Mercurial > hg > index.cgi
comparison lwlib/lw_expr.c @ 342:12e2453f8417
Fix potential memory access after free in lw_expr_simplify_go()
Thanks to Erik Gavriluk (erik@bombfactory.com) for spotting a missing "else"
when attempting to resolve a "special" reference. This could have led to
access to memory that had already been freed if a "special" resolved to an
expression that also referenced the same special (a circular reference).
Whether that can actually happen is questionable but the check must have
been added for a reason so it follows that it should be done correctly.
This also brings the code in line with similar code resolving symbol
references which makes a similar check.
| author | William Astle <lost@l-w.ca> |
|---|---|
| date | Sat, 14 Mar 2015 14:06:13 -0600 |
| parents | 6138e304ab9a |
| children | 433dbc18fb41 |
comparison
equal
deleted
inserted
replaced
| 341:48b1cc3991d8 | 342:12e2453f8417 |
|---|---|
| 575 lw_expr_t te; | 575 lw_expr_t te; |
| 576 | 576 |
| 577 te = evaluate_special(E -> value, E -> value2, priv); | 577 te = evaluate_special(E -> value, E -> value2, priv); |
| 578 if (lw_expr_contains(te, E)) | 578 if (lw_expr_contains(te, E)) |
| 579 lw_expr_destroy(te); | 579 lw_expr_destroy(te); |
| 580 if (te) | 580 else if (te) |
| 581 { | 581 { |
| 582 for (o = E -> operands; o; o = o -> next) | 582 for (o = E -> operands; o; o = o -> next) |
| 583 lw_expr_destroy(o -> p); | 583 lw_expr_destroy(o -> p); |
| 584 if (E -> type == lw_expr_type_var) | 584 if (E -> type == lw_expr_type_var) |
| 585 lw_free(E -> value2); | 585 lw_free(E -> value2); |