On Tuesday, July 31, 2018 11:09:13 AM CEST Sergey Poznyakoff wrote:
> Applied. Thank you.
Argh, sorry. There's now a double free if iconv() fails, because assign_string blindly frees an already freed pointer; I hadn't noticed it before. Patch attached.

Pavel
>From 1900925af783ad413cb072cf7b8f46c2779571b8 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup <prais...@redhat.com> Date: Tue, 31 Jul 2018 12:57:59 +0200 Subject: [PATCH] Fix decode_string() double-free Bug added by commit 577dc345653947a31. * src/utf8.c (utf8_convert): Don't touch '*output' string pointer if we return 'false', to avoid unexpected side-effects. --- src/utf8.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/utf8.c b/src/utf8.c index 168d636..abf26bc 100644 --- a/src/utf8.c +++ b/src/utf8.c @@ -65,7 +65,7 @@ bool utf8_convert (bool to_utf, char const *input, char **output) { char ICONV_CONST *ib; - char *ob; + char *ob, *ret; size_t inlen; size_t outlen; iconv_t cd = utf8_init (to_utf); @@ -80,14 +80,15 @@ utf8_convert (bool to_utf, char const *input, char **output) inlen = strlen (input) + 1; outlen = inlen * MB_LEN_MAX + 1; - ob = *output = xmalloc (outlen); + ob = ret = xmalloc (outlen); ib = (char ICONV_CONST *) input; if (iconv (cd, &ib, &inlen, &ob, &outlen) == -1) { - free (*output); + free (ret); return false; } *ob = 0; + *output = ret; return true; } -- 2.17.1
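Review bot: with this change the contract of utf8_convert() becomes "*output is written only when the function returns true", but nothing in the first hunk records that; add it to the comment above `bool utf8_convert (bool to_utf, char const *input, char **output)` so callers know that on false their previous *output pointer is still theirs to own and free. As a style point, the new local `ret` holds the output buffer rather than anything returned, so a name like `buf` next to `ob` would read more clearly than `char *ob, *ret;`.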
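Review bot: the failure branch in the second hunk (`free (ret); return false;`) leaves the conversion descriptor in whatever shift state the failed iconv() call reached. Since `cd` comes from utf8_init (to_utf) rather than a fresh iconv_open(), if that descriptor is reused for the next conversion the state should be cleared first with `iconv (cd, NULL, NULL, NULL, NULL);` before returning false; otherwise the ownership fix itself looks right, as *output is now only assigned after `*ob = 0;` on the success path.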
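The following is an added example, not tar's code and not part of the patch or the thread: a small C model of the ownership bug Pavel describes, with the pre-patch and post-patch shapes of the converter side by side. Everything here is constructed for illustration: `fake_convert()` stands in for iconv() and fails on a 0xFF byte (a made-up invalid sequence), `assign_string()` is an assumed caller helper that frees the current string before installing a new one, and a tracked allocator records frees in a ledger so the double free shows up as a count instead of being executed as undefined behaviour.

```c
/* Added example (not tar's code): model of the double free fixed above.
   A tracked allocator records frees so a second free of the same pointer
   is counted rather than performed (which would be undefined behaviour). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEDGER_MAX 32
static void *ledger[LEDGER_MAX];
static bool live[LEDGER_MAX];
static int ledger_n;
static int double_frees;

/* Really releases every block handed out so far and clears the counters.
   Memory is only returned to malloc here, so addresses are never reused
   inside one scenario and a dangling pointer stays recognisable. */
static void ledger_reset(void)
{
  for (int i = 0; i < ledger_n; i++)
    free(ledger[i]);
  ledger_n = 0;
  double_frees = 0;
}

static void *tracked_malloc(size_t n)
{
  void *p = malloc(n);
  if (!p || ledger_n == LEDGER_MAX)
    abort();
  ledger[ledger_n] = p;
  live[ledger_n] = true;
  ledger_n++;
  return p;
}

static char *tracked_strdup(const char *s)
{
  size_t n = strlen(s) + 1;
  return memcpy(tracked_malloc(n), s, n);
}

/* Marks p dead; freeing an already dead pointer is counted as a double free. */
static void tracked_free(void *p)
{
  if (!p)
    return;
  for (int i = 0; i < ledger_n; i++)
    if (ledger[i] == p)
      {
        if (live[i])
          live[i] = false;
        else
          double_frees++;
        return;
      }
  abort(); /* pointer we never handed out */
}

/* Stand-in for iconv(): a 0xFF byte is our constructed invalid sequence. */
static bool fake_convert(const char *in, char *out, size_t outlen)
{
  size_t n = strlen(in) + 1;
  if (n > outlen || strchr(in, '\xff'))
    return false;
  memcpy(out, in, n);
  return true;
}

/* Pre-patch shape: *output is assigned before converting and freed on
   failure, so the caller is left holding a dangling pointer. */
static bool convert_buggy(const char *input, char **output)
{
  size_t outlen = strlen(input) + 1;
  char *ob = *output = tracked_malloc(outlen);
  if (!fake_convert(input, ob, outlen))
    {
      tracked_free(*output);
      return false;
    }
  return true;
}

/* Post-patch shape: the buffer is private until success; *output is
   only written once conversion has succeeded. */
static bool convert_fixed(const char *input, char **output)
{
  size_t outlen = strlen(input) + 1;
  char *ret = tracked_malloc(outlen);
  if (!fake_convert(input, ret, outlen))
    {
      tracked_free(ret);
      return false;
    }
  *output = ret;
  return true;
}

/* Assumed caller helper: release the current string, install the new one. */
static void assign_string(char **string, char *value)
{
  tracked_free(*string);
  *string = value;
}

/* One conversion attempt by a caller that hands over its own string slot
   and falls back to "?" on failure. Returns the number of double frees. */
static int run_scenario(bool (*convert)(const char *, char **), const char *text)
{
  ledger_reset();
  char *value = tracked_strdup(text);
  if (!convert(value, &value))
    assign_string(&value, tracked_strdup("?"));
  tracked_free(value);
  int result = double_frees;
  ledger_reset();
  return result;
}

int main(void)
{
  printf("before patch, failing input: %d double free(s)\n",
         run_scenario(convert_buggy, "caf\xff"));
  printf("after patch,  failing input: %d double free(s)\n",
         run_scenario(convert_fixed, "caf\xff"));
  return 0;
}
```

The scenario deliberately passes the address of the caller's own string as the output slot: in the buggy shape the failed conversion frees the freshly allocated buffer but leaves that slot pointing at it, so the fallback `assign_string()` frees it a second time; in the fixed shape the slot still holds the original string, which is freed exactly once.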