From e784a994b5f3759ffcc0d8c581c4ec09170a3067 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Helleu?=
Date: Sun, 7 Jun 2020 09:11:24 +0200
Subject: [PATCH] api: fix use of pointer after free in function key_unbind
---
 ChangeLog.adoc | 1 +
 src/gui/gui-key.c | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index 558615276..be4485e23 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -58,6 +58,7 @@ Bug fixes::
 * core: fix WEECHAT_SHAREDIR with CMake build (issue #1461)
 * core: fix memory leak in calculation of expression on FreeBSD (issue #1469)
 * core: fix resize of a bar when its size is 0 (automatic) (issue #1470)
+ * api: fix use of pointer after free in function key_unbind
 * api: replace plugin and buffer name by buffer pointer in argument "modifier_data" sent to weechat_print modifier callback (issue #42)
 * exec: fix use of same task id for different tasks (issue #1491)
 * fifo: fix errors when writing in the FIFO pipe (issue #713)
diff --git a/src/gui/gui-key.c b/src/gui/gui-key.c
index 6737f8033..73fb3f42f 100644
--- a/src/gui/gui-key.c
+++ b/src/gui/gui-key.c
@@ -921,7 +921,7 @@ gui_key_unbind_plugin (const char *context, const char *key)
 {
 int ctxt, num_keys, area_type;
 char *area_name;
- struct t_gui_key *ptr_key;
+ struct t_gui_key *ptr_key, *ptr_next_key;
 ctxt = gui_key_search_context (context);
 if (ctxt < 0)
@@ -944,8 +944,11 @@ gui_key_unbind_plugin (const char *context, const char *key)
 gui_key_set_area_type_name (key + 5, &area_type, &area_name);
 if (area_name)
 {
- for (ptr_key = gui_keys[ctxt]; ptr_key; ptr_key = ptr_key->next_key)
+ ptr_key = gui_keys[ctxt];
+ while (ptr_key)
 {
+ ptr_next_key = ptr_key->next_key;
+
 if (((ptr_key->area_type[0] == area_type) && ptr_key->area_name[0] && (strcmp (ptr_key->area_name[0], area_name) == 0))
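Review bot: The added line `ptr_next_key = ptr_key->next_key;` should carry a comment saying why the successor is read before the loop body, because nothing in this hunk shows that `ptr_key` can be freed; the `gui_key_unbind (NULL, ctxt, ptr_key->key)` call that frees it sits in the following hunk, and a later edit that moves the read below that call would silently reintroduce the use-after-free this commit fixes. Suggested: `/* read next_key now: gui_key_unbind() below frees ptr_key */`. The `if` condition at the end of this hunk continues past the hunk, and gui_key_unbind_plugin itself ends outside it.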
@@ -955,6 +958,8 @@ gui_key_unbind_plugin (const char *context, const char *key)
 {
 num_keys += gui_key_unbind (NULL, ctxt, ptr_key->key);
 }
+
+ ptr_key = ptr_next_key;
 }
 free (area_name);
 }
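Review bot: `ptr_key = ptr_next_key;` is only safe if `gui_key_unbind (NULL, ctxt, ptr_key->key)` releases exactly the node `ptr_key` and never the node `ptr_next_key` already points to; gui_key_unbind is not shown here, so that presumably rests on key names being unique within a context and on the unbind removing a single entry. If that invariant is ever relaxed (an unbind-by-name that removes several matching entries, or a key list with duplicates), the saved successor dangles and the `while (ptr_key)` test reads freed memory on the next iteration. Worth stating the assumption next to the assignment, e.g. `/* safe: gui_key_unbind() removed only ptr_key, never its successor */`, or asserting it in gui_key_unbind. The enclosing function starts and ends outside this hunk.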