From b8ecedce79149ac6b994177e9a68979f86065cb1 Mon Sep 17 00:00:00 2001
From: Christian Brabandt
Date: Wed, 8 May 2024 19:50:26 +0200
Subject: patch 9.1.0395: getregionpos() may leak memory on error
Problem: regionpos may leak memory on error, coverity complains about dereferencing Null pointer
Solution: free all list pointers (after v9.1.394), return early if buflist_findnr() returns NULL
closes: #14731
Signed-off-by: Christian Brabandt
---
 src/evalfunc.c | 15 ++++++++++++++-
 src/version.c | 2 ++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/evalfunc.c b/src/evalfunc.c
index cca7e2ca4c..44c7d06761 100644
--- a/src/evalfunc.c
+++ b/src/evalfunc.c
@@ -5727,6 +5727,10 @@ add_regionpos_range(
 buf_T *findbuf;
 int max_col1, max_col2;
+ findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
+ if (findbuf == NULL || findbuf->b_ml.ml_mfp == NULL)
+ return;
+
 l1 = list_alloc();
 if (l1 == NULL)
 return;
@@ -5739,25 +5743,34 @@ add_regionpos_range(
 l2 = list_alloc();
 if (l2 == NULL)
+ {
+ vim_free(l1);
 return;
+ }
 if (list_append_list(l1, l2) == FAIL)
 {
+ vim_free(l1);
 vim_free(l2);
 return;
 }
 l3 = list_alloc();
 if (l3 == NULL)
+ {
+ vim_free(l1);
+ vim_free(l2);
 return;
+ }
 if (list_append_list(l1, l3) == FAIL)
 {
+ vim_free(l1);
+ vim_free(l2);
 vim_free(l3);
 return;
 }
- findbuf = bufnr != 0 ? buflist_findnr(bufnr) : curbuf;
 max_col1 = ml_get_buf_len(findbuf, lnum1);
 list_append_number(l2, bufnr);
diff --git a/src/version.c b/src/version.c
index 128197063f..0e6ac314ed 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 395,
 /**/
 394,
 /**/
--
cgit v1.2.3
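Review bot: The new guard `findbuf->b_ml.ml_mfp == NULL` in the first evalfunc.c hunk has no comment, and the commit message only mentions the NULL return of buflist_findnr(). A one-line comment above the `if`, such as `// buffer does not exist or (presumably) is not loaded: nothing to measure`, would explain why such a buffer is skipped. Since the function returns with a bare `return;`, the caller gets no signal that no position was appended, which is worth stating in the function's header comment. The signature and header are outside the hunk.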
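Review bot: The added `vim_free(l1);` calls in the l2/l3 error paths of the second evalfunc.c hunk free only the list header with the plain allocator, which looks more likely to create a dangling pointer than to fix a leak. Once `list_append_list(l1, l2)` has succeeded, l1 holds an item that refers to l2, so `vim_free(l1); vim_free(l2);` leaks that item. If l1 was appended to the result list in the lines between the two hunks (not shown), that list keeps a pointer to the freed l1, which is a use-after-free or double free when the result is later read or released. I would drop the `vim_free(l1);` lines and leave lists that are already attached to their owner. A list that was never attached should be released with the list module's own routine, e.g. `list_free(l3);` instead of `vim_free(l3);`, assuming list_alloc() registers new lists for garbage collection as it does elsewhere in Vim. The function body starts and ends outside the hunk.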