From 5f076e9e0510e04f1826946356e444ccff16f418 Mon Sep 17 00:00:00 2001
From: Andreas Mohr
Date: Wed, 25 Nov 2015 16:55:47 +0000
Subject: [PATCH] Ticket #3567: fix heap-use-after-free bug when accessing already freed widget object

Accessing widget object (at g_array_index loop) which was freed already (item->quick_widget->u.input.label before at loop).

Signed-off-by: Andreas Mohr
Signed-off-by: Andrew Borodin
---
 lib/widget/quick.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/lib/widget/quick.c b/lib/widget/quick.c
index a47a59cc2a..3d24bae88d 100644
--- a/lib/widget/quick.c
+++ b/lib/widget/quick.c
@@ -181,6 +181,7 @@ quick_dialog_skip (quick_dialog_t * quick_dlg, int nskip)
 quick_widget_t *quick_widget;
 WGroupbox *g = NULL;
 WDialog *dd;
+ GList *input_labels = NULL; /* Widgets not directly requested by the user. */
 int return_val;
 len = str_term_width1 (I18N (quick_dlg->title)) + 6;
@@ -235,7 +236,10 @@ quick_dialog_skip (quick_dialog_t * quick_dlg, int nskip)
 *quick_widget->u.input.result = NULL;
 y++;
 if (quick_widget->u.input.label_location != input_label_none)
+ {
 quick_create_labeled_input (widgets, &y, x, quick_widget, &width);
+ input_labels = g_list_prepend (input_labels, quick_widget->u.input.label);
+ }
 else
 {
 item.widget = WIDGET (quick_create_input (y, x, quick_widget));
@@ -606,16 +610,7 @@ quick_dialog_skip (quick_dialog_t * quick_dlg, int nskip)
 dlg_destroy (dd);
- /* destroy input labels created before */
- for (i = 0; i < widgets->len; i++)
- {
- quick_widget_item_t *item;
-
- item = &g_array_index (widgets, quick_widget_item_t, i);
- if (item->quick_widget->widget_type == quick_input)
- g_free (item->quick_widget->u.input.label);
- }
-
+ g_list_free_full (input_labels, g_free); /* destroy input labels created before */
 g_array_free (widgets, TRUE);
 return return_val;
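Review bot: Ownership of the label descriptor changes hands at the added `g_list_prepend` in the hunk at new line 236, but nothing on that line says so. A short comment such as `/* input_labels owns the label descriptor; it is freed exactly once, after dlg_destroy () */` would state the single-owner rule that the use-after-free violated. The line also relies on `quick_create_labeled_input` always leaving a freshly allocated pointer in `quick_widget->u.input.label`; that function is outside the hunk, so this should be confirmed, because a value left over from an earlier run of the same descriptor would be freed a second time. The body between this hunk and the cleanup is not shown, so any early exit from `quick_dialog_skip` in that stretch would leak the list.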
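Review bot: After `g_list_free_full (input_labels, g_free)` in the hunk at new line 610, the freed label descriptors are still referenced from `quick_widget->u.input.label`, and from the `widgets` items until `g_array_free` on the next line. The stale pointer from the ticket therefore survives the call; it is only no longer read. Nothing in the visible lines dereferences it afterwards, but if the descriptors behind `quick_dlg` outlive the call (presumably they are caller-owned; confirm), clearing the field would turn a later misuse into a NULL dereference instead of a heap use-after-free. One way is to record the owning descriptor in the earlier hunk and free through it, as sketched below. The function body starts outside this hunk.

```c
/* hunk at new line 236: remember the owning descriptor, not the label itself */
input_labels = g_list_prepend (input_labels, quick_widget);

/* … unchanged: dialog run, result collection, dlg_destroy (dd) … */

/* destroy input labels created before and clear the now-stale references */
{
    GList *l;

    for (l = input_labels; l != NULL; l = g_list_next (l))
    {
        quick_widget_t *owner = (quick_widget_t *) l->data;

        g_free (owner->u.input.label);
        owner->u.input.label = NULL;
    }
    g_list_free (input_labels);
}
g_array_free (widgets, TRUE);
```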