changeset 342:12e2453f8417

Fix potential memory access after free in lw_expr_simplify_go()

Thanks to Erik Gavriluk (erik@bombfactory.com) for spotting a missing "else" when attempting to resolve a "special" reference. This could have led to access to memory that had already been freed if a "special" resolved to an expression that also referenced the same special (a circular reference). Whether that can actually happen is questionable but the check must have been added for a reason so it follows that it should be done correctly. This also brings the code in line with similar code resolving symbol references which makes a similar check.

author William Astle <lost@l-w.ca>
date Sat, 14 Mar 2015 14:06:13 -0600
parents 48b1cc3991d8
children 98f3e016cfd8
files lwlib/lw_expr.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/lwlib/lw_expr.c	Sun Nov 09 12:23:00 2014 -0700
+++ b/lwlib/lw_expr.c	Sat Mar 14 14:06:13 2015 -0600
@@ -577,7 +577,7 @@
 		te = evaluate_special(E -> value, E -> value2, priv);
 		if (lw_expr_contains(te, E))
 			lw_expr_destroy(te);
-		if (te)
+		else if (te)
 		{
 			for (o = E -> operands; o; o = o -> next)
 				lw_expr_destroy(o -> p);
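
Review bot: at `if (lw_expr_contains(te, E))`, `te` is passed to `lw_expr_contains()` before the `else if (te)` null check, so the call depends on `lw_expr_contains()` (and on `lw_expr_destroy()` if it ever returns true for a null argument) tolerating a NULL expression; testing `te` first would make that explicit instead of implicit. In the circular branch, `te` still holds the freed pointer after `lw_expr_destroy(te);`, so assigning `te = NULL` there would protect any later use of `te` in the part of the function this hunk does not show. Braces around both branches and a one-line comment naming the circular-reference case would make it harder for the `else` to be dropped again.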