From 275230ceb1b09d2d62e436bd06e6a04a295d3a4d Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Thu, 8 Nov 2012 10:55:52 +0100
Subject: bugfix: potential segfault due to invalid param handling in comparisons
This could happen in RainerScript comparisons (like contains); in some cases an unitialized variable was accessed, which could lead to an invalid free and in turn to a segfault. Closes: http://bugzilla.adiscon.com/show_bug.cgi?id=372 Thanks to Georgi Georgiev for reporting this bug and his great help in solving it.
---
 ChangeLog | 7 +++++++
 grammar/rainerscript.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6e789015..7136d46a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+- bugfix: potential segfault due to invalid param handling in comparisons
+ This could happen in RainerScript comparisons (like contains); in some
+ cases an unitialized variable was accessed, which could lead to an
+ invalid free and in turn to a segfault.
+ Closes: http://bugzilla.adiscon.com/show_bug.cgi?id=372
+ Thanks to Georgi Georgiev for reporting this bug and his great help
+ in solving it.
 ----------------------------------------------------------------------------
 Version 7.2.1 [v7-stable] 2012-10-29
 - bugfix: ruleset()-object did only support a single statement
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 733ebef4..2420ef31 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -1231,7 +1231,7 @@ evalStrArrayCmp(es_str_t *estr_l, struct cnfarray* ar, int cmpop)
 #define FREE_TWO_STRINGS \
 if(bMustFree) es_deleteStr(estr_r); \
-if(expr->r->nodetype != 'A' && r.datatype == 'S') es_deleteStr(r.d.estr); \
+if(expr->r->nodetype != 'S' && expr->r->nodetype != 'A' && r.datatype == 'S') es_deleteStr(r.d.estr); \
 if(bMustFree2) es_deleteStr(estr_l); \
 if(l.datatype == 'S') es_deleteStr(l.d.estr)
-- 
cgit v1.2.3
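Review bot: The added `expr->r->nodetype != 'S'` test in FREE_TWO_STRINGS makes the macro carry a second copy of the list of node types for which `r` is never populated ('S' and 'A'), so any future nodetype that also bypasses evaluating the right operand into `r` would reintroduce the same free of an uninitialized `r.d.estr` that the commit message describes. The sturdier fix is to initialize `r.datatype` (and `l.datatype`) to a value other than 'S' where they are declared in each caller and then gate the free on `r.datatype == 'S'` alone; those declarations are outside this hunk, so I cannot tell whether that is already the case. Either way the macro deserves a comment explaining the exclusion, e.g. `/* r is only filled in when the right operand is evaluated; string ('S') and array ('A') nodes are used directly via estr_r/ar, so r.d.estr must not be freed for them */`. The macro also expands to several bare `if` statements with no `do { ... } while (0)` wrapper, so a `FREE_TWO_STRINGS;` placed under an unbraced `if` would guard only the first free.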