X-Seq: 25926
Date: Thu, 23 Oct 2008 00:46:32 +0000
From: Clint Adams To: zsh-workers@sunsite.dk Subject: Re: PATCH: use after free in setstrvalue Message-ID: <20081023004632.GA30506@scru.org> Mail-Followup-To: zsh-workers@sunsite.dk References: <20080913081628.GA25022@scru.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080913081628.GA25022@scru.org> User-Agent: Mutt/1.5.18 (2008-05-17) X-Virus-Scanned: ClamAV 0.92.1/8470/Wed Oct 22 17:13:42 2008 on bifrost X-Virus-Status: Clean On Sat, Sep 13, 2008 at 08:16:28AM +0000, Clint Adams wrote: > - zsfree(val); > if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) && > !v->pm->width) > v->pm->width = strlen(val); > + zsfree(val); Should have done this one too.. Index: Src/params.c =================================================================== RCS file: /cvsroot/zsh/zsh/Src/params.c,v retrieving revision 1.149 diff -u -r1.149 params.c --- Src/params.c 9 Oct 2008 13:46:45 -0000 1.149 +++ Src/params.c 23 Oct 2008 00:45:00 -0000 @@ -2253,10 +2253,10 @@ mnumber mn = matheval(val); v->pm->gsu.f->setfn(v->pm, (mn.type & MN_FLOAT) ? mn.u.d : (double)mn.u.l); - zsfree(val); if ((v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) && !v->pm->width) v->pm->width = strlen(val); + zsfree(val); } break; case PM_ARRAY:
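Review bot: the relocated `zsfree(val);` at the end of this branch is safe only while it remains the last statement that touches `val`, and this is the second branch where the free had been placed ahead of `v->pm->width = strlen(val);`, so the ordering needs something to stop it recurring. Add a short comment at the `zsfree(val);` line saying that the branch owns `val` and that the free must stay after the width computation, and check whether the neighbouring branches of the switch (the `case PM_ARRAY:` that follows, for one) free `val` before a later read in the same way. If each branch ends by freeing `val`, hoisting the width block and a single `zsfree(val);` to one place would remove the duplicated pattern that let the same mistake in twice.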