From: Han Boetes Subject: fix 2 leaks in word.c To: tech@openbsd.org Date: Sun, 22 Feb 2026 19:48:58 +0100 While reviewing word.c I noticed two memory leaks triggered by transposing words with M-t. First, in grabword(), the old *word buffer is never freed before asprintf() overwrites the pointer on each iteration. This leaks every previously allocated buffer except the last one. Second, in transposeword(), word2 is set to NULL before it is freed, making the free(word2) at the end of the function a no-op. Both leaks are confirmed by valgrind, they trigger on every successful M-t invocation, no OOM required.
--- a/word.c
+++ b/word.c
@@ -206,14 +206,20 @@
     int c;
     while (inword() == TRUE) {
+        char *newword;
         c = lgetc(curwp->w_dotp, curwp->w_doto);
         if (*word == NULL) {
-            if (asprintf(word, "%c", c) == -1)
+            if (asprintf(&newword, "%c", c) == -1)
                 return (errno);
         } else {
-            if (asprintf(word, "%s%c", *word, c) == -1)
+            if (asprintf(&newword, "%s%c", *word, c) == -1) {
+                free(*word);
+                *word = NULL;
                 return (errno);
+            }
+            free(*word);
         }
+        *word = newword;
         (void)forwdel(FFRAND, 1);
     }
     if (*word == NULL)
--- a/word.c
+++ b/word.c
@@ -176,6 +176,7 @@
         curwp->w_dotline = tmp2_w_dotline;
         curwp->w_dotp = tmp2_w_dotp;
+        free(word2);
         word2 = NULL;
     }
     curwp->w_doto = tmp2_w_doto;
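Review bot: In the `@@ -206` hunk, the failure branch of the second asprintf() calls `free(*word)` before `return (errno)`, so the function returns whatever errno holds after free() rather than the value asprintf() set. Where free() is guaranteed to preserve errno this is harmless, but on a libc without that guarantee the allocation error can be lost; saving it first costs one local: `int saved = errno; free(*word); *word = NULL; return (saved);`. Resetting `*word` to NULL on that path looks deliberate (a caller that frees the buffer on error would otherwise free it twice) and deserves a one-line comment saying so. The enclosing function starts and ends outside the hunk, so how callers treat the returned value cannot be checked from here.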
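Review bot: In the `@@ -176` hunk, `word2 = NULL;` directly after the new `free(word2);` now reads as redundant, yet per the commit description the function frees word2 again at its end, so the reset is what keeps that later call from becoming a double free. A short comment would stop a future cleanup from removing it, e.g. `/* freed here; the NULL keeps the free(word2) at the end of the function from freeing it twice */`. The block this line sits in opens outside the hunk, so any exit taken between the allocation of word2 and this free cannot be verified from the visible lines.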