From 6c3f73bc536082fec38bd36e6c8a121033c68835 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Thu, 2 Oct 2014 08:26:06 +0800 Subject: [EVAL] Fix use-after-free in dotrap/evalstring The function dotrap calls evalstring using the stored trap string. If evalstring then unsets that exact trap string then we will end up using freed memory. This patch fixes it by making evalstring always duplicate the string before using it. Signed-off-by: Herbert Xu --- src/eval.c | 3 +++ src/histedit.c | 3 +-- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/eval.c b/src/eval.c index c7358a6..3cfa1e5 100644 --- a/src/eval.c +++ b/src/eval.c @@ -160,6 +160,7 @@ evalstring(char *s, int flags) struct stackmark smark; int status; + s = sstrdup(s); setinputstring(s); setstackmark(&smark); @@ -171,7 +172,9 @@ evalstring(char *s, int flags) if (evalskip) break; } + popstackmark(&smark); popfile(); + stunalloc(s); return status; } diff --git a/src/histedit.c b/src/histedit.c index b27d629..94465d7 100644 --- a/src/histedit.c +++ b/src/histedit.c @@ -372,8 +372,7 @@ histcmd(int argc, char **argv) out2str(s); } - evalstring(strcpy(stalloc(strlen(s) + 1), s), - 0); + evalstring(s, 0); if (displayhist && hist) { /* * XXX what about recursive and -- cgit 1.4.1