double-free in bashline.c
From: |
Grisha Levit |
Subject: |
double-free in bashline.c |
Date: |
Thu, 16 Mar 2023 03:44:40 -0400 |
A few functions in bashline.c free static variables but do not assign
to them again until after calling bash_tilde_expand, which may
throw_to_top_level. If SIGINT is received at an inopportune time,
these variables are left pointing at freed memory and may be freed again.
diff --git a/bashline.c b/bashline.c
index 2745c4dd..b5c0a49f 100644
--- a/bashline.c
+++ b/bashline.c
@@ -1970,6 +1970,7 @@ command_word_completion_function (const char
*hint_text, int state)
free (dequoted_hint);
if (hint)
free (hint);
+ dequoted_hint = hint = (char *)NULL;
mapping_over = searching_path = 0;
hint_is_dir = CMD_IS_DIR (hint_text);
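Review bot: The added `dequoted_hint = hint = (char *)NULL;` carries no comment saying why the statics are cleared at this point, so a later cleanup could take it for a redundant store and remove it. A short comment would keep the invariant visible, for example `/* Clear the statics before anything that can throw_to_top_level (e.g. bash_tilde_expand on SIGINT), or they would be freed again. */`. The same applies to the resets added at `globword:`, in command_subst_completion_function and in glob_complete_word. The enclosing function starts and ends outside this hunk.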
@@ -2252,6 +2253,7 @@ globword:
free (fnhint);
if (filename_hint)
free (filename_hint);
+ fnhint = filename_hint = (char *)NULL;
filename_hint = sh_makepath (current_path, hint, 0);
/* Need a quoted version (though it doesn't matter much in most
@@ -2397,7 +2399,10 @@ command_subst_completion_function (const char
*text, int state)
start_len = text - orig_start;
filename_text = savestring (text);
if (matches)
- free (matches);
+ {
+ free (matches);
+ matches = (char **)NULL;
+ }
/*
* At this point we can entertain the idea of re-parsing
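Review bot: The braced `if (matches) { free (matches); matches = (char **)NULL; }` is written differently from the glob_complete_word hunk of the same patch, which does the same job with `FREE (matches);` followed by `matches = (char **)NULL;`. Using that two-line form here as well would make all four resets read alike and reduce this hunk to a one-line addition. Behaviour should be identical, assuming FREE is the usual null-checked wrapper around free. The function body continues outside the hunk.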
@@ -3873,9 +3878,11 @@ glob_complete_word (const char *text, int state)
{
rl_filename_completion_desired = 1;
FREE (matches);
+ matches = (char **)NULL;
if (globorig != globtext)
FREE (globorig);
FREE (globtext);
+ globorig = globtext = (char *)NULL;
ttext = bash_tilde_expand (text, 0);