This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [Patch] fix use-after-free in dcigettext.c
- From: Roland McGrath <roland at hack dot frob dot com>
- To: Jeff Law <law at redhat dot com>
- Cc: libc-alpha <libc-alpha at sourceware dot org>
- Date: Thu, 21 Jun 2012 13:47:42 -0700 (PDT)
- Subject: Re: [Patch] fix use-after-free in dcigettext.c
- References: <4FE37B32.1010302@redhat.com>
While that fix looks like it can't be wrong, looking at the surrounding
code it looks like there's a better fix. The old value is always available
in the new copy, i.e. NEWMEM->next. But about 30 lines below, we have:
newmem->next = transmem_list;
transmem_list = newmem;
Popping the element off and then putting it back on is entirely redundant.
The addition is necessary in the malloc (not realloc) case. But it could
just be done inside that case.
Thanks,
Roland
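The pattern the message describes, as an added illustration and not glibc's own dcigettext.c code: the head of a singly linked block list is grown with realloc, and any read through the old head pointer afterwards is a use-after-free, because realloc may have freed that memory. The old `next` field has already been copied into the reallocated block, so the fixed version reads it from `newmem`, and only the fresh-allocation path needs to push onto the list. The list type, the `head` variable (standing in for `transmem_list`) and the function names below are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed for this example: a singly linked list of growable blocks
   whose head may be reallocated in place. Not glibc's transmem_block_t. */
struct block {
    struct block *next;
    size_t size;
    char data[];
};

static struct block *head = NULL;   /* stands in for transmem_list */

/* Fresh allocation (the "malloc case"): this is the only place where a
   push onto the list is actually needed. */
struct block *push_new_block(size_t size) {
    struct block *b = malloc(sizeof *b + size);
    if (!b)
        return NULL;
    b->size = size;
    b->next = head;
    head = b;
    return b;
}

/* BUGGY pattern (never call this): after realloc the old head pointer may
   be dangling, so 'head->next' reads freed memory. The pop followed by the
   re-push at the end is also redundant: the block is already the head. */
struct block *grow_head_buggy(size_t size) {
    struct block *newmem = realloc(head, sizeof *newmem + size);
    if (!newmem)
        return NULL;
    head = head->next;          /* use-after-free: reads through the old pointer */
    newmem->size = size;
    newmem->next = head;        /* redundant pop/re-push */
    head = newmem;
    return newmem;
}

/* FIXED: the old 'next' survives inside the reallocated copy, so read
   nothing through the old pointer and simply replace the head. On realloc
   failure the old block is untouched, so 'head' stays valid. */
struct block *grow_head(size_t size) {
    if (!head)
        return push_new_block(size);
    struct block *newmem = realloc(head, sizeof *newmem + size);
    if (!newmem)
        return NULL;
    newmem->size = size;
    head = newmem;              /* newmem->next is already the old second element */
    return newmem;
}

size_t list_length(void) {
    size_t n = 0;
    for (struct block *b = head; b; b = b->next)
        n++;
    return n;
}

void free_all(void) {
    while (head) {
        struct block *n = head->next;
        free(head);
        head = n;
    }
}

/* Exercise the fixed path: two blocks, grow the head far past its size so
   realloc is likely to move it, then check that the list still links both
   blocks and the head's payload survived the move. Returns 1 on success. */
int demo(void) {
    free_all();
    struct block *first = push_new_block(16);
    struct block *second = push_new_block(16);
    if (!first || !second)
        return 0;
    memcpy(second->data, "hello", 6);
    /* 'second' must not be used after this call: it may be stale. */
    struct block *grown = grow_head(1u << 20);
    if (!grown)
        return 0;
    int ok = head == grown && head->next == first && head->size == (1u << 20)
             && strcmp(head->data, "hello") == 0 && list_length() == 2;
    free_all();
    return ok;
}

int main(void) {
    printf("fixed realloc path keeps list intact: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Running the buggy variant under AddressSanitizer (`-fsanitize=address`) reports the read in `head = head->next` as a heap-use-after-free whenever realloc moves the block, which is how a defect of this shape is usually caught in testing.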