patch 9.1.0202: leaking memory in add_user() on failure

Problem: leaking memory in add_user() (LuMingYinDetect) Solution: free user_copy pointer instead of the user ptr add_user() is called with a user pointer and the user pointer comes from these functions: - return value from the getpwent() function (Unix). - return value from the getpwnam() function (Unix). - return value from the NetUserEnum() function (MS Windows). For the first 2 callers, the man page for those functions directly says, one should not free the returned pointer (since it comes from static memory). For the third caller (on MS Windows), the returned buffer is already freed directly after calling the add_user() function in NetApiBufferFree(), so this would lead to a double free(). This all indicates, the user ptr is wrongly freed in the add_user() function and the intention was to free the user_copy pointer instead in case of an error. So let's just use that now. fixes: #14250 closes: #14260 Signed-off-by: Christian Brabandt <cb@256bit.org>
vim · Mar 24, 2024 · 7a2f217 · 7a2f217
1 parent 366c81a
commit 7a2f217
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/src/misc1.c b/src/misc1.c
@@ -2092,7 +2092,7 @@ add_user(char_u *user, int need_copy)
     if (user_copy == NULL || *user_copy == NUL || ga_grow(&ga_users, 1) == FAIL)
     {
 	if (need_copy)
-	    vim_free(user);
+	    vim_free(user_copy);
 	return;
     }
     ((char_u **)(ga_users.ga_data))[ga_users.ga_len++] = user_copy;

diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    202,
 /**/
     201,
 /**/