Commit: patch 9.2.0567: dict function name allocation failure not handled


Christian Brabandt

May 30, 2026, 2:45:12 PM
to vim...@googlegroups.com
patch 9.2.0567: dict function name allocation failure not handled

Commit: https://github.com/vim/vim/commit/2b2dfc4f5a6064efd192c19750b551a01f393e83
Author: thinca <thi...@gmail.com>
Date: Sat May 30 18:36:34 2026 +0000

patch 9.2.0567: dict function name allocation failure not handled

Problem: When defining a dictionary function, the function name string
is allocated with vim_strnsave() but the result is not
checked. On allocation failure the dict entry is left with
type VAR_FUNC and a NULL name, and in the overwrite case the
previous entry has already been freed before the NULL is
stored.
Solution: Allocate the name before modifying the dict entry and bail out
on failure, freeing it on all error paths (thinca)

closes: #20376

Co-Authored-by: Claude <nor...@anthropic.com>
Signed-off-by: thinca <thi...@gmail.com>
Signed-off-by: Christian Brabandt <c...@256bit.org>

diff --git a/src/userfunc.c b/src/userfunc.c
index 261518538..bd4c0bbc3 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -5612,18 +5612,27 @@ define_function(

if (fudi.fd_dict != NULL)
{
+ char_u *func_name = vim_strnsave(name, namelen);
+
+ if (func_name == NULL)
+ {
+ VIM_CLEAR(fp);
+ goto erret;
+ }
if (fudi.fd_di == NULL)
{
// add new dict entry
fudi.fd_di = dictitem_alloc(fudi.fd_newkey);
if (fudi.fd_di == NULL)
{
+ vim_free(func_name);
VIM_CLEAR(fp);
goto erret;
}
if (dict_add(fudi.fd_dict, fudi.fd_di) == FAIL)
{
vim_free(fudi.fd_di);
+ vim_free(func_name);
VIM_CLEAR(fp);
goto erret;
}
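Review bot: func_name now has to be released by hand in both the dictitem_alloc() and the dict_add() failure branches, next to the VIM_CLEAR(fp); goto erret; pair that already appears three times in this block, so any branch added here later can leak the string by forgetting one vim_free(). Consider a single local cleanup path that frees func_name and clears fp before jumping to erret, so each failure branch is one statement. The diff also touches only src/userfunc.c and src/version.c, so the new bail-out on a NULL func_name has no regression test; one that forces this allocation to fail while defining a dict function would keep the fix from regressing.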
@@ -5632,7 +5641,7 @@ define_function(
// overwrite existing dict entry
clear_tv(&fudi.fd_di->di_tv);
fudi.fd_di->di_tv.v_type = VAR_FUNC;
- fudi.fd_di->di_tv.vval.v_string = vim_strnsave(name, namelen);
+ fudi.fd_di->di_tv.vval.v_string = func_name;

// behave like "dict" was used
flags |= FC_DICT;
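Review bot: ownership of func_name passes to the dict entry at the `fudi.fd_di->di_tv.vval.v_string = func_name;` assignment, but nothing in the code says so, and the local pointer stays in scope afterwards. A one-line comment at the assignment stating that the entry now owns the string (and that func_name must not be freed past this point) would guard against a later error path adding a vim_free(func_name) and turning the fix into a double free.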
diff --git a/src/version.c b/src/version.c
index cf4cf4f2d..56ebd6f0c 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =

static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 567,
/**/
566,
/**/