patch 9.1.0395: getregionpos() may leak memory on error

Problem: regionpos may leak memory on error, coverity complains about dereferencing Null pointer Solution: free all list pointers (after v9.1.394), return early if buflist_findnr() returns NULL closes: #14731 Signed-off-by: Christian Brabandt <cb@256bit.org>
vim · May 8, 2024 · b8ecedc · b8ecedc
1 parent 3ac83c7
commit b8ecedc
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/src/evalfunc.c b/src/evalfunc.c
@@ -5727,6 +5727,10 @@ add_regionpos_range(
     buf_T	*findbuf;
     int		max_col1, max_col2;
 
+    findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
+    if (findbuf == NULL || findbuf->b_ml.ml_mfp == NULL)
+	return;
+
     l1 = list_alloc();
     if (l1 == NULL)
 	return;
@@ -5739,25 +5743,34 @@ add_regionpos_range(
 
     l2 = list_alloc();
     if (l2 == NULL)
+    {
+	vim_free(l1);
 	return;
+    }
 
     if (list_append_list(l1, l2) == FAIL)
     {
+	vim_free(l1);
 	vim_free(l2);
 	return;
     }
 
     l3 = list_alloc();
     if (l3 == NULL)
+    {
+	vim_free(l1);
+	vim_free(l2);
 	return;
+    }
 
     if (list_append_list(l1, l3) == FAIL)
     {
+	vim_free(l1);
+	vim_free(l2);
 	vim_free(l3);
 	return;
     }
 
-    findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
 
     max_col1 = ml_get_buf_len(findbuf, lnum1);
     list_append_number(l2, bufnr);

diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    395,
 /**/
     394,
 /**/