From a91180ce13a1d95abed44b0c3cc12c94981bb5d6 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Sun, 26 Sep 2021 11:06:45 -0700
Subject: [PATCH] lexer: Fix use-after-free error in lex_source_get_lookahead().
This code used local variable 'out' as if its value stayed the same from one iteration of the loop to the next, but in fact its scope meant that it became indeterminate on each new iteration. This commit fixes the problem by moving its declaration to an outer scope. Thanks to John Darrington for reporting the problem.
---
 src/language/lexer/lexer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/language/lexer/lexer.c b/src/language/lexer/lexer.c
index 6d9aec843a..2e6232afdc 100644
--- a/src/language/lexer/lexer.c
+++ b/src/language/lexer/lexer.c
@@ -1952,6 +1952,7 @@ static bool
 lex_source_get_lookahead (struct lex_source *src)
 {
 struct merger m = MERGER_INIT;
+ struct token out;
 for (size_t i = 0; ; i++)
 {
 while (lex_stage_count (&src->merge) <= i && !lex_source_get_merge (src))
@@ -1963,7 +1964,6 @@ lex_source_get_lookahead (struct lex_source *src)
 return false;
 }
- struct token out;
 int retval = merger_add (&m, &lex_stage_nth (&src->merge, i)->token, &out);
 if (!retval)
--
2.30.2
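Review bot: The relocated `struct token out;` at the top of lex_source_get_lookahead() has no comment explaining why it sits outside the `for` loop, so a later cleanup that narrows its scope again would silently reintroduce the bug this commit fixes. I would put a comment above it such as `/* Declared outside the loop: its value must survive from one iteration to the next. */`; that wording follows the commit message, because the code that reads `out` lies outside both hunks. `out` is also still uninitialized at its declaration, so it is worth confirming in the unseen part of the body that merger_add() always writes it before any path reads it. Because the old code read a stack object after its lifetime had ended, running the lexer tests under AddressSanitizer, which reports stack-use-after-scope, would help catch a regression of this kind.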