Commit: patch 9.2.0527: Possible double free in fill_partial_and_closure()
2 views
Skip to first unread message
Christian Brabandt
May 24, 2026, 12:45:14 PM (13 hours ago) May 24
to vim...@googlegroups.com
patch 9.2.0527: Possible double free in fill_partial_and_closure()
Commit: https://github.com/vim/vim/commit/07c8b4712f84daa5cfd0c96f134710e6f4865b95
Author: Christian Brabandt <c...@256bit.org>
Date: Sun May 24 15:25:03 2026 +0000
patch 9.2.0527: Possible double free in fill_partial_and_closure()
Problem: Possible double free in fill_partial_and_closure()
(xuqing yang)
Solution: Let the caller handle the free()
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 91bfa5761..708cd1746 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 527,
/**/
526,
/**/
diff --git a/src/vim9execute.c b/src/vim9execute.c
index e1ddb7c1d..68ca777d0 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -2157,10 +2157,8 @@ fill_partial_and_closure(
// and local variables) so that the closure can use it later.
// Store a reference to the partial so we can handle that.
if (GA_GROW_FAILS(&ectx->ec_funcrefs, 1))
- {
- vim_free(pt);
+ // caller needs to free pt
return FAIL;
- }
// Extra variable keeps the count of closures created in the current
// function call.
++(((typval_T *)ectx->ec_stack.ga_data) + ectx->ec_frame_idx
@@ -5123,7 +5121,10 @@ exec_instructions(ectx_T *ectx)
if (fill_partial_and_closure(pt, ufunc,
extra == NULL ? NULL : &extra->fre_loopvar_info,
ectx) == FAIL)
+ {
+ vim_free(pt);
goto theend;
+ }
tv = STACK_TV_BOT(0);
++ectx->ec_stack.ga_len;
tv->vval.v_partial = pt;
Commit: https://github.com/vim/vim/commit/07c8b4712f84daa5cfd0c96f134710e6f4865b95
Author: Christian Brabandt <c...@256bit.org>
Date: Sun May 24 15:25:03 2026 +0000
patch 9.2.0527: Possible double free in fill_partial_and_closure()
Problem: Possible double free in fill_partial_and_closure()
(xuqing yang)
Solution: Let the caller handle the free()
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 91bfa5761..708cd1746 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 527,
/**/
526,
/**/
diff --git a/src/vim9execute.c b/src/vim9execute.c
index e1ddb7c1d..68ca777d0 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -2157,10 +2157,8 @@ fill_partial_and_closure(
// and local variables) so that the closure can use it later.
// Store a reference to the partial so we can handle that.
if (GA_GROW_FAILS(&ectx->ec_funcrefs, 1))
- {
- vim_free(pt);
+ // caller needs to free pt
return FAIL;
- }
// Extra variable keeps the count of closures created in the current
// function call.
++(((typval_T *)ectx->ec_stack.ga_data) + ectx->ec_frame_idx
@@ -5123,7 +5121,10 @@ exec_instructions(ectx_T *ectx)
if (fill_partial_and_closure(pt, ufunc,
extra == NULL ? NULL : &extra->fre_loopvar_info,
ectx) == FAIL)
+ {
+ vim_free(pt);
goto theend;
+ }
tv = STACK_TV_BOT(0);
++ectx->ec_stack.ga_len;
tv->vval.v_partial = pt;
Reply all
Reply to author
Forward
0 new messages