summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog7
-rw-r--r--grammar/rainerscript.c2
2 files changed, 8 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 6e789015..7136d46a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+- bugfix: potential segfault due to invalid param handling in comparisons
+ This could happen in RainerScript comparisons (like contains); in some
+ cases an unitialized variable was accessed, which could lead to an
+ invalid free and in turn to a segfault.
+ Closes: http://bugzilla.adiscon.com/show_bug.cgi?id=372
+ Thanks to Georgi Georgiev for reporting this bug and his great help
+ in solving it.
----------------------------------------------------------------------------
Version 7.2.1 [v7-stable] 2012-10-29
- bugfix: ruleset()-object did only support a single statement
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 733ebef4..2420ef31 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -1231,7 +1231,7 @@ evalStrArrayCmp(es_str_t *estr_l, struct cnfarray* ar, int cmpop)
#define FREE_TWO_STRINGS \
if(bMustFree) es_deleteStr(estr_r); \
- if(expr->r->nodetype != 'A' && r.datatype == 'S') es_deleteStr(r.d.estr); \
+ if(expr->r->nodetype != 'S' && expr->r->nodetype != 'A' && r.datatype == 'S') es_deleteStr(r.d.estr); \
if(bMustFree2) es_deleteStr(estr_l); \
if(l.datatype == 'S') es_deleteStr(l.d.estr)
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-21 13:44:44 +0000