# HG changeset patch
# User William Astle
# Date 1426363573 21600
# Node ID 12e2453f8417f4d75b27894aab522a410f3c606d
# Parent 48b1cc3991d80797e1b4003feb7f55efc4e9706c
Fix potential memory access after free in lw_expr_simplify_go()
Thanks to Erik Gavriluk (erik@bombfactory.com) for spotting a missing "else" when attempting to resolve a "special" reference. This could have led to access to memory that had already been freed if a "special" resolved to an expression that also referenced the same special (a circular reference). Whether that can actually happen is questionable but the check must have been added for a reason so it follows that it should be done correctly. This also brings the code in line with similar code resolving symbol references which makes a similar check.
diff -r 48b1cc3991d8 -r 12e2453f8417 lwlib/lw_expr.c
--- a/lwlib/lw_expr.c Sun Nov 09 12:23:00 2014 -0700
+++ b/lwlib/lw_expr.c Sat Mar 14 14:06:13 2015 -0600
@@ -577,7 +577,7 @@
 te = evaluate_special(E -> value, E -> value2, priv);
 if (lw_expr_contains(te, E))
 lw_expr_destroy(te);
- if (te)
+ else if (te)
 {
 for (o = E -> operands; o; o = o -> next)
 lw_expr_destroy(o -> p);
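Review bot: `lw_expr_contains(te, E)` is evaluated before the new `else if (te)` ever tests `te` for NULL, so if evaluate_special can return NULL (which the existing `if (te)` guard suggests) lw_expr_contains receives a NULL pointer; whether that is safe depends on lw_expr_contains, which is not visible here. Checking first removes the question: `if (te && lw_expr_contains(te, E))`. In the circular-reference branch `te` is also left dangling after `lw_expr_destroy(te)`; writing `{ lw_expr_destroy(te); te = NULL; }` would make any later read of `te` in lw_expr_simplify_go() fail loudly instead of touching freed memory. The enclosing function starts and ends outside the hunk.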