From baacf4bdda03fe9e916fbc1e3b480d8b161ad521 Mon Sep 17 00:00:00 2001
From: jsg
Date: Wed, 14 Feb 2024 03:07:58 +0000
Subject: [PATCH] avoid use after free of frp and frp->tname

found by smatch, ok miod@ millert@
---
 usr.bin/vi/common/exf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/usr.bin/vi/common/exf.c b/usr.bin/vi/common/exf.c
index 1d966db1823..9b62d32e045 100644
--- a/usr.bin/vi/common/exf.c
+++ b/usr.bin/vi/common/exf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: exf.c,v 1.48 2021/10/25 14:17:24 dv Exp $ */
+/* $OpenBSD: exf.c,v 1.49 2024/02/14 03:07:58 jsg Exp $ */
 
 /*-
  * Copyright (c) 1992, 1993, 1994
@@ -207,6 +207,7 @@ file_init(SCR *sp, FREF *frp, char *rcv_name, int flags)
 if ((frp->tname = strdup(tname)) == NULL ||
 (frp->name == NULL && (frp->name = strdup(tname)) == NULL)) {
 free(frp->tname);
+ frp->tname = NULL;
 msgq(sp, M_SYSERR, NULL);
 (void)unlink(tname);
 goto err;
@@ -666,6 +667,7 @@ file_end(SCR *sp, EXF *ep, int force)
 TAILQ_REMOVE(&sp->gp->frefq, frp, q);
 free(frp->name);
 free(frp);
+ frp = NULL;
 }
 sp->frp = NULL;
 }
@@ -676,7 +678,10 @@ file_end(SCR *sp, EXF *ep, int force)
 * Close the db structure.
 */
 if (ep->db->close != NULL && ep->db->close(ep->db) && !force) {
- msgq_str(sp, M_SYSERR, frp->name, "%s: close");
+ if (frp)
+ msgq_str(sp, M_SYSERR, frp->name, "%s: close");
+ else
+ msgq(sp, M_SYSERR, "close");
 ++ep->refcnt;
 return (1);
 }
-- 
2.20.1
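Review bot: The new `frp->tname = NULL;` in the file_init hunk carries no comment, so a later reader sees a reset of a field immediately before `goto err` and may remove it as dead. Since the commit message says the err path otherwise frees frp->tname a second time, a one-line comment such as `/* err: frees frp->tname; clear it so it is not freed twice */` would record that dependency on code outside this hunk. The enclosing block and the err label lie outside the hunk, so the double-free reasoning is inferred from the commit message rather than from visible lines.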
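Review bot: In the two file_end hunks the `frp = NULL;` reset and the `if (frp)` fallback fix the dangling read, but they leave the underlying ordering problem: the FREF is removed from frefq, freed and `sp->frp` cleared before `ep->db->close()` is attempted, so when close fails and `!force` the function returns 1 with `++ep->refcnt` keeping the EXF alive while the screen's FREF is already gone. Closing the db (and handling its failure) before the `TAILQ_REMOVE`/`free(frp)` block, or deferring the FREF teardown until after a successful close, would make the failure path recoverable and remove the need for the unnamed `msgq(sp, M_SYSERR, "close")` message. If the current order must stay, at least note it above the close check, e.g. `/* frp may already be freed and NULL here; see the FREF teardown above */`, since the NULL test is otherwise unexplained. file_end's body begins and ends outside these hunks, so the condition under which frp is freed and whether frp can be NULL on other paths is inferred, not visible.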