Closed
Description
Our code scanner has reported a use-after-free issue. I was wondering whether there is a chance that we could construct a configuration file that meets the following two points:
`match = list_find (pair_list, find_pair_in_list, pair)` returns NULL (can't find a pair in pair_list) and `list_find (color_list, find_color_in_list, color)` returns a valid color (found a valid color in color_list),
so that the execution from step 1 to step 2 can actually happen; step 2 would use the color freed at step 1.
Finally, even if we could construct a configuration file to trigger this execution path, I believe the use-after-free problem can only cause misbehavior in a multi-threaded environment, though I would still suggest that we reorder the code to avoid it.
Could anyone have a look at this?
```c
if (pair_list == NULL) {
  pair_list = list_create (pair);
} else if ((match = list_find (pair_list, find_pair_in_list, pair))) {
  free (pair);                      // duplicate pair: reuse the one already in the list
  pair = (GColorPair *) match->data;
} else {
  pair->idx += list_count (pair_list);
  pair_list = list_insert_prepend (pair_list, pair);
}
color->pair = pair;

if (color_list == NULL)
  color_list = list_create (color);
else if (list_find (color_list, find_color_in_list, color))
  free (color);                     // Step 1: freeing color
else
  color_list = list_insert_prepend (color_list, color);

if (!match) {
  init_pair (color->pair->idx, color->pair->fg, color->pair->bg); // Step 2: use color
}
```

Regards,
Alex, SourceBrella Inc.
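The reordering the report suggests, as an added example that is not part of the issue or of the project's own code: `init_pair` runs before the color-list step can free `color`, and reads its arguments through the local `pair` pointer, which is never freed on the `!match` path. The structure shapes (`GColorPair`, `GColor`), the list helpers and the two comparators are stand-ins assumed for this example; `run_scenario` builds the state the issue asks about directly (a color already in `color_list` with no matching entry in `pair_list`), since whether a configuration file can reach that state is exactly what is left open above.

```c
#include <stdlib.h>

/* Assumed stand-ins for the structures and list helpers named in the issue;
   shapes and comparators are example assumptions, not the project's own. */
typedef struct { int idx, fg, bg; } GColorPair;
typedef struct { int fg, bg, attr; GColorPair *pair; } GColor;
typedef struct node { void *data; struct node *next; } GList;

static GList *pair_list = NULL;
static GList *color_list = NULL;

/* Record of init_pair() calls so the outcome of add_color() can be checked. */
int init_calls = 0, init_idx = -1, init_fg = -1, init_bg = -1;
static void init_pair (int idx, int fg, int bg) {
  init_calls++; init_idx = idx; init_fg = fg; init_bg = bg;
}

static GList *list_create (void *data) {
  GList *n = malloc (sizeof *n);
  n->data = data; n->next = NULL;
  return n;
}
static GList *list_insert_prepend (GList *list, void *data) {
  GList *n = list_create (data);
  n->next = list;
  return n;
}
int list_count (GList *list) {
  int n = 0;
  for (; list; list = list->next) n++;
  return n;
}
static GList *list_find (GList *list, int (*cmp) (void *, void *), void *needle) {
  for (; list; list = list->next)
    if (cmp (list->data, needle)) return list;
  return NULL;
}
static int find_pair_in_list (void *data, void *needle) {
  GColorPair *a = data, *b = needle;
  return a->fg == b->fg && a->bg == b->bg;
}
static int find_color_in_list (void *data, void *needle) {
  GColor *a = data, *b = needle;
  return a->fg == b->fg && a->bg == b->bg && a->attr == b->attr;
}

/* Same logic as the snippet in the issue, reordered: init_pair() is called
   before the color-list step, through `pair` (still live when !match), so
   `color` is never dereferenced after free(). */
void add_color (GColor *color, GColorPair *pair) {
  GList *match = NULL;

  if (pair_list == NULL) {
    pair_list = list_create (pair);
  } else if ((match = list_find (pair_list, find_pair_in_list, pair))) {
    free (pair);
    pair = (GColorPair *) match->data;
  } else {
    pair->idx += list_count (pair_list);
    pair_list = list_insert_prepend (pair_list, pair);
  }
  color->pair = pair;

  if (!match)
    init_pair (pair->idx, pair->fg, pair->bg);   /* moved up: no freed memory involved */

  if (color_list == NULL)
    color_list = list_create (color);
  else if (list_find (color_list, find_color_in_list, color))
    free (color);                                /* duplicate color: last use of `color` */
  else
    color_list = list_insert_prepend (color_list, color);
}

static void free_list (GList *list) {
  while (list) { GList *n = list->next; free (list->data); free (list); list = n; }
}
void reset_state (void) {
  free_list (pair_list); free_list (color_list);
  pair_list = color_list = NULL;
  init_calls = 0; init_idx = init_fg = init_bg = -1;
}
static GColor *mk_color (int fg, int bg, int attr) {
  GColor *c = malloc (sizeof *c);
  c->fg = fg; c->bg = bg; c->attr = attr; c->pair = NULL;
  return c;
}
static GColorPair *mk_pair (int fg, int bg) {
  GColorPair *p = malloc (sizeof *p);
  p->idx = 0; p->fg = fg; p->bg = bg;
  return p;
}

/* Constructed state from the issue: the color is already in color_list (so the
   duplicate is freed) while its pair is absent from pair_list (so match == NULL
   and init_pair runs). Returns the idx handed to init_pair. */
int run_scenario (void) {
  reset_state ();
  color_list = list_create (mk_color (1, 2, 0));   /* seeded without a pair entry */
  add_color (mk_color (1, 2, 0), mk_pair (1, 2));  /* duplicate color, new pair */
  return init_idx;
}

/* Ordinary sequence: two distinct colors, then a duplicate of the first.
   Returns how many times init_pair ran (once per new pair). */
int run_normal (void) {
  reset_state ();
  add_color (mk_color (1, 2, 0), mk_pair (1, 2));
  add_color (mk_color (3, 4, 0), mk_pair (3, 4));
  add_color (mk_color (1, 2, 0), mk_pair (1, 2));
  return init_calls;
}
```

Building with `-fsanitize=address` is the practical check here: with the original ordering the scenario in `run_scenario` reports a heap-use-after-free at the `init_pair` call, with the reordered version it runs clean.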