BUG/MEDIUM: pattern: fixup use_after_free in the pat_ref_delete_by_id

I found there is use_after_free bug in the pat_ref_delete_by_id.

[wt: it seems this fix must be backported to 1.5 as well]

diff --git a/src/pattern.c b/src/pattern.c
index 07e1a524d93dbefd5eaa14039a5b826f2f023fe5..254c10650ed2967c76611357b86a736f4a1ec977 100644 (file)
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1540,14 +1540,13 @@ int pat_ref_delete_by_id(struct pat_ref *ref, struct pat_ref_elt *refelt)
        /* delete pattern from reference */
        list_for_each_entry_safe(elt, safe, &ref->head, list) {
                if (elt == refelt) {
+                       list_for_each_entry(expr, &ref->pat, list)
+                               pattern_delete(expr, elt);
+
                        LIST_DEL(&elt->list);
                        free(elt->sample);
                        free(elt->pattern);
                        free(elt);
-
-                       list_for_each_entry(expr, &ref->pat, list)
-                               pattern_delete(expr, elt);
-
                        return 1;
                }
        }