[Bug-cssc] [bug #63488] use after free bug in writesubst.cc
From: anonymous
Subject: [Bug-cssc] [bug #63488] use after free bug in writesubst.cc
Date: Thu, 8 Dec 2022 06:43:45 -0500 (EST)
URL:
<https://savannah.gnu.org/bugs/?63488>
Summary: use after free bug in writesubst.cc
Project: GNU CSSC
Submitter: None
Submitted: Thu 08 Dec 2022 11:43:43 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Thu 08 Dec 2022 11:43:43 AM UTC By: Anonymous
Around line 109 we're doing expansion of the %M% keyword:
    case 'M':
    {
        /* get_module_name() returns a std::string by value; that temporary
           (and the buffer c_str() points into) is destroyed at the ';' that
           ends this declaration, so mod already dangles when fputs runs. */
        const char *mod = get_module_name().c_str();
        err = fputs_failed(fputs(mod, out));
    }
    break;
Problem is that by the time the fputs is done the temporary holding the return
from get_module_name has been freed, so using mod is a use after free. This
can show up as garbage being substituted in for %M%, especially when the
module name is long.
A quick fix is:
case 'M':
{
- const char *mod = get_module_name().c_str();
- err = fputs_failed(fputs(mod, out));
+ string mod = get_module_name();
+ err = fputs_failed(fputs(mod.c_str(), out));
}
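Review bot: `string mod` on the `+` line is unqualified, so the fix only compiles if writesubst.cc already has a `using` declaration for std::string in scope; spell it `const std::string mod = get_module_name();` (const, since it is only read). Binding the temporary to a const reference, `const std::string &mod = get_module_name();`, is an equally valid fix that avoids the copy, because a temporary bound to a const reference lives as long as the reference does. The hunk stops at the closing brace; the `break;` that follows that brace in the original snippet is unchanged context and must remain, otherwise the case falls through.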
(Debian bug 998642)
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?63488>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
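A worked example, added here as an editorial illustration and not part of the bug report or of CSSC's code, showing exactly when the temporary returned by a get_module_name()-style accessor is destroyed, and why each of the fixes survives the fputs call. TrackedString, get_module_name_stub, live_at and the fputs_failed stand-in are assumptions made for the demonstration: the real get_module_name() returns a plain std::string whose destructor cannot be instrumented, so the wrapper counts live objects instead of reading through the dangling pointer (which would be undefined behaviour). The final function runs the patched expansion through a real FILE* and reads the result back.

```cpp
// Added example, not CSSC code: demonstrates the temporary-lifetime rule
// behind the %M% use-after-free and checks each of the fixes.
#include <cstdio>
#include <string>
#include <utility>

// Assumed module name (not from the report); long enough that a real
// std::string would heap-allocate it instead of using its small-string
// buffer, which is why the bug shows up as garbage mainly for long names.
static const char kModuleName[] =
    "a-deliberately-long-module-name-that-will-not-fit-in-the-SSO-buffer";

// Number of TrackedString objects currently alive.
static int g_live = 0;

// Stand-in for std::string with an observable lifetime.
struct TrackedString {
    std::string value;
    explicit TrackedString(std::string v) : value(std::move(v)) { ++g_live; }
    TrackedString(const TrackedString &o) : value(o.value) { ++g_live; }
    ~TrackedString() { --g_live; }
    const char *c_str() const { return value.c_str(); }
};

// Stand-in for CSSC's get_module_name(): returns by value, i.e. a temporary.
static TrackedString get_module_name_stub() { return TrackedString(kModuleName); }

// Reports how many TrackedStrings are alive at the moment a pointer is used.
static int live_at(const char * /*p*/) { return g_live; }

// The pattern from the report. The temporary dies at the ';' that ends the
// declaration, so nothing backs `mod` afterwards. We never read through it
// (undefined behaviour); we only observe that the object is already gone.
static int live_at_use_buggy() {
    const char *mod = get_module_name_stub().c_str();   // temporary destroyed here
    (void)mod;        // the real code would now call fputs(mod, out)
    return g_live;    // 0
}

// Fix as proposed in the report: a named copy lives until the end of scope.
static int live_at_use_fixed_copy() {
    const TrackedString mod = get_module_name_stub();
    return live_at(mod.c_str());   // 1
}

// Equivalent fix: binding the temporary to a const reference extends its
// lifetime to the reference's scope, without a copy.
static int live_at_use_fixed_ref() {
    const TrackedString &mod = get_module_name_stub();
    return live_at(mod.c_str());   // 1
}

// Also safe: using the pointer inside the same full expression that created
// the temporary, which is not destroyed until that whole expression ends.
static int live_at_use_single_expression() {
    return live_at(get_module_name_stub().c_str());   // 1
}

// Stand-in for CSSC's fputs_failed() helper (assumed contract: true on error).
static bool fputs_failed(int rc) { return rc == EOF; }

// The fixed %M% expansion, written as in the proposed patch.
static bool write_module_keyword(FILE *out) {
    const TrackedString mod = get_module_name_stub();
    return fputs_failed(std::fputs(mod.c_str(), out));
}

// Runs the fixed expansion into a temporary file and reads it back so the
// output can be checked rather than eyeballed. Returns "" on any error.
static std::string expand_module_to_string() {
    FILE *out = std::tmpfile();
    if (out == nullptr) return std::string();
    const bool failed = write_module_keyword(out);
    std::rewind(out);
    std::string result;
    char buf[128];
    size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, out)) > 0) result.append(buf, n);
    std::fclose(out);
    return failed ? std::string() : result;
}

int main() {
    std::printf("live objects when the pointer is used:\n");
    std::printf("  c_str() of a temporary (bug):  %d\n", live_at_use_buggy());
    std::printf("  named copy (proposed fix):     %d\n", live_at_use_fixed_copy());
    std::printf("  const reference:               %d\n", live_at_use_fixed_ref());
    std::printf("  single full expression:        %d\n", live_at_use_single_expression());
    std::printf("%%M%% expands to: %s\n", expand_module_to_string().c_str());
    return 0;
}
```

The "especially when the module name is long" observation in the report matches the small-string optimisation in common std::string implementations: a short name is stored inline in the (stack) string object and its bytes often survive intact after destruction, while a long name is heap-allocated and the freed block is quickly reused, which is what turns the dangling pointer into visible garbage. Building CSSC with -fsanitize=address makes the original line fail deterministically instead of depending on that.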