* [9front] cmd/acme: fix user after free in wind.c (patch)
From: boehm.igor @ 2021-02-02 1:03 UTC (permalink / raw)
To: 9front; +Cc: boehm.igor
The function /sys/src/cmd/acme/wind.c:/^winaddincl contains a use
after free.
Below is a possible patch that also hopefully demonstrates the issue
where 'a' is freed but might be used later to format a warning:
diff -r 0b8c8ef6a3d4 sys/src/cmd/acme/wind.c
--- a/sys/src/cmd/acme/wind.c Tue Jan 19 15:18:57 2021 -0800
+++ b/sys/src/cmd/acme/wind.c Tue Feb 02 01:55:54 2021 +0100
@@ -610,13 +610,14 @@
r = runerealloc(r, n+1);
r[n] = 0;
}
- free(a);
if((d->qid.type&QTDIR) == 0){
free(d);
warning(nil, "%s: not a directory\n", a);
free(r);
+ free(a);
return;
}
+ free(a);
free(d);
w->nincl++;
w->incl = realloc(w->incl, w->nincl*sizeof(Rune*));
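Review bot: In the not-a-directory branch, free(a) now follows warning(), which removes the read of freed memory, but a is now released by hand on two separate exit paths (just before return, and again before the fall-through free(d)). An early return added later between those points would leak a or bring the bug back. Consider issuing the warning first and keeping free(d), free(r) and free(a) together, or add a one-line comment that a must outlive the warning() call. The fall-through free(a) also assumes nothing after w->nincl++ reads a; that part of the function is not visible in this hunk and is worth confirming. The subject says "user after free" where "use after free" is meant, which matters if it is reused as the commit message.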
* Re: [9front] cmd/acme: fix user after free in wind.c (patch)
From: cinap_lenrek @ 2021-02-03 0:19 UTC (permalink / raw)
To: 9front
applied.
thanks!
--
cinap