On Mon, 6 Jun 2022 12:58:59 -0700
Namhyung Kim <namhyung@xxxxxxxxxx> wrote:

> When processing a TEP_PRINT_OP type arg, the original arg is copied
> to the left arg and then resets itself. But it misses resetting the right
> in some places and it could result in a use-after-free.
>
> A fuzzer test found out that something like below can trigger it
>
>   print fmt: "", c * ((3 * t)[
>
> At the time it sees the "[" token, the arg would look like
>
>   arg->type = TEP_PRINT_OP
>   arg->op.op = "*"
>   arg->op.left = (arg of 3)
>   arg->op.right = (arg of t)
>
> and it creates a new left and copies the contents. Also it resets
> itself with
>
>   arg->op.op = "["
>   arg->op.left = (new left)
>
> But it can have the same arg->op.right if the process_array() fails
> before setting it. It should reset the right pointer as it passed the
> ownership before. The same thing can happen for process_cond().
>
> Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx>
> ---
>  src/event-parse.c | 2 ++
>  1 file changed, 2 insertions(+)

Applied. Thanks Namhyung!

-- Steve
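The ownership hand-off the commit message describes, as an added C model written for this thread (not libtraceevent's own code; the struct, `become_parent` and `simulate_bracket_failure` are constructed for the illustration): the current node moves its contents into a new left child, so the old right operand now belongs to that child, and a failed `[` parse then tears the partial tree down.

```c
#include <stddef.h>

/* Minimal model of a print-arg tree node (constructed for this
 * illustration, not the library's real struct). */
enum arg_type { ARG_ATOM, ARG_OP };

struct arg {
    enum arg_type type;
    const char *op;           /* operator token for ARG_OP nodes */
    struct arg *left, *right; /* owned children */
};

/* Tracks how often one watched node is released: a count of 2 is a double free. */
static const struct arg *watched;
static int watched_frees;

/* Recursive teardown: an op node releases both children it owns. */
static void free_arg(struct arg *a)
{
    if (!a)
        return;
    if (a == watched)
        watched_frees++;
    if (a->type == ARG_OP) {
        free_arg(a->left);
        free_arg(a->right);
    }
}

/* On a new operator token such as "[", the current node becomes the parent:
 * its old contents move into new_left, which now owns the old right operand.
 * clear_right selects the fixed behaviour (right pointer reset after the move). */
static void become_parent(struct arg *a, struct arg *new_left, const char *token, int clear_right)
{
    *new_left = *a;
    a->op = token;
    a->left = new_left;
    if (clear_right)
        a->right = NULL;
}

/* Models "c * ((3 * t)[" where the "[" parse fails before a->right is set,
 * so the caller frees the partial tree. Returns how many times the old right
 * operand (t) was released: 1 is correct, 2 is the double-free path. */
int simulate_bracket_failure(int clear_right)
{
    struct arg three = { ARG_ATOM, "3", NULL, NULL };
    struct arg t = { ARG_ATOM, "t", NULL, NULL };
    struct arg cur = { ARG_OP, "*", &three, &t };
    struct arg new_left;

    watched = &t;
    watched_frees = 0;
    become_parent(&cur, &new_left, "[", clear_right);
    /* the array parse fails here, before cur.right is assigned */
    free_arg(&cur);
    return watched_frees;
}
```

Running the model with `clear_right` set returns 1; without the reset the same teardown releases `t` twice, which is the path the patch closes.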