URL: <https://savannah.gnu.org/bugs/?66445>
Summary: Use after free in change_to_directory function
Group: The GNU Bourne-Again SHell
Submitter: None
Submitted: Fri 15 Nov 2024 10:48:54 AM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Fri 15 Nov 2024 10:48:54 AM UTC    By: Anonymous

There are two places where use after free occurs in the change_to_directory function defined in the cd.def file.

1. First place:

   assign: Assigning: tdir = nolinks ? sh_physpath(t, 0) : sh_canonpath(t, 3).

   571     tdir = nolinks ? sh_physpath (t, 0)
   572                    : sh_canonpath (t, PATH_CHECKDOTDOT|PATH_CHECKEXISTS);
   573
   574     ndlen = strlen (newdir);
   575
   576     /* Use the canonicalized version of NEWDIR, or, if canonicalization
   577        failed, use the non-canonical form. */
   578     canon_failed = 0;
   6. Condition tdir, taking true branch.
   7. Condition *tdir, taking false branch.
   579     if (tdir && *tdir)
   580       free (t);
   581     else
   582       {
   8. Condition tdir, taking true branch.
   9. freed_arg: free frees tdir.
   583         FREE (tdir);
   CID 6159462: (#1 of 1): Use after free (USE_AFTER_FREE)
   10. use_after_free: Using freed pointer t.
   584         tdir = t;
   585         canon_failed = 1;

2. Second place:

   CID 6159485: (#1 of 1): Use after free (USE_AFTER_FREE)
   14. use_after_free: Using freed pointer tdir.
   628     r = chdir (nolinks ? newdir : tdir);

_______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66445>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/