From 6c3f73bc536082fec38bd36e6c8a121033c68835 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 2 Oct 2014 08:26:06 +0800
Subject: [EVAL] Fix use-after-free in dotrap/evalstring

The function dotrap calls evalstring using the stored trap string.
If evalstring then unsets that exact trap string then we will end
up using freed memory.

This patch fixes it by making evalstring always duplicate the string
before using it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 src/eval.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/eval.c')

diff --git a/src/eval.c b/src/eval.c
index c7358a6..3cfa1e5 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -160,6 +160,7 @@ evalstring(char *s, int flags)
 	struct stackmark smark;
 	int status;
 
+	s = sstrdup(s);
 	setinputstring(s);
 	setstackmark(&smark);
 
@@ -171,7 +172,9 @@ evalstring(char *s, int flags)
 		if (evalskip)
 			break;
 	}
+	popstackmark(&smark);
 	popfile();
+	stunalloc(s);
 
 	return status;
 }
-- 
cgit 1.4.1