nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Fix use-after-free in locale-based stripctrl.

Browse Source 
We call setlocale() at the start of the function to get the current
LC_CTYPE locale, then set it to what we need during the function, and
then call setlocale() at the end to put it back again. But the middle
call is allowed to invalidate the pointer returned from the first, so
we have to save it in our own allocated storage until the end of the
function.

This bit me during development just now, and I was surprised that it
hadn't come up before! But I suppose this is one of those things
that's only _allowed_ to fail, and need not in all circumstances -
perhaps it depends on what your LC_CTYPE was set to before.
This commit is contained in:
Simon Tatham 2022-04-22 15:19:25 +01:00
parent bc7e06c494
commit 5388e5f7ee
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
utils/stripctrl.c
View File

@ -305,7 +305,7 @@ static void stripctrl_locale_BinarySink_write(
container_of(sccpub, StripCtrlCharsImpl, public);
const char *p = (const char *)vp;
const char *previous_locale = setlocale(LC_CTYPE, NULL);
char *previous_locale = dupstr(setlocale(LC_CTYPE, NULL));
setlocale(LC_CTYPE, "");
/*
@ -391,6 +391,7 @@ static void stripctrl_locale_BinarySink_write(
out:
setlocale(LC_CTYPE, previous_locale);
sfree(previous_locale);
}
static void stripctrl_term_BinarySink_write(