ref: d07fbdefdfa111ca1c6d61104c7f69adcf54baac
parent: 676fafd99e52b851ed18c606b8c2072bf38b4e84
author: Roberto E. Vargas Caballero <k0ga@shike2.com>
date: Mon Apr 4 16:36:38 EDT 2022
cc1: Fix a use after free bug in setloc() When setloc() is called in delinput() we pass to setloc() a pointer to the file name of the current input, then we free that pointer and we use it to allocate a new buffer with the content that the file name pointer of the current input had.
--- a/src/cmd/cc/cc1/lex.c
+++ b/src/cmd/cc/cc1/lex.c
@@ -34,8 +34,15 @@
memmove(filenam, fname, len);
filenam[len] = '\0';
- free(input->filenam);
- input->filenam = xstrdup(fname);
+ /*
+ * There are cases where we want to call setloc()
+ * with the data in input, and then we have t be
+ * careful about freeing input->filenam
+ */
+ if (fname != input->filenam) {
+ free(input->filenam);
+ input->filenam = xstrdup(fname);
+ }
}
lineno = input->lineno = line;