
core: fix fixup_spve_* reuse after free

- fixup_spve_* functions have an optimization that checks if a
parsed format is a simple string and if this happens it frees
the fixed param and re-does the fixup with type==string.
However when freeing the result of the first fixup the original
string was freed too and the next string fixup would be
called with freed memory instead of a valid string.
(this bug was hidden before the memleak fix in af8f3e1536d)

Andrei Pelinescu-Onciul authored on 15/10/2009 15:58:05
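--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -197,7 +197,6 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 		int ret; \
 		char * bkp; \
 		fparam_t* fp; \
-		bkp=*param; \
 		if (param_no<=(no1)){ \
 			if ((ret=fix_param_types(FPARAM_PVE, param))<0){ \
 				ERR("Cannot convert function parameter %d to" #type2 "\n", \
@@ -206,6 +205,8 @@ FIXUP_F2FP_T(igp_pvar_pvar, 1, 3, 1, FPARAM_INT|FPARAM_PVS, FPARAM_PVS)
 			} else{ \
 				fp=(fparam_t*)*param; \
 				if ((ret==0) && (fp->v.pve->spec.getf==0)){ \
+					bkp=fp->orig; \
+					fp->orig=0; /* make sure orig string is not freed */ \
 					fparam_free_contents(fp); \
 					pkg_free(fp); \
 					*param=bkp; \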
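Review bot: With `bkp=*param;` removed from the declarations in the first hunk, `bkp` is now assigned only inside the `getf==0` branch of the second hunk, so any other use of `bkp` elsewhere in the macro body (which starts before the first hunk and continues past `*param=bkp;`) would read an uninitialized pointer. If the rest of the macro has such a path, initializing at the declaration, `char * bkp = 0; \`, keeps it defined; if not, moving the declaration into the branch makes the narrowed scope explicit. The fix also relies on fparam_free_contents() treating a null `orig` as nothing-to-free and on `fp->orig` being the same string `*param` held before fix_param_types(), neither of which is visible here; a comment spelling out the ownership handoff, e.g. `/* fp->orig is the pre-fixup string: detach it so fparam_free_contents() does not release it, then hand it back via *param */`, would say more than the current `make sure orig string is not freed`.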