From b2f6cc19eec3ce3f40e2c77751b47cec9c0e8fe3 Mon Sep 17 00:00:00 2001
From: tobias
Date: Sat, 8 Jan 2022 11:07:51 +0000
Subject: [PATCH] Fix possible use after free with long lines

Files with very long lines on machines with tight memory restrictions can provoke a failing realloc in expand_linebuf. This error condition was improperly handled, which could lead to a user after free bug by using the already freed linebuf variable again.

with input by and okay guenther@
---
 usr.bin/less/line.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/usr.bin/less/line.c b/usr.bin/less/line.c
index 9ce167b38e6..ff5dd9e8a7d 100644
--- a/usr.bin/less/line.c
+++ b/usr.bin/less/line.c
@@ -96,16 +96,16 @@ expand_linebuf(void)
 /* Just realloc to expand the buffer, if we can. */
 char *new_buf = recallocarray(linebuf, size_linebuf, new_size, 1);
- char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
- if (new_buf == NULL || new_attr == NULL) {
- free(new_attr);
- free(new_buf);
- return (1);
+ if (new_buf != NULL) {
+ char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
+ linebuf = new_buf;
+ if (new_attr != NULL) {
+ attr = new_attr;
+ size_linebuf = new_size;
+ return (0);
+ }
 }
- linebuf = new_buf;
- attr = new_attr;
- size_linebuf = new_size;
- return (0);
+ return (1);
 }
 /*
-- 
2.20.1
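Review bot: The partial-failure path of the new code — `new_buf != NULL` but `new_attr == NULL` — deliberately leaves `linebuf` pointing at a `new_size`-byte block while `attr` and `size_linebuf` keep the old size, and nothing in the hunk records that this asymmetry is intended, so the next reader is likely to see a mismatch and "repair" it back toward the pattern that produced the use-after-free. A comment on the `linebuf = new_buf;` line would pin the invariant: `/* Keep the enlarged linebuf even if attr cannot grow: size_linebuf still bounds both buffers, and recallocarray leaves the old block intact on failure. */`. The same property is what makes assigning `linebuf = new_buf;` before `new_attr` is checked safe, since a successful recallocarray has already released the old `linebuf` and the failed one has not touched `attr`. expand_linebuf's opening lines, including the computation of `new_size`, lie before the hunk.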