| author | Colomban Wendling <[email protected]> | 2024-09-03 16:32:35 +0200 |
|---|---|---|
| committer | Luke from DC <[email protected]> | 2024-09-03 23:51:29 +0000 |
| commit | 7ef327f6f269c7a49357e001cd41d7aaf5807749 (patch) | |
| tree | 98df9ae16ca338f365e12e0d47cc62d8383ec61a /src/parserfunc.c | |
| parent | fe495df3ec39c155eacecbfbfbdd3d6ad45c46ec (diff) | |
Fix invalid memory access with invalid powers
The ParseNode's value must be valid to pass to `free()`, as it's done
unconditionally if the expression is invalid. However, for some
functions a shortcut was taken avoiding duplicating memory. This was
OK in case the expression is valid because the evaluation function
would convert it and set the pointer back to NULL; but it's not OK if
the expression is invalid as the evaluation doesn't happen and the
pointer is not reset before being freed.
Fixes #226.
Diffstat (limited to 'src/parserfunc.c')
| -rw-r--r-- | src/parserfunc.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/src/parserfunc.c b/src/parserfunc.c
index 6f27daf..dc28e7e 100644
--- a/src/parserfunc.c
+++ b/src/parserfunc.c
@@ -230,9 +230,9 @@ pf_get_variable_with_power(ParseNode* self)
 MPNumber t = mp_new();
 MPNumber* ans = mp_new_ptr();
- pow = super_atoi(((LexerToken*) self->value)->string);
+ pow = super_atoi(self->value);
- /* No need to free the memory. It is allocated and freed somewhere else. */
+ free(self->value);
 self->value = NULL;
 if(!(self->state->get_variable))
@@ -344,10 +344,11 @@ pf_apply_func_with_power(ParseNode* self)
 set_error(self->state, PARSER_ERR_UNKNOWN_FUNCTION, self->token->string);
 return NULL;
 }
- pow = super_atoi(((LexerToken*) self->value)->string);
+ pow = super_atoi(self->value);
 mp_xpowy_integer(tmp, pow, ans);
 mp_free(val);
 mp_free(tmp);
+ free(self->value);
 self->value = NULL;
 return ans;
 }
@@ -391,11 +392,12 @@ pf_apply_func_with_npower(ParseNode* self)
 set_error(self->state, PARSER_ERR_UNKNOWN_FUNCTION, self->token->string);
 return NULL;
 }
- pow = super_atoi(((LexerToken*) self->value)->string);
+ pow = super_atoi(self->value);
 mp_xpowy_integer(tmp, -pow, ans);
 mp_free(val);
 mp_free(tmp);
 free(inv_name);
+ free(self->value);
 self->value = NULL;
 return ans;
 }
@@ -407,7 +409,8 @@ pf_do_nth_root(ParseNode* self)
 MPNumber* val;
 gint pow;
 MPNumber* ans = mp_new_ptr();
- pow = sub_atoi(((LexerToken*) self->value)->string);
+ pow = sub_atoi(self->value);
+ free(self->value);
 self->value = NULL;
 val = (MPNumber*) (*(self->right->evaluate))(self->right);
 if(!val) |
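Review bot: In pf_get_variable_with_power the removed comment was the only statement of who owns `self->value`, and the new `free(self->value);` replaces it without recording that the value is now an owned heap copy of the power string. A short comment above the free, such as `/* self->value is an owned copy of the power string; release it once converted */`, would document the contract that the allocation site has to honour. That allocation is not visible in this diff, which is limited to src/parserfunc.c, so it is also worth confirming that the copy comes from an allocator that pairs with plain `free()`. The function body continues outside the hunk.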
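Review bot: In pf_apply_func_with_power the added `free(self->value);` sits only on the success path, below the `return NULL;` taken for PARSER_ERR_UNKNOWN_FUNCTION, so on that error return `self->value` is still allocated and non-NULL; pf_apply_func_with_npower uses the same placement. The commit message says the value is freed unconditionally when the expression is invalid, but these hunks do not show whether that teardown also runs after an evaluation-time failure, so this path may leak or may depend on code elsewhere. Putting `free(self->value); self->value = NULL;` ahead of the early `return NULL;`, or converting and freeing right away as pf_get_variable_with_power and pf_do_nth_root do, would give every path the same ownership. The start of both functions is outside the hunks.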
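Review bot: The release pair in pf_do_nth_root, `free(self->value);` followed by `self->value = NULL;`, is now written out by hand in four functions, at different distances from the conversion call. A small file-local helper, for example `static void pf_release_value(ParseNode* self) { free(self->value); self->value = NULL; }`, would keep the free and the NULL reset together. A later edit could then not drop the reset and reintroduce the invalid free this commit fixes. The rest of pf_do_nth_root is outside the hunk.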
