From 78c87b3f3b359fac5401f81a86dd9e2f5968220e Mon Sep 17 00:00:00 2001 From: Pino Toscano Date: Thu, 19 Jul 2018 15:43:21 +0200 Subject: [PATCH] * src/augtool.c: fix access to invalid memory When stripping the context from the result, readline_path_generator used to realloc the string to a shorter size, copying only the content after the prefix. This resulted in reading with strcpy from the previous memory, which is freed already. Avoid the issue, and simplify the code by using strdup, freeing the old string. This issue could be reproduced in augtool, trying to autocomplete files without the /files prefix, e.g.: augtool> ls (cherry picked from commit 05b5784b2029f198ea486738d33fb7b49ef23eb8)
---
 src/augtool.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/augtool.c b/src/augtool.c
index ff097bd9..2745812c 100644
--- a/src/augtool.c
+++ b/src/augtool.c
@@ -153,15 +153,13 @@ static char *readline_path_generator(const char *text, int state) {
 /* strip off context if the user didn't give it */
 if (ctx != NULL) {
- char *c = realloc(child, strlen(child)-strlen(ctx)+1);
- if (c == NULL) {
- free(child);
- return NULL;
- }
 int ctxidx = strlen(ctx);
 if (child[ctxidx] == SEP)
 ctxidx++;
- strcpy(c, &child[ctxidx]);
+ char *c = strdup(&child[ctxidx]);
+ free(child);
+ if (c == NULL)
+ return NULL;
 child = c;
 }
-- 2.17.2
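Review bot: `child[ctxidx]` and the new `strdup(&child[ctxidx])` index `child` at `strlen(ctx)` with no visible check that `child` is at least that long or actually begins with `ctx`, so a shorter or unrelated `child` would be read past its terminator. That guarantee may be established earlier in readline_path_generator, whose body starts and ends outside this hunk, but the strip is cheap to make self-checking by changing the guard to `if (ctx != NULL && strncmp(child, ctx, strlen(ctx)) == 0) {`, which leaves `child` untouched when the prefix is absent. Separately, `int ctxidx = strlen(ctx);` narrows a `size_t` to `int`; `size_t ctxidx` would match its use as an index.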