author | Christian Brabandt <cb@256bit.org> | 2023-11-19 16:19:27 +0100 |
---|---|---|
committer | Christian Brabandt <cb@256bit.org> | 2023-11-21 19:52:12 +0100 |
commit | 567cae2630a51efddc07eacff3b38a295e1f5671 | |
tree | 0b28c67873be22d270ca7e0a977f47148c99645b /src | |
parent | cb0c113ddc0101b05a27c040774cb7106fc74cd4 | |
patch 9.0.2117: [security] use-after-free in qf_free_items
v9.0.2117
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When
freeing the qfline items, we may access freed memory, when qfp ==
qfpnext.
So only access qfpnext, when it hasn't been freed.
Signed-off-by: Christian Brabandt <cb@256bit.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/quickfix.c | 3 | ||||
-rw-r--r-- | src/version.c | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/src/quickfix.c b/src/quickfix.c index 207331f9b5..dd681ca239 100644 --- a/src/quickfix.c +++ b/src/quickfix.c @@ -4000,8 +4000,9 @@ qf_free_items(qf_list_T *qfl) // to avoid crashing when it's wrong. // TODO: Avoid qf_count being incorrect. qfl->qf_count = 1; + else + qfl->qf_start = qfpnext; } - qfl->qf_start = qfpnext; --qfl->qf_count; } diff --git a/src/version.c b/src/version.c index ed11338127..6994b3402c 100644 --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2117, +/**/ 2116, /**/ 2115, |
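Review bot: In the src/quickfix.c hunk, the branch that sets `qfl->qf_count = 1` now leaves `qfl->qf_start` untouched, so in the `qfp == qfpnext` case described in the commit message it would still hold the pointer that was just freed. What follows then relies on `--qfl->qf_count` bringing the count to zero before `qf_start` is read again; setting `qfl->qf_start = NULL` in that branch, or adding a comment stating where it gets reset, would make that invariant explicit. The new `else` also pairs with an unbraced `if` whose body is several comment lines plus one statement, so braces on both arms would keep a later edit from detaching it. The diffstat lists only src/quickfix.c and src/version.c, so no test accompanies the change; a short note on how the Coverity-reported path was checked would help.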