patch 9.2.0771: dict_add_list() has inconsistent ownership on failure
Commit:
https://github.com/vim/vim/commit/3ae1443d10da03019d4b37c090daee38926da215
Author: Christian Brabandt <
c...@256bit.org>
Date: Thu Jul 2 19:33:45 2026 +0000
patch 9.2.0771: dict_add_list() has inconsistent ownership on failure
Problem: dict_add_list() frees the passed list on failure path
(when dict_add() fails) but not on the other (when
dictitem_alloc() fails), so a caller cannot tell whether it
still owns the list after a failure.
Solution: On failure leave the passed list untouched and owned by the
caller; only take a reference on success.
related: #20668
Supported by AI.
Signed-off-by: Christian Brabandt <
c...@256bit.org>
diff --git a/src/dict.c b/src/dict.c
index c34ce2981..110639508 100644
--- a/src/dict.c
+++ b/src/dict.c
@@ -484,12 +484,15 @@ dict_add_list(dict_T *d, char *key, list_T *list)
return FAIL;
item->di_tv.v_type = VAR_LIST;
item->di_tv.vval.v_list = list;
- ++list->lv_refcount;
if (dict_add(d, item) == FAIL)
{
+ // Detach "list" so dictitem_free() does not unref it: on failure
+ // ownership stays with the caller.
+ item->di_tv.vval.v_list = NULL;
dictitem_free(item);
return FAIL;
}
+ ++list->lv_refcount;
return OK;
}
diff --git a/src/version.c b/src/version.c
index c50ea4162..7fa823e7d 100644
--- a/src/version.c
+++ b/src/version.c
@@ -759,6 +759,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 771,
/**/
770,
/**/