| author | Samar Sunkaria <sameesunkaria@me.com> | 2024-06-05 06:19:08 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-05 13:19:08 +0900 |
| commit | 7be6870751c2ab3f49365a955c51ce5ba1f1b752 (patch) | |
| tree | 9e5ff9d3b48d4dd2be562e42ea21c450cfd1d991 /src/lexer.c | |
| parent | 5208a4425f24f5c366dfed2eae85f1935199d683 (diff) | |
`jq_reset` calls `jv_free` on the `exit_code` and the `error_message` stored on the jq state.
However, it doesn't replace the actual instance of those members. This means that subsequent
calls to `jq_reset` will call `jv_free` again on those members, which in turn may call `free`
on the same pointer multiple times. Freeing the same pointer multiple times is undefined
behavior and can cause heap corruption, which is how I spotted this issue.

In practice, this issue only occurs when using a program that may `halt_error`, because that
is when the `exit_code` and `error_message` are set to values other than `jv_invalid`.
Subsequent attempts to call `jq_start` (which calls `jq_reset` internally) after hitting a
`halt_error` can cause you to run into this issue.

The changes simply reset the `exit_code` and the `error_message` to `jv_invalid` (the initial
value set in `jq_init`) after they are freed.
Diffstat (limited to 'src/lexer.c')
0 files changed, 0 insertions, 0 deletions
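The lifecycle the commit message describes (init to an invalid value, `halt_error` populating the members, a reset that frees them, a second reset that frees them again), as an added C illustration that is not jq's source. The `val_t` handle, the slot pool it points into, and the `halt_error`/`reset_*` functions are constructed stand-ins for `jv`, `jv_free`, `jv_invalid` and `jq_reset`; the pool records a double free as a counter instead of handing the pointer to `free` twice, so the defect is observable without corrupting the heap. `reset_buggy` is the pre-fix behaviour, `reset_fixed` restores the members to the invalid value after freeing them, as the patch does.

```c
#include <stdio.h>
#include <string.h>

/* Constructed slot allocator: stands in for the heap so a repeated free is
   counted rather than executed (not jq's jv allocator). */
#define POOL_SLOTS 8
static int pool_in_use[POOL_SLOTS];
static char pool_text[POOL_SLOTS][64];
static int double_free_count = 0;

/* Hypothetical value handle; slot < 0 plays the role of jv_invalid. */
typedef struct { int slot; } val_t;

static val_t val_invalid(void) { val_t v = { -1 }; return v; }

static val_t val_string(const char *s) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_in_use[i]) {
            pool_in_use[i] = 1;
            strncpy(pool_text[i], s, sizeof pool_text[i] - 1);
            pool_text[i][sizeof pool_text[i] - 1] = '\0';
            val_t v = { i };
            return v;
        }
    }
    return val_invalid();                 /* pool exhausted */
}

/* Freeing an invalid handle is a no-op; freeing a released slot is recorded. */
static void val_free(val_t v) {
    if (v.slot < 0) return;
    if (!pool_in_use[v.slot]) { double_free_count++; return; }
    pool_in_use[v.slot] = 0;
}

static int live_slots(void) {
    int n = 0;
    for (int i = 0; i < POOL_SLOTS; i++) n += pool_in_use[i];
    return n;
}

/* Stand-in for the two members of the jq state the commit talks about. */
typedef struct { val_t exit_code; val_t error_message; } state_t;

static void state_init(state_t *st) {      /* mirrors the jq_init initial value */
    st->exit_code = val_invalid();
    st->error_message = val_invalid();
}

static void halt_error(state_t *st, const char *msg) {  /* constructed stub */
    st->exit_code = val_string("5");
    st->error_message = val_string(msg);
}

/* Before the fix: the handles still refer to the released slots. */
static void reset_buggy(state_t *st) {
    val_free(st->exit_code);
    val_free(st->error_message);
}

/* After the fix: each member is returned to the initial invalid value. */
static void reset_fixed(state_t *st) {
    val_free(st->exit_code);
    st->exit_code = val_invalid();
    val_free(st->error_message);
    st->error_message = val_invalid();
}

/* Drives one halt_error followed by two resets (the second "jq_start" after a
   halt) and returns how many double frees the pool observed. */
static int run_scenario(void (*reset)(state_t *)) {
    double_free_count = 0;
    memset(pool_in_use, 0, sizeof pool_in_use);
    state_t st;
    state_init(&st);
    halt_error(&st, "constructed error message");
    reset(&st);
    reset(&st);
    return double_free_count;
}

int main(void) {
    int buggy = run_scenario(reset_buggy);
    printf("reset without resetting members: %d double frees\n", buggy);
    int fixed = run_scenario(reset_fixed);
    int live = live_slots();
    printf("reset with jv_invalid restore:   %d double frees, %d live slots\n", fixed, live);
    return 0;
}
```

The counter makes the failure mode visible in a unit test; in real code the same pattern is what AddressSanitizer's `double-free` report catches, and the general rule the patch applies is that any owning field must be set back to its "nothing owned" value immediately after it is released, never left dangling for the next reset to find.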