commit 3accf046ec3d0ee4a762d15452ae46596e1a0540
author Christian Brabandt <cb@256bit.org> Fri Apr 25 19:01:06 2025 +0200
committer Christian Brabandt <cb@256bit.org> Fri Apr 25 19:01:06 2025 +0200
tree d544545413e557b59519d334f6e40b5b8ba40cb1
parent e380b5cbba23869b07e17cfc7f4602e2fe681945

patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)

Problem:  double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free
          regmatch.regprog and before_cursor in the error case

closes: #17203

Signed-off-by: glepnir <glephunter@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>

src/insexpand.c

diff --git a/src/insexpand.c b/src/insexpand.c
index 77c9831..94901f1 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3592,7 +3592,6 @@
     regmatch_T  regmatch;
     char_u      *before_cursor = NULL;
     char_u      *cur_end = NULL;
-    char_u      *trig = NULL;
     int          bytepos = 0;
     char_u	part[MAXPATHL];
     int		ret;
@@ -3643,20 +3642,21 @@
 	{
 	    if (vim_regexec_nl(&regmatch, before_cursor, (colnr_T)0))
 	    {
-		bytepos = (int)(regmatch.startp[0] - before_cursor);
-		trig = vim_strnsave(regmatch.startp[0],
+		char_u	*trig = vim_strnsave(regmatch.startp[0],
 			regmatch.endp[0] - regmatch.startp[0]);
 		if (trig == NULL)
 		{
 		    vim_free(before_cursor);
+		    vim_regfree(regmatch.regprog);
 		    return;
 		}
 
+		bytepos = (int)(regmatch.startp[0] - before_cursor);
 		ret = add_match_to_list(rettv, trig, -1, bytepos);
 		vim_free(trig);
 		if (ret == FAIL)
 		{
-		    vim_free(trig);
+		    vim_free(before_cursor);
 		    vim_regfree(regmatch.regprog);
 		    return;
 		}