Fix potential memory access after free in lw_expr_simplify_go() Thanks to Erik Gavriluk (erik@bombfactory.com) for spotting a missing "else" when attempting to resolve a "special" reference. This could have led to access to memory that had already been freed if a "special" resolved to an expression that also referenced the same special (a circular reference). Whether that can actually happen is questionable but the check must have been added for a reason so it follows that it should be done correctly. This also brings the code in line with similar code resolving symbol references which makes a similar check.

--- a/lwlib/lw_expr.c	Sun Nov 09 12:23:00 2014 -0700
+++ b/lwlib/lw_expr.c	Sat Mar 14 14:06:13 2015 -0600
@@ -577,7 +577,7 @@
 		te = evaluate_special(E -> value, E -> value2, priv);
 		if (lw_expr_contains(te, E))
 			lw_expr_destroy(te);
-		if (te)
+		else if (te)
 		{
 			for (o = E -> operands; o; o = o -> next)
 				lw_expr_destroy(o -> p);