patch 9.0.2117: [security] use-after-free in qf_free_items
Problem: [security] use-after-free in qf_free_items
Solution: only access qfpnext, if it hasn't been freed
Coverity discovered a possible use-after-free in qf_free_items. When
freeing the qfline items, we may access freed memory when qfp ==
qfpnext.
So only access qfpnext when it hasn't been freed.
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/quickfix.c b/src/quickfix.c
index 207331f..dd681ca 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -4000,8 +4000,9 @@
// to avoid crashing when it's wrong.
// TODO: Avoid qf_count being incorrect.
qfl->qf_count = 1;
+ else
+ qfl->qf_start = qfpnext;
}
- qfl->qf_start = qfpnext;
--qfl->qf_count;
}
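Review bot: the condition that guards the new `else` at the top of the hunk is outside the shown context, so the hunk alone does not make clear why `qfl->qf_start = qfpnext;` is now skipped on the first branch; a one-line comment beside the `else` (for example: `// qfpnext may already be freed when qfp == qfpnext; leave qf_start alone`) would tie the code to the description. Also worth documenting: in the branch that sets `qfl->qf_count = 1;`, `qf_start` keeps its old value and `--qfl->qf_count;` then brings the count to 0, so the list is only safe as long as nothing dereferences `qf_start` while `qf_count == 0`; stating that invariant next to the existing `// TODO: Avoid qf_count being incorrect.` line would help the next person touching this code.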