BUG/MEDIUM: arg: ensure that we properly unlink unresolved arguments on error

If make_arg_list() fails to process an argument after having queued an unresolvable one, it frees the allocated argument list but doesn't remove the referenced args from the arg list. This causes a use after free or a double free if the same location was reused, during the deinit phase upon exit after reporting the error. Since it's not easy to properly unlinked all elements, we only release the args block if none of them was queued in the list.
2026-01-19 00:51:37 +01:00 · 2017-04-12 22:32:04 +02:00 · 2017-04-12 22:32:04 +02:00 · 0622f02b5a
commit 0622f02b5a
parent 266b1a8336
1 changed files with 8 additions and 2 deletions
--- a/src/arg.c
+++ b/src/arg.c
@ -104,6 +104,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,
 	char *word = NULL;
 	const char *ptr_err = NULL;
 	int min_arg;
+	struct arg_list *new_al = al;

 	*argp = NULL;

@ -165,7 +166,7 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,
 			 * parsing then resolved later.
 			 */
 			arg->unresolved = 1;
-			arg_list_add(al, arg, pos);
+			new_al = arg_list_add(al, arg, pos);

 			/* fall through */
 		case ARGT_STR:
@ -282,7 +283,12 @@ int make_arg_list(const char *in, int len, uint64_t mask, struct arg **argp,

 err:
 	free(word);
-	free(*argp);
+	if (new_al == al) {
+		/* only free the arg area if we have not queued unresolved args
+		 * still pointing to it.
+		 */
+		free(*argp);
+	}
 	*argp = NULL;
 	if (err_arg)
 		*err_arg = pos;