From: Jay Satiro Date: Tue, 16 Feb 2021 22:13:22 +0000 (-0500) Subject: url: fix possible use-after-free in default protocol X-Git-Tag: curl-7_76_0~145 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=568190f493b140e08bfab97271038f924f4ce412;p=thirdparty%2Fcurl.git url: fix possible use-after-free in default protocol Prior to this change if the user specified a default protocol and a separately allocated non-absolute URL was used then it was freed prematurely, before it was then used to make the replacement URL. Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219 Reported-by: arvids-kokins-bidstack@users.noreply.github.com Closes https://github.com/curl/curl/pull/6613 --- diff --git a/lib/url.c b/lib/url.c index ae6c8e9c19..a1818466c4 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1901,13 +1901,12 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, if(data->set.str[STRING_DEFAULT_PROTOCOL] && !Curl_is_absolute_url(data->change.url, NULL, MAX_SCHEME_LEN)) { - char *url; - if(data->change.url_alloc) - free(data->change.url); - url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL], - data->change.url); + char *url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL], + data->change.url); if(!url) return CURLE_OUT_OF_MEMORY; + if(data->change.url_alloc) + free(data->change.url); data->change.url = url; data->change.url_alloc = TRUE; }