From 3accf046ec3d0ee4a762d15452ae46596e1a0540 Mon Sep 17 00:00:00 2001
From: Christian Brabandt
Date: Fri, 25 Apr 2025 19:01:06 +0200
Subject: [PATCH] patch 9.1.1344: double free in f_complete_match() (after v9.1.1341)
Problem: double free in f_complete_match() (after v9.1.1341)
Solution: remove additional free of trig pointer, correctly free regmatch.regprog and before_cursor in the error case
closes: #17203
Signed-off-by: glepnir
Signed-off-by: Christian Brabandt
---
 src/insexpand.c | 8 ++++----
 src/version.c | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/insexpand.c b/src/insexpand.c
index 77c98311d2..94901f133f 100644
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3592,7 +3592,6 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
 regmatch_T regmatch;
 char_u *before_cursor = NULL;
 char_u *cur_end = NULL;
- char_u *trig = NULL;
 int bytepos = 0;
 char_u part[MAXPATHL];
 int ret;
@@ -3643,20 +3642,21 @@ f_complete_match(typval_T *argvars, typval_T *rettv)
 {
 if (vim_regexec_nl(®match, before_cursor, (colnr_T)0))
 {
- bytepos = (int)(regmatch.startp[0] - before_cursor);
- trig = vim_strnsave(regmatch.startp[0],
+ char_u *trig = vim_strnsave(regmatch.startp[0],
 regmatch.endp[0] - regmatch.startp[0]);
 if (trig == NULL)
 {
 vim_free(before_cursor);
+ vim_regfree(regmatch.regprog);
 return;
 }
+ bytepos = (int)(regmatch.startp[0] - before_cursor);
 ret = add_match_to_list(rettv, trig, -1, bytepos);
 vim_free(trig);
 if (ret == FAIL)
 {
- vim_free(trig);
+ vim_free(before_cursor);
 vim_regfree(regmatch.regprog);
 return;
 }
diff --git a/src/version.c b/src/version.c
index cd66bef574..1e8d8e3508 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 {
 /* Add new patch number below this line */
+/**/
+ 1344,
 /**/
 1343,
 /**/
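Review bot: The two early-return paths in the second src/insexpand.c hunk (after `trig == NULL` and after `ret == FAIL`) each spell out `vim_free(before_cursor); vim_regfree(regmatch.regprog); return;` by hand, and that hand-copied cleanup is the shape that allowed the extra `vim_free(trig)` and the missed frees this patch corrects. Sending both paths to one exit, for example `goto theend;` (label name illustrative) with the two frees done once at the label, would make it much harder for a later edit to reintroduce a double free or a leak. f_complete_match() begins and ends outside the hunk, so whether such a label could also serve the normal exit, and whether other returns inside the loop need the same cleanup, cannot be confirmed from the visible lines. The diffstat lists only src/insexpand.c and src/version.c, so no regression test accompanies the fix; a run of the existing complete_match() tests under a memory checker would at least cover the non-error path.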