path: root/hotfix-04_fix-uaf-in-safe-references-4165.patch
blob: adbaaf0d026fbfd8d64ca847e3eac7f6196ad448 (plain)
From 05a7e9e3f647cf77c2782f8f24b05a8d37117ccc Mon Sep 17 00:00:00 2001
From: joveeater <joveasarus@gmail.com>
Date: Sat, 27 Jan 2024 10:39:58 +0000
Subject: [PATCH] fix: uaf in safe references (#4165)

* Fixes a uaf in safe references

* style(autofix.ci): automated formatting

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
---
 src/safe_reference.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/safe_reference.h b/src/safe_reference.h
index 7334885bc67..552aeb6e300 100644
--- a/src/safe_reference.h
+++ b/src/safe_reference.h
@@ -154,6 +154,7 @@ class safe_reference
                 } else {
                     rec->mem_count--;
                     rec = rec->target.redirect;
+                    rec->mem_count++;
                 }
             }
         }
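Review bot: The added `rec->mem_count++` in the else branch carries no comment stating the invariant it restores: a reference that hops from a redirecting record to `rec->target.redirect` has to hold its own count on the target, otherwise the target can be released while this reference still points at it. A one-line comment such as `// we now point at the redirect target, so hold a count on it` would keep a later cleanup from removing the line again. The sibling branch before `} else {` lies outside this hunk; if it frees the redirecting record, it is worth confirming that it hands that record's count on the target over to this reference instead of dropping it. The enclosing function starts and ends outside the hunk.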
@@ -368,13 +369,12 @@ class safe_reference
             if( sec_rec->id == ID_NONE ) {
                 sec_rec->id = REDIRECTED_MASK;
                 sec_rec->target.redirect = pri_rec;
-            }
-
-            //They both have an id
-            if( pri_rec->id != ID_NONE && sec_rec->id != ID_NONE ) {
+                pri_rec->mem_count++;
+            } else {
                 //This is the worse case, we actually need a redirect
                 sec_rec->id = sec_rec->id | REDIRECTED_MASK;
                 sec_rec->target.redirect = pri_rec;
+                pri_rec->mem_count++;
             }
         }
 
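Review bot: Turning the second `if` into a plain `else` drops the `pri_rec->id != ID_NONE` test, so the redirect branch now runs whenever `sec_rec` has an id, whatever state `pri_rec` is in. If code above the hunk already guarantees that `pri_rec` has an id at this point, say so where the removed `//They both have an id` comment stood, e.g. `// pri_rec is known to have an id here, and so does sec_rec`, or assert it. Both branches also end in the same pair `sec_rec->target.redirect = pri_rec;` and `pri_rec->mem_count++;`, which could be hoisted below the if/else so the pointer and its count cannot drift apart in a later edit. The matching decrement, taken when a redirecting record is destroyed, is not part of this patch and should be checked, since without it the target record would never be freed.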
-- 
2.43.0