URL: <https://savannah.gnu.org/bugs/?66444>
Summary: Use after free in expand_string_dollar_quote function
Group: The GNU Bourne-Again SHell
Submitter: None
Submitted: Fri 15 Nov 2024 09:26:31 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Fri 15 Nov 2024 09:26:31 AM UTC    By: Anonymous

The static analyzer showed an error in function expand_string_dollar_quote (file: subst.c), where the t variable is used after free:

    freed_arg: free frees t.
    4290        free (t);
    CID 6159498: (#1 of 1): Read from pointer after free (USE_AFTER_FREE)
    212. use_after_free: Using freed pointer t.
    4291        if (singlequote_translations &&
    4292            ((news-sindex-1) != translen || STREQN (t, trans, translen) == 0))
    4293          t = sh_single_quote (trans);
    4294        else
    4295          t = sh_mkdoublequoted (trans, translen, 0);
    4296        sindex = news;
    4297      }

This is clearly a bug: we have free(t), and in the next instruction the t variable is used directly:

    4291        if (singlequote_translations &&
    4292            ((news-sindex-1) != translen || STREQN (t, trans, translen) == 0))

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66444>

_______________________________________________
  Message sent via Savannah
  https://savannah.gnu.org/
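Added example (not bash's code and not part of the report): a stand-alone C program that models the ordering Coverity flagged, beside the corrected ordering in which the comparison is evaluated while t is still live and only then freed. The helpers single_quote() and double_quote() are simplified stand-ins for bash's sh_single_quote() and sh_mkdoublequoted() and are assumptions about their behaviour; origlen stands for the report's (news-sindex-1), and singlequote_translations is passed as a parameter rather than read as a global. STREQN is reproduced as bash defines it in general.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* bash's STREQN(a, b, n) from general.h: n == 0 counts as equal, otherwise
 * the first byte and then the first n bytes must match. */
#define STREQN(a, b, n) \
    ((n) == 0 ? 1 : ((a)[0] == (b)[0] && strncmp((a), (b), (n)) == 0))

static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL)
        abort();
    return p;
}

/* Stand-in (assumption) for sh_single_quote(): wrap s in single quotes,
 * rewriting each embedded ' as '\''.  Caller frees the result. */
static char *single_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        quotes += (s[i] == '\'');
    char *out = xmalloc(n + 2 + quotes * 3 + 1), *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Stand-in (assumption) for sh_mkdoublequoted(s, slen, 0): wrap slen bytes
 * in double quotes, backslash-escaping what stays special inside "...". */
static char *double_quote(const char *s, size_t slen)
{
    char *out = xmalloc(2 * slen + 3), *p = out;
    *p++ = '"';
    for (size_t i = 0; i < slen; i++) {
        if (s[i] == '"' || s[i] == '\\' || s[i] == '$' || s[i] == '`')
            *p++ = '\\';
        *p++ = s[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* The ordering Coverity flagged: t is freed, then STREQN reads t[0] and
 * strncmp walks the freed buffer (undefined behaviour).  Kept only to be run
 * under -fsanitize=address, which reports heap-use-after-free on the STREQN
 * line.  origlen plays the role of the report's (news-sindex-1). */
static char *quote_translation_uaf(char *t, size_t origlen, const char *trans,
                                   int singlequote_translations)
{
    size_t translen = strlen(trans);
    free(t);
    if (singlequote_translations &&
        (origlen != translen || STREQN(t, trans, translen) == 0))
        return single_quote(trans);
    return double_quote(trans, translen);
}

/* Corrected ordering: compare while t is still live, keep only the boolean,
 * then free.  *used_single reports which quoting style was chosen. */
static char *quote_translation_fixed(char *t, size_t origlen, const char *trans,
                                     int singlequote_translations,
                                     int *used_single)
{
    size_t translen = strlen(trans);
    int changed = (origlen != translen) || STREQN(t, trans, translen) == 0;
    free(t);
    int single = singlequote_translations && changed;
    if (used_single != NULL)
        *used_single = single;
    return single ? single_quote(trans) : double_quote(trans, translen);
}

/* Run the fixed version on constructed input (the original $"..." text and
 * its translation); the heap copy of orig models the buffer bash frees. */
static char *quote_for_demo(const char *orig, const char *trans,
                            int singlequote_translations, int *used_single)
{
    size_t n = strlen(orig);
    char *t = memcpy(xmalloc(n + 1), orig, n + 1);
    return quote_translation_fixed(t, n, trans, singlequote_translations,
                                   used_single);
}

int main(void)
{
    int single;
    char *q = quote_for_demo("Hello, %s!", "Bonjour, %s !", 1, &single);
    printf("%s single=%d\n", q, single);    /* translated: single-quoted */
    free(q);
    q = quote_for_demo("it's", "it's", 1, &single);
    printf("%s single=%d\n", q, single);    /* untranslated: double-quoted */
    free(q);
    if (getenv("DEMO_UAF") != NULL) {       /* build with -fsanitize=address */
        char *t = memcpy(xmalloc(6), "Hello", 6);
        free(quote_translation_uaf(t, 5, "Salut", 1));   /* same length: STREQN runs */
    }
    return 0;
}
```

The decision the real code makes only needs one bit from t (does the translation differ from the original text?), so the fix is to compute that bit before the buffer is released; nothing after free(t) then touches the stale pointer. Note that the freed read is only reached when the lengths match, because the || short-circuits otherwise, which is why the DEMO_UAF path feeds equal-length strings.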