To: vim_dev@googlegroups.com Subject: Patch 8.1.0917 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.1.0917 Problem: Double free when running out of memory. Solution: Remove one free. (Ken Takata, closes #3955) Files: src/userfunc.c *** ../vim-8.1.0916/src/userfunc.c 2019-02-11 22:00:07.671917613 +0100 --- src/userfunc.c 2019-02-14 13:42:56.275420452 +0100 *************** *** 205,210 **** --- 205,211 ---- garray_T newlines; garray_T *pnewargs; ufunc_T *fp = NULL; + partial_T *pt = NULL; int varargs; int ret; char_u *start = skipwhite(*arg + 1); *************** *** 252,258 **** int len, flags = 0; char_u *p; char_u name[20]; - partial_T *pt; sprintf((char*)name, "%d", ++lambda_no); --- 253,258 ---- *************** *** 261,270 **** goto errret; pt = (partial_T *)alloc_clear((unsigned)sizeof(partial_T)); if (pt == NULL) - { - vim_free(fp); goto errret; - } ga_init2(&newlines, (int)sizeof(char_u *), 1); if (ga_grow(&newlines, 1) == FAIL) --- 261,267 ---- *************** *** 318,323 **** --- 315,321 ---- ga_clear_strings(&newargs); ga_clear_strings(&newlines); vim_free(fp); + vim_free(pt); eval_lavars_used = old_eval_lavars; return FAIL; } *** ../vim-8.1.0916/src/version.c 2019-02-14 13:28:42.143415639 +0100 --- src/version.c 2019-02-14 13:41:03.744014487 +0100 *************** *** 785,786 **** --- 785,788 ---- { /* Add new patch number below this line */ + /**/ + 917, /**/ -- I used to wonder about the meaning of life. But I looked it up in the dictionary under "L" and there it was - the meaning of life. It was less than I expected. - Dogbert /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///