scc

simple c99 compiler
git clone git://git.simple-cc.org/scc

commit 9e531db4264918f88e229172edb0d96219ee7aa9
parent 50a91d39e8e87d66f334e40528c61687c1bab60d
Author: Roberto E. Vargas Caballero <k0ga@shike2.com>
Date:   Mon,  4 Apr 2022 20:36:38 +0200

cc1: Fix a use after free bug in setloc()

When setloc() is called in delinput() we pass to setloc() a pointer
to the file name of the current input, then we free that pointer and
we use it to allocate a new buffer with the content that the file
name pointer of the current input had.

Diffstat:
M src/cmd/cc/cc1/lex.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/cmd/cc/cc1/lex.c b/src/cmd/cc/cc1/lex.c @@ -34,8 +34,15 @@ setloc(char *fname, unsigned line) memmove(filenam, fname, len); filenam[len] = '\0'; - free(input->filenam); - input->filenam = xstrdup(fname); + /* + * There are cases where we want to call setloc() + * with the data in input, and then we have t be + * careful about freeing input->filenam + */ + if (fname != input->filenam) { + free(input->filenam); + input->filenam = xstrdup(fname); + } } lineno = input->lineno = line;
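Review bot: the guard `if (fname != input->filenam)` only covers the exact-alias case and still relies on calling `free(input->filenam)` before `xstrdup(fname)`; duplicating first and freeing second, e.g. `char *new = xstrdup(fname); free(input->filenam); input->filenam = new;`, removes the use-after-free for any `fname` that points into the old buffer and needs no special case at all. The new comment also has a typo: "we have t be careful" should read "we have to be careful".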