From: Kamil Dudka To: zsh-workers@zsh.org Subject: [PATCH 4/5] Src/module: fix use-after-free in setmathfuncs() Date: Wed, 7 Nov 2018 14:04:55 +0100 Message-Id: <20181107130456.18901-4-kdudka@redhat.com> In-Reply-To: <20181107130456.18901-1-kdudka@redhat.com> References: <20181107130456.18901-1-kdudka@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Wed, 07 Nov 2018 13:05:00 +0000 (UTC) Detected by Coverity Analysis: Error: USE_AFTER_FREE (CWE-825): zsh-5.5.1/Src/module.c:1390: freed_arg: "deletemathfunc" frees "f". zsh-5.5.1/Src/module.c:1352:6: freed_arg: "zfree" frees parameter "f". zsh-5.5.1/Src/mem.c:1888:5: freed_arg: "free" frees parameter "p". zsh-5.5.1/Src/module.c:1394: deref_after_free: Dereferencing freed pointer "f". 1392| ret = 1; 1393| } else { 1394|-> f->flags &= ~MFF_ADDED; 1395| } 1396| } --- Src/module.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/Src/module.c b/Src/module.c index 4ae78310f..33d75ebbd 100644 --- a/Src/module.c +++ b/Src/module.c @@ -1390,8 +1390,6 @@ setmathfuncs(char const *nam, MathFunc f, int size, int *e) if (deletemathfunc(f)) { zwarnnam(nam, "math function `%s' already deleted", f->name); ret = 1; - } else { - f->flags &= ~MFF_ADDED; } } f++; -- 2.17.2
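Review bot: the deleted else branch (`f->flags &= ~MFF_ADDED;`, the line Coverity flags at module.c:1394) was the only statement in this hunk that cleared MFF_ADDED after a successful deletemathfunc(f), and the commit message carries only the Coverity trace, so it does not say why dropping the clear is safe for entries that deletemathfunc() does not free. Suggest adding a sentence to the commit message stating where the flag is now cleared on the non-freeing path (for example, inside deletemathfunc() itself, if that is the case), or, if nothing else clears it, keeping the clear but guarding it with the same condition under which f is left allocated. It would also help to note in the message that the remaining `f->name` use in the zwarnnam() call is on the failure return of deletemathfunc(), so a reader can confirm that path never reaches the zfree() shown in the trace.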