From 3b03b435a29391ded301fa2f377141db3c8093b7 Mon Sep 17 00:00:00 2001 From: John Marriott Date: Sat, 28 Jun 2025 20:41:54 +0200 Subject: [PATCH] patch 9.1.1491: missing out-of-memory checks in cmdexpand.c Problem: missing out-of-memory checks in cmdexpand.c Solution: add out-of-memory checks for expand_files_and_dirs(), ExpandUserDefined() and ExpandUserList() (John Marriott) closes: #17570 Signed-off-by: John Marriott Signed-off-by: Christian Brabandt --- src/cmdexpand.c | 31 +++++++++++++++++++++++++------ src/version.c | 2 ++ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/src/cmdexpand.c b/src/cmdexpand.c index 2a23607229..4615aafac9 100644 --- a/src/cmdexpand.c +++ b/src/cmdexpand.c @@ -2991,6 +2991,9 @@ expand_files_and_dirs( { free_pat = TRUE; pat = vim_strsave(pat); + if (pat == NULL) + return ret; + for (i = 0; pat[i]; ++i) if (pat[i] == '\\') { @@ -3902,16 +3905,24 @@ ExpandUserDefined( if (match) { - if (ga_grow(&ga, 1) == FAIL) + char_u *p = vim_strnsave(s, (size_t)(e - s)); + if (p == NULL) break; + + if (ga_grow(&ga, 1) == FAIL) + { + vim_free(p); + break; + } + if (!fuzzy) - ((char_u **)ga.ga_data)[ga.ga_len] = vim_strnsave(s, e - s); + ((char_u **)ga.ga_data)[ga.ga_len] = p; else { fuzmatch_str_T *fuzmatch = &((fuzmatch_str_T *)ga.ga_data)[ga.ga_len]; fuzmatch->idx = ga.ga_len; - fuzmatch->str = vim_strnsave(s, e - s); + fuzmatch->str = p; fuzmatch->score = score; } ++ga.ga_len; 
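Review bot: The new early return in expand_files_and_dirs() hands back `ret`, whose value at this point is assigned outside the hunk, so a reader cannot confirm from here that the out-of-memory path reports failure. Writing `return FAIL;` would make the intent explicit and keep the path correct if the initializer of `ret` ever changes. Neither `*matches` nor `*numMatches` is assigned in the visible lines before this return, so it is worth confirming that callers do not read them when the function fails. The function body starts and ends outside the hunk.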
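Review bot: On allocation failure, both new `break` statements in ExpandUserDefined() leave the loop with the matches collected so far, and nothing in the hunk records that the list was cut short. If the code after the loop (outside this hunk) still reports success, a low-memory condition yields a silently truncated completion list. Consider setting a failure indicator before `break`, or at least documenting the choice with a comment such as `// out of memory: keep the matches gathered so far`. The same pattern appears in the ExpandUserList() hunk, where `break` after a failed `vim_strsave()` or `ga_grow()` falls through to `list_unref(retlist)`. The enclosing loops begin outside both hunks.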
@@ -3963,14 +3974,22 @@ ExpandUserList( // Loop over the items in the list. FOR_ALL_LIST_ITEMS(retlist, li) { + char_u *p; + if (li->li_tv.v_type != VAR_STRING || li->li_tv.vval.v_string == NULL) continue; // Skip non-string items and empty strings - if (ga_grow(&ga, 1) == FAIL) + p = vim_strsave(li->li_tv.vval.v_string); + if (p == NULL) break; - ((char_u **)ga.ga_data)[ga.ga_len] = - vim_strsave(li->li_tv.vval.v_string); + if (ga_grow(&ga, 1) == FAIL) + { + vim_free(p); + break; + } + + ((char_u **)ga.ga_data)[ga.ga_len] = p; ++ga.ga_len; } list_unref(retlist); diff --git a/src/version.c b/src/version.c index ff3c348564..42a3450329 100644 --- a/src/version.c +++ b/src/version.c @@ -719,6 +719,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 1491, /**/ 1490, /**/