Avoid use after free when retrying the -o file
authortb <tb@openbsd.org>
Fri, 20 Sep 2024 12:52:37 +0000 (12:52 +0000)
committertb <tb@openbsd.org>
Fri, 20 Sep 2024 12:52:37 +0000 (12:52 +0000)
This is horrible code and at least file leaks in various paths, but that's
for someone else to fix.

found by & ok jsg

games/fortune/fortune/fortune.c

index 6f17c4d..6524228 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: fortune.c,v 1.64 2024/05/21 05:00:47 jsg Exp $        */
+/*     $OpenBSD: fortune.c,v 1.65 2024/09/20 12:52:37 tb Exp $ */
 /*     $NetBSD: fortune.c,v 1.8 1995/03/23 08:28:40 cgd Exp $  */
 
 /*-
@@ -413,6 +413,7 @@ add_file(int percent, char *file, char *dir, FILEDESC **head, FILEDESC **tail,
                        if (was_malloc)
                                free(path);
                        path = offensive;
+                       offensive = NULL;
                        file = off_name(file);
                        was_malloc = true;
                }
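Review bot: The sequence "free the old path, adopt `offensive`, clear `offensive`, set `was_malloc`" is now written out by hand twice, in this block and again in the retry branch under `over:` in the next hunk, and the use after free came from one copy having the steps in the wrong order. Moving the sequence into a small static helper would leave a single place where the ordering can go wrong and would state the single-owner rule once. The sketch below assumes `path` and `offensive` are `char *` and `was_malloc` is a `bool`, which the hunk suggests but does not show. `add_file()` starts and ends outside the hunk.

```c
/*
 * Make *path take over the -o name held in *offensive.  The old path is
 * released first (if it was heap-allocated) and *offensive is cleared, so
 * the string has exactly one owner afterwards.
 */
static void
take_offensive(char **path, char **offensive, bool *was_malloc)
{
	if (*was_malloc)
		free(*path);
	*path = *offensive;
	*offensive = NULL;
	*was_malloc = true;
}

/* … unchanged: add_file() up to this block … */
			take_offensive(&path, &offensive, &was_malloc);
			file = off_name(file);
/* … unchanged: rest of add_file(); the retry branch under over: makes the same call … */
```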
@@ -430,9 +431,9 @@ over:
                 * we'll pick up the -o file anyway.
                 */
                if (All_forts && offensive != NULL) {
-                       path = offensive;
                        if (was_malloc)
                                free(path);
+                       path = offensive;
                        offensive = NULL;
                        was_malloc = true;
                        DPRINTF(1, (stderr, "\ttrying \"%s\"\n", path));
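Review bot: Nothing in the retry branch records why `free(path)` must come before `path = offensive`, and that ordering is the entire fix, so the code is easy to reshuffle back into the bug. A one-line comment above the `if (was_malloc)` would pin it down: `/* free the old path before adopting offensive; once they alias, free(path) would release the name we are about to open */`. The existing block comment only explains the -a/-o fallback, not who owns which string. The branch continues past the last line of the hunk, so how `file` is handled for the retry cannot be checked from here.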