[SV 45838] When invoking w32 programs, don't use free'd memory.

* w32/subproc/sub_proc.c (process_begin): Freeing argv[0] makes
the other argv[i] pointers invalid, so need to allocate a new
array and copy argv[i] for i != 0 first, replacing argv[0] with
the batch file name, before we can free argv[0].

diff --git a/w32/subproc/sub_proc.c b/w32/subproc/sub_proc.c
index 5496c7ebcf2b2789849d76bf898df950c8acb77a..3ce7ad3e1321a92754f32e92a3cdcb6dafc3af28 100644 (file)
--- a/w32/subproc/sub_proc.c
+++ b/w32/subproc/sub_proc.c
@@ -721,9 +721,26 @@ process_begin(
                 if (!shell_name
                     && batch_file_with_spaces(exec_fname)
                     && _stricmp(exec_path, argv[0]) == 0) {
+                        char *new_argv, *p;
+                        char **argvi;
+                        int arglen, i;
                         pass_null_exec_path = 1;
+                        /* Rewrite argv[] replacing argv[0] with exec_fname.  */
+                        for (argvi = argv + 1, arglen = strlen(exec_fname) + 1;
+                             *argvi;
+                             argvi++) {
+                                arglen += strlen(*argvi) + 1;
+                        }
+                        new_argv = xmalloc(arglen);
+                        p = strcpy(new_argv, exec_fname) + strlen(exec_fname) + 1;
+                        for (argvi = argv + 1, i = 1; *argvi; argvi++, i++) {
+                                strcpy(p, *argvi);
+                                argv[i] = p;
+                                p += strlen(*argvi) + 1;
+                        }
+                        argv[i] = NULL;
                         free (argv[0]);
-                        argv[0] = xstrdup(exec_fname);
+                        argv[0] = new_argv;
                 }
                 command_line = make_command_line( shell_name, exec_fname, argv);
         }