authorTobias Stoeckmann <tobias@cvs.openbsd.org>2022-01-08 11:07:52 +0000
committerTobias Stoeckmann <tobias@cvs.openbsd.org>2022-01-08 11:07:52 +0000
commit7e466bb3b15785532c8ece456b7b2b50522aba56 (patch)
tree4bc1624367cc637308c4a3ad133619e710e05151 /usr.bin
parent3f9189277726967cb26a52de205443aae217e248 (diff)
Fix possible use after free with long lines
Files with very long lines on machines with tight memory restrictions can provoke a failing realloc in expand_linebuf. This error condition was improperly handled, which could lead to a use after free bug by using the already freed linebuf variable again. with input by and okay guenther@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/less/line.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/usr.bin/less/line.c b/usr.bin/less/line.c
index 9ce167b38e6..ff5dd9e8a7d 100644
--- a/usr.bin/less/line.c
+++ b/usr.bin/less/line.c
@@ -96,16 +96,16 @@ expand_linebuf(void)
/* Just realloc to expand the buffer, if we can. */
char *new_buf = recallocarray(linebuf, size_linebuf, new_size, 1);
- char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
- if (new_buf == NULL || new_attr == NULL) {
- free(new_attr);
- free(new_buf);
- return (1);
+ if (new_buf != NULL) {
+ char *new_attr = recallocarray(attr, size_linebuf, new_size, 1);
+ linebuf = new_buf;
+ if (new_attr != NULL) {
+ attr = new_attr;
+ size_linebuf = new_size;
+ return (0);
+ }
}
- linebuf = new_buf;
- attr = new_attr;
- size_linebuf = new_size;
- return (0);
+ return (1);
}
/*
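Review bot: On the path where `new_buf` succeeds but `new_attr` is NULL, `linebuf` now points at a `new_size` allocation while `size_linebuf` keeps its old value, so a later call would pass a stale old-size argument in `recallocarray(linebuf, size_linebuf, new_size, 1)`; malloc(3) requires that argument to match the earlier allocation. Whether expand_linebuf() is called again after returning 1 is not visible in this hunk, so this needs checking against the callers. At minimum the early assignment deserves a comment such as `/* old linebuf is gone once recallocarray succeeds; keep new_buf even if attr fails */`, with a second line noting that `linebuf` and `attr` can differ in size after a failure. The opening lines of expand_linebuf lie outside the hunk.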