The function /sys/src/cmd/acme/wind.c:/^winaddincl contains a use
after free.
Below is a possible patch that also hopefully demonstrates the issue
where 'a' is freed but might be used later to format a warning:
diff -r 0b8c8ef6a3d4 sys/src/cmd/acme/wind.c
--- a/sys/src/cmd/acme/wind.c Tue Jan 19 15:18:57 2021 -0800
+++ b/sys/src/cmd/acme/wind.c Tue Feb 02 01:55:54 2021 +0100
@@ -610,13 +610,14 @@
r = runerealloc(r, n+1);
r[n] = 0;
}
- free(a);
if((d->qid.type&QTDIR) == 0){
free(d);
warning(nil, "%s: not a directory\n", a);
free(r);
+ free(a);
return;
}
+ free(a);
free(d);
w->nincl++;
w->incl = realloc(w->incl, w->nincl*sizeof(Rune*));