diff options
| author | John Baldwin <jhb@FreeBSD.org> | 2022-10-05 23:47:40 +0000 |
|---|---|---|
| committer | John Baldwin <jhb@FreeBSD.org> | 2022-10-05 23:47:40 +0000 |
| commit | e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf (patch) | |
| tree | 7a1f4277b6628bee749c24ca780ae8c0f46afc53 /usr.bin/rs | |
| parent | bb31e1bbf2ade7abd38eb29391e1ba0718723480 (diff) | |
| download | src-e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf.tar.gz src-e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf.zip | |
rs: Fix a use after free.
Using a pointer passed to realloc() after realloc() even for pointer
arithmetic is UB. It also breaks in practice on CHERI systems as
the updated value of 'sp' in this case would have had the bounds from
the old allocation.
This would be much cleaner if elem were a std::vector<char *>.
Reviewed by: brooks, emaste
Reported by: GCC -Wuse-after-free
Differential Revision: https://reviews.freebsd.org/D36831
Diffstat (limited to 'usr.bin/rs')
| -rw-r--r-- | usr.bin/rs/rs.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c index 99e48194b3c7..557c5b9f56c0 100644 --- a/usr.bin/rs/rs.c +++ b/usr.bin/rs/rs.c @@ -38,6 +38,7 @@ #include <err.h> #include <ctype.h> #include <limits.h> +#include <stddef.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -365,13 +366,15 @@ static char ** getptrs(char **sp) { char **p; + ptrdiff_t offset; + offset = sp - elem; allocsize += allocsize; p = (char **)realloc(elem, allocsize * sizeof(char *)); if (p == NULL) err(1, "no memory"); - sp += (p - elem); + sp = p + offset; endelem = (elem = p) + allocsize; return(sp); } |