9front - general discussion about 9front
From: boehm.igor@gmail.com
To: 9front@9front.org
Cc: boehm.igor@gmail.com
Subject: [9front] cmd/acme: fix use after free in wind.c (patch)
Date: Tue, 02 Feb 2021 02:03:17 +0100
Message-ID: <F14FA853A4995DE12662C1AB21550855@gmail.com>

The function /sys/src/cmd/acme/wind.c:/^winaddincl contains a use
after free.

Below is a possible patch that also hopefully demonstrates the issue
where 'a' is freed but might be used later to format a warning:

diff -r 0b8c8ef6a3d4 sys/src/cmd/acme/wind.c
--- a/sys/src/cmd/acme/wind.c	Tue Jan 19 15:18:57 2021 -0800
+++ b/sys/src/cmd/acme/wind.c	Tue Feb 02 01:55:54 2021 +0100
@@ -610,13 +610,14 @@
 		r = runerealloc(r, n+1);
 		r[n] = 0;
 	}
-	free(a);
 	if((d->qid.type&QTDIR) == 0){
 		free(d);
 		warning(nil, "%s: not a directory\n", a);
 		free(r);
+		free(a);
 		return;
 	}
+	free(a);
 	free(d);
 	w->nincl++;
 	w->incl = realloc(w->incl, w->nincl*sizeof(Rune*));
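Review bot: The order of the three `free` calls in the error branch is the point to preserve here: the new `free(a)` must stay after `warning(nil, "%s: not a directory\n", a)`, since `a` is the format argument and the removed `free(a)` above the `if((d->qid.type&QTDIR) == 0)` check is exactly what made that call read freed memory. Freeing `d` before the warning is harmless because the warning does not reference it. The fix does leave `free(a)` duplicated on both paths (the early-return branch and the fall-through after the `if`), which is correct because the branch returns; a one-line comment above the first `free(a)` saying it must follow the warning would keep a later cleanup from hoisting the call back above the `if`.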


Thread overview: 2+ messages
2021-02-02  1:03 boehm.igor [this message]
2021-02-03  0:19 ` cinap_lenrek
