fixup a bad OpenBSD reaction on a bug afl showed:
set source to NULL only if the memory backing source is actually reclaimed; fixes segfault due to NULL(+24) pointer dereference reported by Score_Under (simplified testcase added; thanks!)
This commit is contained in:
tg
17
main.c
17
main.c
@ -34,7 +34,7 @@
|
||||
#include <locale.h>
|
||||
#endif
|
||||
|
||||
__RCSID("$MirOS: src/bin/mksh/main.c,v 1.316 2016/08/04 20:32:14 tg Exp $");
|
||||
__RCSID("$MirOS: src/bin/mksh/main.c,v 1.317 2016/08/04 20:51:35 tg Exp $");
|
||||
|
||||
extern char **environ;
|
||||
|
||||
@ -913,13 +913,6 @@ unwind(int i)
|
||||
/* FALLTHROUGH */
|
||||
default:
|
||||
quitenv(NULL);
|
||||
/*
|
||||
* quitenv() may have reclaimed the memory
|
||||
* used by source which will end badly when
|
||||
* we jump to a function that expects it to
|
||||
* be valid
|
||||
*/
|
||||
source = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1090,6 +1083,14 @@ reclaim(void)
|
||||
|
||||
remove_temps(e->temps);
|
||||
e->temps = NULL;
|
||||
|
||||
/*
|
||||
* if the memory backing source is reclaimed, things
|
||||
* will end up badly when a function expecting it to
|
||||
* be valid is run; a NULL pointer is easily debugged
|
||||
*/
|
||||
if (source && source->areap == &e->area)
|
||||
source = NULL;
|
||||
afreeall(&e->area);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user