From: Ben Pfaff Date: Sun, 26 Sep 2021 18:06:45 +0000 (-0700) Subject: lexer: Fix use-after-free error in lex_source_get_lookahead(). X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?p=pspp;a=commitdiff_plain;h=a91180ce13a1d95abed44b0c3cc12c94981bb5d6 lexer: Fix use-after-free error in lex_source_get_lookahead(). This code used local variable 'out' as if its value stayed the same from one iteration of the loop to the next, but in fact its scope meant that it became indeterminate on each new iteration. This commit fixes the problem by moving its declaration to an outer scope. Thanks to John Darrington for reporting the problem. --- diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c index 6d9aec843a..2e6232afdc 100644 --- a/src/language/lexer/lexer.c +++ b/src/language/lexer/lexer.c @@ -1952,6 +1952,7 @@ static bool lex_source_get_lookahead (struct lex_source *src) { struct merger m = MERGER_INIT; + struct token out; for (size_t i = 0; ; i++) { while (lex_stage_count (&src->merge) <= i && !lex_source_get_merge (src)) @@ -1963,7 +1964,6 @@ lex_source_get_lookahead (struct lex_source *src) return false; } - struct token out; int retval = merger_add (&m, &lex_stage_nth (&src->merge, i)->token, &out); if (!retval)
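Review bot: in the first hunk, the new function-scope `struct token out;` is declared without an initializer, right below `struct merger m = MERGER_INIT;`, and nothing at the declaration says why it sits outside the loop. Add a one-line comment stating that `out` has to keep its value from one iteration of the `for` loop to the next for `merger_add`, so that a later cleanup does not move it back into the loop body. If the token type has a defined empty value, initialize `out` to it, so that no read before the first write sees an indeterminate value.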
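Review bot: the patch changes only src/language/lexer/lexer.c, so the multi-iteration path through the `merger_add (&m, ..., &out)` call in the second hunk has no regression test. The old block-scope declaration can appear to work when the compiler reuses the same stack slot on each iteration, so add a lexer test whose input takes the loop past its first iteration and run it under a memory checker. Also, the subject line says "use-after-free" while the description is about a block-scope variable becoming indeterminate, so consider rewording the subject to match.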