summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog4
-rw-r--r--src/eval.c3
-rw-r--r--src/histedit.c3
3 files changed, 8 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index f161a13..a56fc5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2014-10-02  Herbert Xu <herbert@gondor.apana.org.au>
+
+	* Fix use-after-free in dotrap/evalstring.
+
 2014-09-29  Herbert Xu <herbert@gondor.apana.org.au>
 
 	* Kill pgetc_macro.
diff --git a/src/eval.c b/src/eval.c
index c7358a6..3cfa1e5 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
 	struct stackmark smark;
 	int status;
 
+	s = sstrdup(s);
 	setinputstring(s);
 	setstackmark(&smark);
 
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
 		if (evalskip)
 			break;
 	}
+	popstackmark(&smark);
 	popfile();
+	stunalloc(s);
 
 	return status;
 }
diff --git a/src/histedit.c b/src/histedit.c
index b27d629..94465d7 100644
--- a/src/histedit.c
+++ b/src/histedit.c
@@ -372,8 +372,7 @@ histcmd(int argc, char **argv)
 					out2str(s);
 				}
 
-				evalstring(strcpy(stalloc(strlen(s) + 1), s),
-					   0);
+				evalstring(s, 0);
 				if (displayhist && hist) {
 					/*
 					 *  XXX what about recursive and
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-10-20 03:16:17 +0000