patch 9.1.0202: leaking memory in add_user() on failurev9.1.0202

Problem:  leaking memory in add_user() (LuMingYinDetect)
Solution: free user_copy pointer instead of the user ptr

add_user() is called with a user pointer and the user pointer comes
from these functions:
- return value from the getpwent() function (Unix).
- return value from the getpwnam() function (Unix).
- return value from the NetUserEnum() function (MS Windows).

For the first 2 callers, the man page for those functions directly says,
one should not free the returned pointer (since it comes from static
memory).
For the third caller (on MS Windows), the returned buffer is already
freed directly after calling the add_user() function in
NetApiBufferFree(), so this would lead to a double free().

This all indicates, the user ptr is wrongly freed in the add_user()
function and the intention was to free the user_copy pointer instead in
case of an error.

So let's just use that now.

fixes: #14250
closes: #14260

Signed-off-by: Christian Brabandt <cb@256bit.org>

2 files changed, 3 insertions, 1 deletions

diff --git a/src/misc1.c b/src/misc1.c
index 3085fc77fb..3b265be4fa 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -2092,7 +2092,7 @@ add_user(char_u *user, int need_copy)
     if (user_copy == NULL || *user_copy == NUL || ga_grow(&ga_users, 1) == FAIL)
     {
 	if (need_copy)
-	    vim_free(user);
+	    vim_free(user_copy);
 	return;
     }
     ((char_u **)(ga_users.ga_data))[ga_users.ga_len++] = user_copy;
diff --git a/src/version.c b/src/version.c
index b38b235a19..e074aebd0a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    202,
+/**/
     201,
 /**/
     200,