lexer: Fix use-after-free error in lex_source_get_lookahead().

This code used local variable 'out' as if its value stayed the same from
one iteration of the loop to the next, but in fact its scope meant that
it became indeterminate on each new iteration.  This commit fixes the
problem by moving its declaration to an outer scope.

Thanks to John Darrington for reporting the problem.

diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c
index 6d9aec843ab80e94c197a8a7ee825b0e180bf2c1..2e6232afdc4ab6bee345ac0a2238e99d28ff6503 100644 (file)
--- a/src/language/lexer/lexer.c
+++ b/src/language/lexer/lexer.c
@@ -1952,6 +1952,7 @@ static bool
 lex_source_get_lookahead (struct lex_source *src)
 {
   struct merger m = MERGER_INIT;
+  struct token out;
   for (size_t i = 0; ; i++)
     {
       while (lex_stage_count (&src->merge) <= i && !lex_source_get_merge (src))
@@ -1963,7 +1964,6 @@ lex_source_get_lookahead (struct lex_source *src)
           return false;
         }
 
-      struct token out;
       int retval = merger_add (&m, &lex_stage_nth (&src->merge, i)->token,
                                &out);
       if (!retval)