From 7a2f217988afa1c35b9c093a9d3477198ea250b9 Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Sun, 24 Mar 2024 09:50:03 +0100 Subject: patch 9.1.0202: leaking memory in add_user() on failure Problem: leaking memory in add_user() (LuMingYinDetect) Solution: free user_copy pointer instead of the user ptr add_user() is called with a user pointer and the user pointer comes from these functions: - return value from the getpwent() function (Unix). - return value from the getpwnam() function (Unix). - return value from the NetUserEnum() function (MS Windows). For the first 2 callers, the man page for those functions directly says, one should not free the returned pointer (since it comes from static memory). For the third caller (on MS Windows), the returned buffer is already freed directly after calling the add_user() function in NetApiBufferFree(), so this would lead to a double free(). This all indicates, the user ptr is wrongly freed in the add_user() function and the intention was to free the user_copy pointer instead in case of an error. So let's just use that now. fixes: #14250 closes: #14260 Signed-off-by: Christian Brabandt --- src/misc1.c | 2 +- src/version.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/misc1.c b/src/misc1.c index 3085fc77fb..3b265be4fa 100644 --- a/src/misc1.c +++ b/src/misc1.c @@ -2092,7 +2092,7 @@ add_user(char_u *user, int need_copy) if (user_copy == NULL || *user_copy == NUL || ga_grow(&ga_users, 1) == FAIL) { if (need_copy) - vim_free(user); + vim_free(user_copy); return; } ((char_u **)(ga_users.ga_data))[ga_users.ga_len++] = user_copy; diff --git a/src/version.c b/src/version.c index b38b235a19..e074aebd0a 100644 --- a/src/version.c +++ b/src/version.c @@ -704,6 +704,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 202, /**/ 201, /**/ -- cgit v1.2.3