- Omar Polo <email@example.com>
- avoid possible use after free `url' may be a pointer to a string of the buffer which gets corrupted upon tab_stop. This bug shows when loadfn is load_about_url, because in make_fs_request we first tab_stop, and then send the request, which ends up sending to the fs process a free'd string. At least on OpenBSD with Otto' malloc is (partially) corrupted and will either make the fs process abort or return a not found page. One solution may be to rework make_fs_request to process things in a different order, but that would only hide the problem. Instead, use the newly created history element as url given to the loadfns: that is guaranteed to be valid up to the next load_url call. Reported by Brian Callahan, thanks!
- Patch | Tree
--- telescope.c +++ telescope.c @@ -943,7 +943,7 @@ do_load_url(struct tab *tab, const char *url, const ch strlcpy(tab->uri.port, p->port, sizeof(tab->uri.port)); - return p->loadfn(tab, url); + return p->loadfn(tab, tab->hist_cur->h); } }