Stale expression reference causing use-after-free

Message ID AANLkTinMZj-_neS4jNM+b6-Dk7qzVMsR6DwyX2SHk3kt@mail.gmail.com
State New, archived

Commit Message

Arnaud Lacombe Sept. 20, 2010, 2:54 a.m. UTC
None

Patch

diff --git a/scripts/kconfig/expr.c b/scripts/kconfig/expr.c
index ccd6563..e2b7f01 100644
--- a/scripts/kconfig/expr.c
+++ b/scripts/kconfig/expr.c
@@ -63,12 +59,18 @@  struct expr *expr_alloc_or(struct expr *e1, struct expr *e2)
 	return e2 ? expr_alloc_two(E_OR, e1, e2) : e1;
 }
 
+int expr_copy_nest = 0;
+
 struct expr *expr_copy(struct expr *org)
 {
 	struct expr *e;
 
-	if (!org)
-		return NULL;
+	expr_copy_nest++;
+
+	if (!org) {
+		e = NULL;
+		goto bail_out;
+	}
 
 	e = malloc(sizeof(*org));
 	memcpy(e, org, sizeof(*org));
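Review bot: The new `expr_copy_nest++` at the top of expr_copy() is balanced only by the `expr_copy_nest--` under the `bail_out:` label in the second hunk, so the count stays correct only if every path through the switch body that lies between the two hunks (not visible here) falls through to `bail_out` rather than returning directly; that body should be checked for early returns, since a drifting count would presumably undermine whatever the use-after-free diagnosis relies on. The `malloc()` on the line above is dereferenced by `memcpy()` without a check, and now that a cleanup label exists the check is cheap and keeps the counter balanced on allocation failure: `if (!e) goto bail_out;`. The counter is a new non-static global with no declaration in sight and the commit message is empty, so a one-line comment on its definition would help: `/* Depth of nested expr_copy() calls; incremented on entry, decremented at bail_out. */`. If it is only read from this file, `static` would also keep it out of the global namespace.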
@@ -97,6 +99,9 @@  struct expr *expr_copy(struct expr *org)
 		break;
 	}
 
+bail_out:
+	expr_copy_nest--;
+
 	return e;
 }