artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 76a9da1)
Fix possible use after free with long lines
authortobias <tobias@openbsd.org>
Sat, 8 Jan 2022 11:07:51 +0000 (11:07 +0000)
committertobias <tobias@openbsd.org>
Sat, 8 Jan 2022 11:07:51 +0000 (11:07 +0000)
Files with very long lines on machines with tight memory restrictions
can provoke a failing realloc in expand_linebuf. This error condition
was improperly handled, which could lead to a user after free bug by
using the already freed linebuf variable again.

with input by and okay guenther@

usr.bin/less/line.c patch | blob | history

diff --git a/usr.bin/less/line.c b/usr.bin/less/line.c
index 9ce167b..ff5dd9e 100644 (file)
--- a/usr.bin/less/line.c
+++ b/usr.bin/less/line.c
@@ -96,16 +96,16 @@ expand_linebuf(void)
 
        /* Just realloc to expand the buffer, if we can. */
        char *new_buf = recallocarray(linebuf, size_linebuf, new_size, 1);
-       char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
-       if (new_buf == NULL || new_attr == NULL) {
-               free(new_attr);
-               free(new_buf);
-               return (1);
+       if (new_buf != NULL) {
+               char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
+               linebuf = new_buf;
+               if (new_attr != NULL) {
+                       attr = new_attr;
+                       size_linebuf = new_size;
+                       return (0);
+               }
        }
-       linebuf = new_buf;
-       attr = new_attr;
-       size_linebuf = new_size;
-       return (0);
+       return (1);
 }
 
 /*
OpenBSD src
by Ahmet Artu Yildirim