ITS#9249 librewrite: fix malloc/free corruption

author Howard Chu <hyc@openldap.org>

Sat, 22 Aug 2020 11:38:10 +0000 (12:38 +0100)

committer Quanah Gibson-Mount <quanah@openldap.org>

Wed, 26 Aug 2020 15:01:51 +0000 (15:01 +0000)
author Howard Chu <hyc@openldap.org>
Sat, 22 Aug 2020 11:38:10 +0000 (12:38 +0100)
committer Quanah Gibson-Mount <quanah@openldap.org>
Wed, 26 Aug 2020 15:01:51 +0000 (15:01 +0000)
diff --git a/libraries/librewrite/subst.c b/libraries/librewrite/subst.c

index c07452b6cea928a768c6a2d115b0cf152ba1a2ae..ba0d2108738edfee05414258f3b9028d21c71d3f 100644 (file)
--- a/libraries/librewrite/subst.c
+++ b/libraries/librewrite/subst.c
@@ -32,7 +32,7 @@ rewrite_subst_compile(
  {
         size_t subs_len;
         struct berval *subs = NULL, *tmps;
-       struct rewrite_submatch *submatch = NULL;
+       struct rewrite_submatch *submatch = NULL, *tmpsm;
  
         struct rewrite_subst *s = NULL;
  
@@ -71,7 +71,16 @@ rewrite_subst_compile(
                         goto cleanup;
                 }
                 subs = tmps;
-               
+               subs[ nsub ].bv_val = NULL;
+
+               tmpsm = ( struct rewrite_submatch * )realloc( submatch,
+                               sizeof( struct rewrite_submatch )*( nsub + 1 ) );
+               if ( tmpsm == NULL ) {
+                       goto cleanup;
+               }
+               submatch = tmpsm;
+               submatch[ nsub ].ls_map = NULL;
+
                 /*
                  * I think an `if l > 0' at runtime is better outside than
                  * inside a function call ...
@@ -95,19 +104,12 @@ rewrite_subst_compile(
                  * Substitution pattern
                  */
                 if ( isdigit( (unsigned char) p[ 1 ] ) ) {
-                       struct rewrite_submatch *tmpsm;
                         int d = p[ 1 ] - '0';
  
                         /*
                          * Add a new value substitution scheme
                          */
  
-                       tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-                                       sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-                       if ( tmpsm == NULL ) {
-                               goto cleanup;
-                       }
-                       submatch = tmpsm;
                         submatch[ nsub ].ls_submatch = d;
  
                         /*
@@ -140,7 +142,6 @@ rewrite_subst_compile(
                  */
                 } else if ( p[ 1 ] == '{' ) {
                         struct rewrite_map *map;
-                       struct rewrite_submatch *tmpsm;
  
                         map = rewrite_map_parse( info, p + 2,
                                         (const char **)&begin );
@@ -152,13 +153,6 @@ rewrite_subst_compile(
                         /*
                          * Add a new value substitution scheme
                          */
-                       tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-                                       sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-                       if ( tmpsm == NULL ) {
-                               rewrite_map_destroy( &map );
-                               goto cleanup;
-                       }
-                       submatch = tmpsm;
                         submatch[ nsub ].ls_type =
                                 REWRITE_SUBMATCH_MAP_W_ARG;
                         submatch[ nsub ].ls_map = map;
author	Howard Chu <hyc@openldap.org>
	Sat, 22 Aug 2020 11:38:10 +0000 (12:38 +0100)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Wed, 26 Aug 2020 15:01:51 +0000 (15:01 +0000)