commit 201077757b14041ebdf1946de3982f57b06652b0
from: Omar Polo
date: Fri Mar 19 12:57:39 2021 UTC
fix a case of use-after-free in parser_set_buf p->buf and buf almost always overlap. This means that once we free(p->buf), buf becomes invalid. It probably never crashed on memcpy since because the buffer is almost always quite small.
commit - 31753df0dc604c687f7fd962522b9032b1f354fc
commit + 201077757b14041ebdf1946de3982f57b06652b0
blob - e4e8a8cad0f95bcae2845f9672e6b231cbcbd851
blob + ade9c602f3c464de381fafd846a050bb67e1e8b7
--- parser.c
+++ parser.c
@@ -39,18 +39,23 @@ parser_append(struct parser *p, const char *buf, size_
 int
 parser_set_buf(struct parser *p, const char *buf, size_t len)
 {
- free(p->buf);
- p->buf = NULL;
+ char *tmp;
 
 if (len == 0) {
 p->len = 0;
+ free(p->buf);
+ p->buf = NULL;
 return 1;
 }
 
- if ((p->buf = calloc(1, len)) == NULL)
+ /* p->buf and buf can (and probably almost always will)
+ * overlap! */
+
+ if ((tmp = calloc(1, len)) == NULL)
 return 0;
- memcpy(p->buf, buf, len);
+ memcpy(tmp, buf, len);
+ free(p->buf);
+ p->buf = tmp;
 p->len = len;
 return 1;
 }
-
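Review bot: The new comment before the calloc states that p->buf and buf overlap but not the ordering constraint that follows from it, which is the whole point of the fix and is easy to undo in a later refactor; I would reword it to `/* buf may point into p->buf: copy into the fresh block first and only then free the old one. memcpy is safe because tmp never overlaps buf. */`. The same aliasing contract belongs on the prototype of parser_set_buf in the header, since callers are what make the overlap happen. The `len == 0` branch is fine as written because buf is never read there. On calloc failure the function now returns 0 with p->buf and p->len left untouched, which is presumably intended so the parser keeps a consistent buffer; a one-line comment stating that would make it clear the old contents are kept on purpose.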