bug-ncurses

Use-after-free in _nc_free_and_exit()


From: Miroslav Lichvar
Subject: Use-after-free in _nc_free_and_exit()
Date: Wed, 17 Mar 2021 16:20:39 +0100

I'm looking at a report from a static analyser and there seems to be
one issue that looks like an actual bug, which in a test is reported
by valgrind too. In the "leaky" configuration of ncurses there is:

NCURSES_SP_NAME(_nc_free_and_exit) (NCURSES_SP_DCLx int code)
{
    if (SP_PARM) {
        delscreen(SP_PARM);
        if (SP_PARM->_term)
            NCURSES_SP_NAME(del_curterm) (NCURSES_SP_ARGx SP_PARM->_term);
    }

delscreen() frees SP_PARM, so it shouldn't be accessed after that
point. The _term seems to be freed in delscreen(), so maybe those two
lines following the delscreen() could be removed?

-- 
Miroslav Lichvar
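
The ownership question raised in the message above, as an added example that is not part of the original post and is not ncurses code: a simplified model in which the destroy routine releases both the screen and its terminal, so cleanup stops touching the pointer once that routine returns. All names (`struct screen`, `del_screen`, `cleanup_fixed`, `live_objects`) are hypothetical, and the assumption that the destroy routine frees the terminal follows the post's reading of delscreen().

```c
/* Simplified model of the ownership issue; NOT ncurses source.
 * Every name below is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct term   { int fd; };
struct screen { struct term *term; };
int live_objects;                 /* allocations not yet released */

void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_objects++;
    return p;
}
void tracked_free(void *p) { if (p) { live_objects--; free(p); } }

struct screen *new_screen(void) {
    struct screen *sp = tracked_alloc(sizeof *sp);
    if (!sp) return NULL;
    sp->term = tracked_alloc(sizeof *sp->term);
    if (!sp->term) { tracked_free(sp); return NULL; }
    return sp;
}

/* Assumed to own both objects, as the post suggests delscreen() does:
 * releases the terminal first, then the screen itself. */
void del_screen(struct screen *sp) {
    if (!sp) return;
    tracked_free(sp->term);
    tracked_free(sp);
}

/* Cleanup without the two trailing lines: after del_screen() returns,
 * sp is never read again. The reported pattern would test sp->term here,
 * reading freed memory and, in this model, releasing the terminal twice.
 * Returns the number of objects still allocated. */
int cleanup_fixed(struct screen **spp) {
    if (spp && *spp) {
        del_screen(*spp);
        *spp = NULL;              /* caller's handle cannot dangle */
    }
    return live_objects;
}

int main(void) {
    struct screen *sp = new_screen();
    printf("live before: %d\n", live_objects);
    printf("live after:  %d\n", cleanup_fixed(&sp));
    return 0;
}
```

The live-object count returning to zero shows that, under the stated assumption, dropping the post-free access leaks nothing.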



