From f735e4d1d566cac3caa4a5e248179d07f0babefd Mon Sep 17 00:00:00 2001
From: Joachim Wiberg
Date: Sat, 24 May 2025 14:40:38 +0200
Subject: [PATCH] Fix possible out-of-bounds call to free()
The rl_filename_completion_function() may theoretically step out of bounds and call free on random pointers. Found by Coverity Scan.
Signed-off-by: Joachim Wiberg
---
 src/complete.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/src/complete.c b/src/complete.c
index 4bd0d07..c335149 100644
--- a/src/complete.c
+++ b/src/complete.c
@@ -273,13 +273,21 @@ char *rl_filename_completion_function(const char *text, int state)
 }
 }
- do {
+ while (i > 0)
 free(av[--i]);
- } while (i > 0);
- free(av);
- free(dir);
- free(file);
+ if (av) {
+ free(av);
+ av = NULL;
+ }
+ if (dir) {
+ free(dir);
+ dir = NULL;
+ }
+ if (file) {
+ free(file);
+ file = NULL;
+ }
 return NULL;
 }
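Review bot: The new loop `while (i > 0) free(av[--i]);` still indexes `av` before the `if (av)` test that follows it, so if `av` can be NULL here while `i` is non-zero (the guard added just below suggests NULL is considered possible), the cleanup path dereferences a null pointer. Putting the loop under the same check, e.g. `while (av && i > 0)`, keeps the two consistent. Since `free(NULL)` is a no-op, the `if (dir)` and `if (file)` guards add nothing beyond the NULL reset, and that reset only matters if these pointers outlive the call. Their declarations are outside the hunk, so a short comment such as `/* reset so a later call cannot free stale pointers */` would make the intent explicit. The function body starts before this hunk, so whether `i` always counts exactly the live entries of `av` cannot be confirmed from here.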