adjbuf minlen error in cat, resulting in NULL pbuf.

use-after-free issue with tempfree(x)
author: ozan yigit <ozan.yigit@gmail.com> 2022-09-12 10:44:17 -0400
committer: ozan yigit <ozan.yigit@gmail.com> 2022-09-12 10:44:17 -0400
commit: 994f5f0c289bac7791be212a1e5aae9ff4c6cc06 (patch)
tree: deea0e8e51f0ed0594cf55484c4cb1ed90267e3f
parent: 30791e0f686010b39c1ab2121df85da180960d53 (diff)
download: one-true-awk-994f5f0c289bac7791be212a1e5aae9ff4c6cc06.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/run.c b/run.c
index d753e42..483b9d9 100644
--- a/run.c
+++ b/run.c
@@ -1197,16 +1197,17 @@ Cell *cat(Node **a, int q)	/* a[0] cat a[1] */
 
 	x = execute(a[0]);
 	n1 = strlen(getsval(x));
-	adjbuf(&s, &ssz, n1, recsize, 0, "cat1");
+	adjbuf(&s, &ssz, n1 + 1, recsize, 0, "cat1");
 	memcpy(s, x->sval, n1);
 
+	tempfree(x);
+
 	y = execute(a[1]);
 	n2 = strlen(getsval(y));
 	adjbuf(&s, &ssz, n1 + n2 + 1, recsize, 0, "cat2");
 	memcpy(s + n1, y->sval, n2);
 	s[n1 + n2] = '\0';
 
-	tempfree(x);
 	tempfree(y);
 
 	z = gettemp();
author	ozan yigit <ozan.yigit@gmail.com>	2022-09-12 10:44:17 -0400
committer	ozan yigit <ozan.yigit@gmail.com>	2022-09-12 10:44:17 -0400
commit	994f5f0c289bac7791be212a1e5aae9ff4c6cc06 (patch)
tree	deea0e8e51f0ed0594cf55484c4cb1ed90267e3f
parent	30791e0f686010b39c1ab2121df85da180960d53 (diff)
download	one-true-awk-994f5f0c289bac7791be212a1e5aae9ff4c6cc06.tar.gz