avoid use after free of frp and frp->tname

found by smatch, ok miod@ millert@

diff --git a/usr.bin/vi/common/exf.c b/usr.bin/vi/common/exf.c
index 1d966db..9b62d32 100644 (file)
--- a/usr.bin/vi/common/exf.c
+++ b/usr.bin/vi/common/exf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exf.c,v 1.48 2021/10/25 14:17:24 dv Exp $     */
+/*     $OpenBSD: exf.c,v 1.49 2024/02/14 03:07:58 jsg Exp $    */
 
 /*-
  * Copyright (c) 1992, 1993, 1994
@@ -207,6 +207,7 @@ file_init(SCR *sp, FREF *frp, char *rcv_name, int flags)
                if ((frp->tname = strdup(tname)) == NULL ||
                    (frp->name == NULL && (frp->name = strdup(tname)) == NULL)) {
                        free(frp->tname);
+                       frp->tname = NULL;
                        msgq(sp, M_SYSERR, NULL);
                        (void)unlink(tname);
                        goto err;
@@ -666,6 +667,7 @@ file_end(SCR *sp, EXF *ep, int force)
                        TAILQ_REMOVE(&sp->gp->frefq, frp, q);
                        free(frp->name);
                        free(frp);
+                       frp = NULL;
                }
                sp->frp = NULL;
        }
@@ -676,7 +678,10 @@ file_end(SCR *sp, EXF *ep, int force)
         * Close the db structure.
         */
        if (ep->db->close != NULL && ep->db->close(ep->db) && !force) {
-               msgq_str(sp, M_SYSERR, frp->name, "%s: close");
+               if (frp)
+                       msgq_str(sp, M_SYSERR, frp->name, "%s: close");
+               else
+                       msgq(sp, M_SYSERR, "close");
                ++ep->refcnt;
                return (1);
        }