From 5388e5f7eed8f145493e221e3349c150e6081246 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Fri, 22 Apr 2022 15:19:25 +0100 Subject: [PATCH] Fix use-after-free in locale-based stripctrl. We call setlocale() at the start of the function to get the current LC_CTYPE locale, then set it to what we need during the function, and then call setlocale() at the end to put it back again. But the middle call is allowed to invalidate the pointer returned from the first, so we have to save it in our own allocated storage until the end of the function. This bit me during development just now, and I was surprised that it hadn't come up before! But I suppose this is one of those things that's only _allowed_ to fail, and need not in all circumstances - perhaps it depends on what your LC_CTYPE was set to before. --- utils/stripctrl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/utils/stripctrl.c b/utils/stripctrl.c index 58289b10..d723a079 100644 --- a/utils/stripctrl.c +++ b/utils/stripctrl.c @@ -305,7 +305,7 @@ static void stripctrl_locale_BinarySink_write( container_of(sccpub, StripCtrlCharsImpl, public); const char *p = (const char *)vp; - const char *previous_locale = setlocale(LC_CTYPE, NULL); + char *previous_locale = dupstr(setlocale(LC_CTYPE, NULL)); setlocale(LC_CTYPE, ""); /* @@ -391,6 +391,7 @@ static void stripctrl_locale_BinarySink_write( out: setlocale(LC_CTYPE, previous_locale); + sfree(previous_locale); } static void stripctrl_term_BinarySink_write(