Fixed a use after free bug

Fixed a -Wuse-after-free warning that identified a call to realloc() in find_tty_state() could move the fd_setup array. Thanks goes to <GitHub user mattdm> for reporting this bug!
2025-08-19 01:13:27 +03:00 · 2022-12-03 10:10:21 -08:00
parent 74b833977b
commit 3aaad95443
2 changed files with 27 additions and 6 deletions
--- a/13
+++ b/13
@@ -1,3 +1,16 @@
+The following are the changes from calc version 2.14.2.0 to date:
+
+    Attempted to address a paranoid compiler warning -Wmaybe-uninitialized
+    in swap_HALF_in_ZVALUE() where the gcc compiler seems to ignore the
+    fact that calling not_reached() above the call to zcopyval()
+    should prevent dest from being NULL to the 1st zcopyval() call.
+    Thanks to <GitHub user mattdm> for raising this potential concern.
+
+    Fixed a -Wuse-after-free warning that identified a call to realloc()
+    in find_tty_state() could move the fd_setup array.  Thanks goes to
+    <GitHub user mattdm> for reporting this bug!
+
+
 The following are the changes from calc version 2.14.1.2 to date:

    Restored use of the #define FPOS_POS_LEN symbol.  This refers to
--- a/lib_calc.c
+++ b/lib_calc.c
@@ -693,7 +693,7 @@ calc_strdup(CONST char *s1)
 #else /* HAVE_STRDUP */

 	char *ret;	/* return string */
-	size_t s1_len; 	/* length of string to duplicate */
+	size_t s1_len;	/* length of string to duplicate */

 	/*
 	 * firewall
@@ -737,7 +737,7 @@ S_FUNC int
 find_tty_state(int fd)
 {
 	int *new_fd_setup;		/* new fd_setup array */
-	ttystruct *new_fd_orig; /* new fd_orig array */
+	ttystruct *new_fd_orig;		/* new fd_orig array */
 	ttystruct *new_fd_cur;		/* new fd_cur array */
 	int i;

@@ -764,7 +764,7 @@ find_tty_state(int fd)
 		if (fd_orig == NULL) {
 			return -1;
 		}
-		fd_cur = (ttystruct *)malloc(sizeof(fd_orig[0]));
+		fd_cur = (ttystruct *)malloc(sizeof(fd_cur[0]));
 		if (fd_cur == NULL) {
 			return -1;
 		}
@@ -796,26 +796,34 @@ find_tty_state(int fd)
 	/*
 	 * no empty slots exist, realloc another slot
 	 */
+	/* expand fd_setup */
 	new_fd_setup = (int *)realloc(fd_setup, sizeof(fd_setup[0]) *
 				      (fd_setup_len+1));
 	if (new_fd_setup == NULL) {
 		return -1;
 	}
+	fd_setup = new_fd_setup;
 	new_fd_setup[fd_setup_len] = -1;
-	new_fd_orig = (ttystruct *)realloc(fd_setup, sizeof(fd_orig[0]) *
+
+	/* expand fd_orig */
+	new_fd_orig = (ttystruct *)realloc(fd_orig, sizeof(fd_orig[0]) *
 					    (fd_setup_len+1));
 	if (new_fd_orig == NULL) {
 		return -1;
 	}
+	fd_orig = new_fd_orig;
+
+	/* expand fd_cur */
 	new_fd_cur = (ttystruct *)realloc(fd_cur, sizeof(fd_cur[0]) *
 					  (fd_setup_len+1));
 	if (new_fd_cur == NULL) {
 		return -1;
 	}
-	fd_setup = new_fd_setup;
-	fd_orig = new_fd_orig;
 	fd_cur = new_fd_cur;
+
+	/* expand fd setup length */
 	++fd_setup_len;
+
 	/* return the new slot */
 	return fd_setup_len-1;
 }