When processing a TEP_PRINT_OP type arg, the original arg was copied to the left arg and resets itself. But it misses resetting the right in some places and it could result in a use-after-free. A fuzzer test found out that something like below can trigger it print fmt: "", c * ((3 * t)[ At the time it sees the "[" token, the arg would have like arg->type = TEP_PRINT_OP arg->op.op = "*" arg->op.left = (arg of 3) arg->op.right = (arg of t) and it creates a new left and copies the contents. Also it resets itself with arg->op.op = "[" arg->op.left = (new left) But it can have the same arg->op.right if the process_array() fails before setting it. It should reset the right pointer as it passed the ownership before. The same thing can happen for process_cond(). Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx> --- src/event-parse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/event-parse.c b/src/event-parse.c index 8b839cb..8f4fb59 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -2317,6 +2317,7 @@ process_op(struct tep_event *event, struct tep_print_arg *arg, char **tok) arg->type = TEP_PRINT_OP; arg->op.op = token; arg->op.left = left; + arg->op.right = NULL; arg->op.prio = 0; /* it will set arg->op.right */ @@ -2422,6 +2423,7 @@ process_op(struct tep_event *event, struct tep_print_arg *arg, char **tok) arg->type = TEP_PRINT_OP; arg->op.op = token; arg->op.left = left; + arg->op.right = NULL; arg->op.prio = 0; -- 2.36.1.255.ge46751e96f-goog
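Review bot: in the first hunk (@@ -2317), the added `arg->op.right = NULL;` is correct but the existing comment `/* it will set arg->op.right */` now sits below the reset rather than next to it; consider moving the comment onto the reset line (e.g. `arg->op.right = NULL; /* ownership moved to left; process_array() sets it */`) so a reader does not take the NULL store as redundant. The fix also depends on the error path that frees `arg` after process_array() fails tolerating a NULL `op.right`; that path is not in this hunk, so please confirm it does, otherwise the double free simply becomes a different failure.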
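Review bot: the second hunk (@@ -2422) duplicates the same five-line re-initialization sequence (`type`, `op.op`, `op.left`, `op.right`, `op.prio`) as the first, and this duplication is exactly how the missing right reset slipped through; consider a small helper that moves the current arg into a new left and resets all of `op` in one place, so a third copy of the pattern cannot omit the reset again. Also, the commit message attributes the second site to process_cond(), while both hunk headers show the context as process_op(); please reword the message to say that process_op() resets the arg before calling process_array() and process_cond() respectively, so the description matches the lines actually changed.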