Fix use-after-free in locale-based stripctrl.
We call setlocale() at the start of the function to get the current LC_CTYPE locale, then set it to what we need during the function, and then call setlocale() at the end to put it back again. But the middle call is allowed to invalidate the pointer returned from the first, so we have to save it in our own allocated storage until the end of the function. This bit me during development just now, and I was surprised that it hadn't come up before! But I suppose this is one of those things that's only _allowed_ to fail, and need not in all circumstances - perhaps it depends on what your LC_CTYPE was set to before.
parent
bc7e06c494
commit
5388e5f7ee
@ -305,7 +305,7 @@ static void stripctrl_locale_BinarySink_write(
|
||||
container_of(sccpub, StripCtrlCharsImpl, public);
|
||||
const char *p = (const char *)vp;
|
||||
|
||||
const char *previous_locale = setlocale(LC_CTYPE, NULL);
|
||||
char *previous_locale = dupstr(setlocale(LC_CTYPE, NULL));
|
||||
setlocale(LC_CTYPE, "");
|
||||
|
||||
/*
|
||||
@ -391,6 +391,7 @@ static void stripctrl_locale_BinarySink_write(
|
||||
|
||||
out:
|
||||
setlocale(LC_CTYPE, previous_locale);
|
||||
sfree(previous_locale);
|
||||
}
|
||||
|
||||
static void stripctrl_term_BinarySink_write(
|
||||
|
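Review bot: The new `dupstr` copy in the first hunk has no comment saying why it is needed, so a later cleanup could reasonably revert it to the raw `setlocale` return value and reintroduce the use-after-free; I would add `/* A later setlocale() call may invalidate this pointer, so keep our own copy until we restore it at 'out'. */` above the declaration. The body of `stripctrl_locale_BinarySink_write` between the two hunks is not shown, so it is worth confirming that every exit goes through `out:`, since an early return would now leak the copy as well as leave LC_CTYPE changed. `setlocale` can also return a null pointer; whether `dupstr` accepts one is not visible here, and if it does, the call at `out:` would become a query rather than a restore.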