bug-gnulib

uninorm/filter: fix use-after-free bug


From: Bruno Haible
Subject: uninorm/filter: fix use-after-free bug
Date: Fri, 07 Jul 2017 00:21:23 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-83-generic; KDE/5.18.0; x86_64; ; )

2017-07-06  Bruno Haible  <address@hidden>

        uninorm/filter: Fix use-after-free bug.
        * lib/uninorm/uninorm-filter.c (uninorm_filter_write): Maintain
        sortbuf == filter->sortbuf invariant.
        Reported by Coverity.

diff --git a/lib/uninorm/uninorm-filter.c b/lib/uninorm/uninorm-filter.c
index 1e12713..d7f3bff 100644
--- a/lib/uninorm/uninorm-filter.c
+++ b/lib/uninorm/uninorm-filter.c
@@ -131,7 +131,7 @@ uninorm_filter_write (struct uninorm_filter *filter, ucs4_t 
uc_arg)
 
   {
     /* Cache sortbuf and sortbuf_count in local register variables.  */
-    struct ucs4_with_ccc * const sortbuf = filter->sortbuf;
+    struct ucs4_with_ccc *sortbuf = filter->sortbuf;
     size_t sortbuf_count = filter->sortbuf_count;
     int i;
 
@@ -252,9 +252,11 @@ uninorm_filter_write (struct uninorm_filter *filter, 
ucs4_t uc_arg)
             if (filter->sortbuf != filter->sortbuf_preallocated)
               free (filter->sortbuf);
             filter->sortbuf = new_sortbuf;
+            /* Update cache of filter->sortbuf.  */
+            sortbuf = filter->sortbuf;
           }
-        filter->sortbuf[sortbuf_count].code = uc;
-        filter->sortbuf[sortbuf_count].ccc = ccc;
+        sortbuf[sortbuf_count].code = uc;
+        sortbuf[sortbuf_count].ccc = ccc;
         sortbuf_count++;
       }
 
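Review bot: the refresh `sortbuf = filter->sortbuf;` closes the window in which the cached pointer still held the address just passed to `free (filter->sortbuf)`, but it is easy to miss as a separate statement three lines after the free. Writing the reassignment as a single step, `sortbuf = filter->sortbuf = new_sortbuf;`, makes the cache update impossible to separate from the store and removes the need for the explanatory comment. Also worth confirming in the surrounding code, which this hunk does not show, that the switch to writing through `sortbuf` instead of `filter->sortbuf` is paired with a final write-back of the local `sortbuf_count` to `filter->sortbuf_count`, since the local counter is now the only one being incremented in this loop.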