blob: adbaaf0d026fbfd8d64ca847e3eac7f6196ad448 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From 05a7e9e3f647cf77c2782f8f24b05a8d37117ccc Mon Sep 17 00:00:00 2001
From: joveeater <joveasarus@gmail.com>
Date: Sat, 27 Jan 2024 10:39:58 +0000
Subject: [PATCH] fix: uaf in safe references (#4165)
* Fixes a uaf in safe references
* style(autofix.ci): automated formatting
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
---
src/safe_reference.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/safe_reference.h b/src/safe_reference.h
index 7334885bc67..552aeb6e300 100644
--- a/src/safe_reference.h
+++ b/src/safe_reference.h
@@ -154,6 +154,7 @@ class safe_reference
} else {
rec->mem_count--;
rec = rec->target.redirect;
+ rec->mem_count++;
}
}
}
@@ -368,13 +369,12 @@ class safe_reference
if( sec_rec->id == ID_NONE ) {
sec_rec->id = REDIRECTED_MASK;
sec_rec->target.redirect = pri_rec;
- }
-
- //They both have an id
- if( pri_rec->id != ID_NONE && sec_rec->id != ID_NONE ) {
+ pri_rec->mem_count++;
+ } else {
//This is the worse case, we actually need a redirect
sec_rec->id = sec_rec->id | REDIRECTED_MASK;
sec_rec->target.redirect = pri_rec;
+ pri_rec->mem_count++;
}
}
--
2.43.0
|