From 6f10c70b59fa4e56aa479345fb0caeaac7429bfb Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Tue, 20 Aug 2019 22:58:37 +0200
Subject: patch 8.1.1895: using NULL pointer when out of memory
Problem: Using NULL pointer when out of memory.
Solution: Bail out or skip the code using the pointer. (Zu-Ming Jiang, closes #4805, closes #4843, closes #4939, closes #4844)
---
 src/buffer.c | 7 ++++++-
 src/highlight.c | 10 +++++++++-
 src/message.c | 23 +++++++++++++----------
 src/ops.c | 5 +++++
 src/version.c | 2 ++
 5 files changed, 35 insertions(+), 12 deletions(-)
(limited to 'src')
diff --git a/src/buffer.c b/src/buffer.c
index 78801a8121..f9686a7bd8 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -181,14 +181,19 @@ open_buffer(
 if (curbuf->b_ml.ml_mfp != NULL)
 break;
 /*
- * if there is no memfile at all, exit
+ * If there is no memfile at all, exit.
 * This is OK, since there are no changes to lose.
 */
 if (curbuf == NULL)
 {
 emsg(_("E82: Cannot allocate any buffer, exiting..."));
+
+ // Don't try to do any saving, with "curbuf" NULL almost nothing
+ // will work.
+ v_dying = 2;
 getout(2);
 }
+
 emsg(_("E83: Cannot allocate buffer, using other one..."));
 enter_buffer(curbuf);
 #ifdef FEAT_SYN_HL
diff --git a/src/highlight.c b/src/highlight.c
index db65ffca71..f32081d8ab 100644
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -3016,6 +3016,7 @@ syn_check_group(char_u *pp, int len)
 syn_add_group(char_u *name)
 {
 char_u *p;
+ char_u *name_up;
 // Check that the name is ASCII letters, digits and underscore.
 for (p = name; *p != NUL; ++p)
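Review bot: In the src/buffer.c hunk, the literal `2` assigned to `v_dying` is unexplained: the added comment says why saving is skipped, but not what the value means or where it is tested. getout() is outside this hunk, so it is only presumed here that it compares `v_dying` against a threshold before doing its exit-time work. Once that is confirmed I would extend the comment with a line such as `// 2 (not 1) is the value getout() checks to skip its exit-time work.` so that a later edit does not lower it by accident. open_buffer() itself starts and ends outside the hunk.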
@@ -3061,9 +3062,16 @@ syn_add_group(char_u *name)
 return 0;
 }
+ name_up = vim_strsave_up(name);
+ if (name_up == NULL)
+ {
+ vim_free(name);
+ return 0;
+ }
+
 vim_memset(&(HL_TABLE()[highlight_ga.ga_len]), 0, sizeof(hl_group_T));
 HL_TABLE()[highlight_ga.ga_len].sg_name = name;
- HL_TABLE()[highlight_ga.ga_len].sg_name_u = vim_strsave_up(name);
+ HL_TABLE()[highlight_ga.ga_len].sg_name_u = name_up;
 #if defined(FEAT_GUI) || defined(FEAT_TERMGUICOLORS)
 HL_TABLE()[highlight_ga.ga_len].sg_gui_bg = INVALCOLOR;
 HL_TABLE()[highlight_ga.ga_len].sg_gui_fg = INVALCOLOR;
diff --git a/src/message.c b/src/message.c
index da81fa0157..387a142a22 100644
--- a/src/message.c
+++ b/src/message.c
@@ -2588,16 +2588,19 @@ msg_puts_printf(char_u *str, int maxlen)
 int n = (int)(s - p);
 buf = alloc(n + 3);
- memcpy(buf, p, n);
- if (!info_message)
- buf[n++] = CAR;
- buf[n++] = NL;
- buf[n++] = NUL;
- if (info_message) // informative message, not an error
- mch_msg((char *)buf);
- else
- mch_errmsg((char *)buf);
- vim_free(buf);
+ if (buf != NULL)
+ {
+ memcpy(buf, p, n);
+ if (!info_message)
+ buf[n++] = CAR;
+ buf[n++] = NL;
+ buf[n++] = NUL;
+ if (info_message) // informative message, not an error
+ mch_msg((char *)buf);
+ else
+ mch_errmsg((char *)buf);
+ vim_free(buf);
+ }
 p = s + 1;
 }
 }
diff --git a/src/ops.c b/src/ops.c
index 7ede1f73a2..7b1d9ede7a 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -4556,6 +4556,11 @@ do_join(
 /* allocate the space for the new line */
 newp = alloc(sumsize + 1);
+ if (newp == NULL)
+ {
+ ret = FAIL;
+ goto theend;
+ }
 cend = newp + sumsize;
 *cend = 0;
diff --git a/src/version.c b/src/version.c
index 019ce2524b..2b9a0c6374 100644
--- a/src/version.c
+++ b/src/version.c
@@ -765,6 +765,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 1895,
 /**/
 1894,
 /**/
-- cgit v1.2.3
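Review bot: In the second src/highlight.c hunk, the new failure path frees `name` and returns 0, so syn_add_group() consumes its argument on this failure as well as on success, and nothing in the visible lines tells callers that. A caller that reads or frees `name` after a 0 return would be touching freed memory. The function header and its earlier early returns are outside this hunk (only one `return 0;` is visible as context), so it should be checked that they release `name` the same way. I would document the contract above the function: `// "name" must be allocated; it is either stored in the highlight table or freed here, so the caller must not use it after the call.`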
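Review bot: In the src/message.c hunk, when `alloc(n + 3)` fails the new `if (buf != NULL)` block is skipped and that line of the message is silently dropped, which on this path may be the very text reporting the out-of-memory condition. The guard removes the NULL dereference but leaves the loss undocumented; at minimum add `// Out of memory: this line of the message is not printed.` on the `if (buf != NULL)` line. Separately, `n` is an `int` narrowed from `s - p` and then passed to `memcpy()`, so its range depends on the bounds of `str` and `maxlen`, which are established outside this hunk. msg_puts_printf() starts and ends outside the hunk.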
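Review bot: In the src/ops.c hunk, the added NULL test covers allocation failure but not a bad size: `sumsize + 1` is passed to `alloc()` and `sumsize` is then used for `cend = newp + sumsize` with no visible range check. `sumsize` is declared and accumulated outside this hunk, so its type and upper bound cannot be confirmed here; if it is a signed integer summed over every joined line, an overflow would occur before this check can help. The bound is best enforced where the sum is built and recorded here with a comment such as `// sumsize was checked against overflow while it was accumulated above.` once that holds. The `theend` label is also outside the hunk, so it should be confirmed that it releases whatever do_join() allocated before this point.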