(fp);
5620+
goto erret;
5621+
}
56155622
if (fudi.fd_di == NULL)
56165623
{
56175624
// add new dict entry
56185625
fudi.fd_di = dictitem_alloc(fudi.fd_newkey);
56195626
if (fudi.fd_di == NULL)
56205627
{
5628+
vim_free(func_name);
56215629
VIM_CLEAR(fp);
56225630
goto erret;
56235631
}
56245632
if (dict_add(fudi.fd_dict, fudi.fd_di) == FAIL)
56255633
{
56265634
vim_free(fudi.fd_di);
5635+
vim_free(func_name);
56275636
VIM_CLEAR(fp);
56285637
goto erret;
56295638
}
@@ -5632,7 +5641,7 @@ define_function(
56325641
// overwrite existing dict entry
56335642
clear_tv(&fudi.fd_di->di_tv);
56345643
fudi.fd_di->di_tv.v_type = VAR_FUNC;
5635-
fudi.fd_di->di_tv.vval.v_string = vim_strnsave(name, namelen);
5644+
fudi.fd_di->di_tv.vval.v_string = func_name;
56365645

56375646
// behave like "dict" was used
56385647
flags |= FC_DICT;

src/version.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -729,6 +729,8 @@ static char *(features[]) =
729729

730730
static int included_patches[] =
731731
{ /* Add new patch number below this line */
732+
/**/
733+
567,
732734
/**/
733735
566,
734736
/**/

0 commit comments

Comments
 (0)