ref: 994f5f0c289bac7791be212a1e5aae9ff4c6cc06
parent: 30791e0f686010b39c1ab2121df85da180960d53
author: ozan yigit <ozan.yigit@gmail.com>
date: Mon Sep 12 06:44:17 EDT 2022
adjbuf minlen error in cat, resulting in NULL pbuf. use-after-free issue with tempfree(x)
--- a/run.c
+++ b/run.c
@@ -1197,9 +1197,11 @@
x = execute(a[0]);
n1 = strlen(getsval(x));
- adjbuf(&s, &ssz, n1, recsize, 0, "cat1");
+ adjbuf(&s, &ssz, n1 + 1, recsize, 0, "cat1");
memcpy(s, x->sval, n1);
+ tempfree(x);
+
y = execute(a[1]);
n2 = strlen(getsval(y));
adjbuf(&s, &ssz, n1 + n2 + 1, recsize, 0, "cat2");
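Review bot: The two additions ahead of `y = execute(a[1]);` are order- and size-sensitive but carry no comment, so a later tidy-up could move `tempfree(x)` back beside `tempfree(y)` or drop the `+ 1` and reintroduce the bugs the commit message describes. I would add `/* copy and release x before a[1] is evaluated; x must not be used after this */` above `tempfree(x);` and `/* + 1: keep s non-NULL even when n1 == 0 */` on the "cat1" `adjbuf` call. Separately, `n1 + n2 + 1` is built from two `strlen` results and passed to `adjbuf` as a minimum length. If `n1` and `n2` are plain `int` (their declarations are outside the hunk), the sum could wrap for very long operands and undersize the buffer that the following `memcpy` writes into, so a range check before the "cat2" call is worth considering. The enclosing function begins and ends outside the hunk.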
@@ -1206,7 +1208,6 @@
memcpy(s + n1, y->sval, n2);
s[n1 + n2] = '\0';
- tempfree(x);
tempfree(y);
z = gettemp();
--