From 07c8b4712f84daa5cfd0c96f134710e6f4865b95 Mon Sep 17 00:00:00 2001
From: Christian Brabandt
Date: Sun, 24 May 2026 15:25:03 +0000
Subject: [PATCH] patch 9.2.0527: Possible double free in fill_partial_and_closure()
Problem: Possible double free in fill_partial_and_closure() (xuqing yang)
Solution: Let the caller handle the free()
Signed-off-by: Christian Brabandt
---
 src/version.c | 2 ++
 src/vim9execute.c | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/version.c b/src/version.c
index 91bfa5761c..708cd1746b 100644
--- a/src/version.c
+++ b/src/version.c
@@ -729,6 +729,8 @@ static char *(features[]) =
 static int included_patches[] = { /* Add new patch number below this line */
+/**/
+ 527,
 /**/
 526,
 /**/
diff --git a/src/vim9execute.c b/src/vim9execute.c
index e1ddb7c1de..68ca777d06 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -2157,10 +2157,8 @@ fill_partial_and_closure(
 // and local variables) so that the closure can use it later.
 // Store a reference to the partial so we can handle that.
 if (GA_GROW_FAILS(&ectx->ec_funcrefs, 1))
- {
- vim_free(pt);
+ // caller needs to free pt
 return FAIL;
- }
 // Extra variable keeps the count of closures created in the current
 // function call.
 ++(((typval_T *)ectx->ec_stack.ga_data) + ectx->ec_frame_idx
@@ -5123,7 +5121,10 @@ exec_instructions(ectx_T *ectx)
 if (fill_partial_and_closure(pt, ufunc, extra == NULL ? NULL : &extra->fre_loopvar_info, ectx) == FAIL)
+ {
+ vim_free(pt);
 goto theend;
+ }
 tv = STACK_TV_BOT(0);
 ++ectx->ec_stack.ga_len;
 tv->vval.v_partial = pt;
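Review bot: The ownership change in the `GA_GROW_FAILS` branch is recorded only by the inline `// caller needs to free pt`, although it changes the contract of the whole function: fill_partial_and_closure() no longer frees pt when it returns FAIL. The function's header comment, which like the start and end of the body lies outside this hunk, should state it, e.g. `// On FAIL "pt" is not freed; the caller keeps ownership and must free it.` The commit message implies that some caller was already freeing pt on this path, so every call site not shown in this diff should be checked to free it exactly once. A caller that relied on the old behaviour would now leak instead of double free.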
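Review bot: `vim_free(pt);` in the new FAIL branch releases only the partial allocation itself, so anything fill_partial_and_closure() stored in pt before the failing `GA_GROW_FAILS` check would be left behind. The earlier part of that function is not visible here, so this needs confirming: if it takes counted references on behalf of pt before that point, either it should undo them before returning FAIL or this branch should release them as well. pt also stays a dangling local until `goto theend;`, so `VIM_CLEAR(pt);` in place of `vim_free(pt);` would make any later accidental use fail safely. The body of exec_instructions() continues outside the hunk, so whether the cleanup at `theend` touches pt cannot be checked from here.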