From 717766da8926e36cf86015c4a49554baa854e8e6 Mon Sep 17 00:00:00 2001
From: Bruno Haible
Date: Fri, 17 Jan 2020 21:56:01 +0100
Subject: glob: Fix use-after-free bug.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported by Tim Rühsen in .
* lib/glob.c (__glob): Delay freeing dirname until after the use of end_name.
---
 lib/glob.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'lib/glob.c')

diff --git a/lib/glob.c b/lib/glob.c
index a67cbb67e0..add5d939d2 100644
--- a/lib/glob.c
+++ b/lib/glob.c
@@ -843,10 +843,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 {
 size_t home_len = strlen (p->pw_dir);
 size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+ /* dirname contains end_name; we can't free it now. */
+ char *prev_dirname =
+ (__glibc_unlikely (malloc_dirname) ? dirname : NULL);
 char *d;
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
 malloc_dirname = 0;
 if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
@@ -857,6 +858,7 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 dirname = malloc (home_len + rest_len + 1);
 if (dirname == NULL)
 {
+ free (prev_dirname);
 scratch_buffer_free (&pwtmpbuf);
 retval = GLOB_NOSPACE;
 goto out;
@@ -868,6 +870,8 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
 d = mempcpy (d, end_name, rest_len);
 *d = '\0';
+ free (prev_dirname);
+
 dirlen = home_len + rest_len;
 dirname_modified = 1;
 }
-- cgit v1.2.1
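Review bot: After the `free (prev_dirname);` added in the third hunk, `end_name` is left dangling — the first hunk's own comment records that `end_name` points into the old `dirname`, and nothing in the new code clears it once that buffer is released. The fix is correct for the two reads visible here (the `strlen (end_name)` and the `mempcpy (d, end_name, rest_len)` both happen before the free), but a later read of `end_name` anywhere after this block would be the same use-after-free in a new place; I cannot see the rest of `__glob` from these hunks, so whether such a read exists is unverified. A defensive `end_name = NULL;` immediately after the free would turn any such latent use into a deterministic fault instead of a silent read of freed memory, or at minimum a comment such as `/* end_name pointed into prev_dirname and is now invalid. */` should sit next to the free. Note also that the failure path in the second hunk frees `prev_dirname` while `end_name` is likewise stale; that is harmless only if the `out:` cleanup, which is outside the hunk, does not touch `end_name`.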