List-Id: Zsh Workers List
X-Seq: 43795
In-Reply-To: <20181107130456.18901-4-kdudka@redhat.com>
References: <20181107130456.18901-1-kdudka@redhat.com> <20181107130456.18901-4-kdudka@redhat.com>
From: Mikael Magnusson Date: Wed, 7 Nov 2018 15:21:31 +0100 Message-ID: Subject: Re: [PATCH 4/5] Src/module: fix use-after-free in setmathfuncs() To: Kamil Dudka Cc: zsh-workers@zsh.org Content-Type: text/plain; charset="UTF-8" On 11/7/18, Kamil Dudka wrote: > Detected by Coverity Analysis: > > Error: USE_AFTER_FREE (CWE-825): > zsh-5.5.1/Src/module.c:1390: freed_arg: "deletemathfunc" frees "f". > zsh-5.5.1/Src/module.c:1352:6: freed_arg: "zfree" frees parameter "f". > zsh-5.5.1/Src/mem.c:1888:5: freed_arg: "free" frees parameter "p". > zsh-5.5.1/Src/module.c:1394: deref_after_free: Dereferencing freed pointer > "f". > 1392| ret = 1; > 1393| } else { > 1394|-> f->flags &= ~MFF_ADDED; > 1395| } > 1396| } > --- > Src/module.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/Src/module.c b/Src/module.c > index 4ae78310f..33d75ebbd 100644 > --- a/Src/module.c > +++ b/Src/module.c > @@ -1390,8 +1390,6 @@ setmathfuncs(char const *nam, MathFunc f, int size, > int *e) > if (deletemathfunc(f)) { > zwarnnam(nam, "math function `%s' already deleted", f->name); > ret = 1; > - } else { > - f->flags &= ~MFF_ADDED; > } > } > f++; > -- > 2.17.2 In the other branch, if f was already deleted, how can we use f->name there? -- Mikael Magnusson
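Review bot: In the branch this hunk keeps, `zwarnnam(nam, ..., f->name)` still reads `f` after `deletemathfunc(f)` has returned, and the Coverity trace in the commit message says that call frees `f` (module.c:1352), so the commit message should state whether the nonzero-return path can ever reach that `zfree`. If it can, copy the name before the call and pass the copy to the warning. Separately, deleting `f->flags &= ~MFF_ADDED` outright means the flag is no longer cleared here on a successful delete. The `f++` that follows shows `f` walking a caller-supplied table, so any entry that `deletemathfunc` does not free would keep a stale `MFF_ADDED` unless the callee clears it. Please confirm that it does, or move the flag clear to a point where `f` is known to be valid, for example before the call or inside `deletemathfunc` ahead of the free.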