commit 52a99c568d70787741ab72597d29960acb78c738
from: Omar Polo
date: Sat Jan 15 08:29:10 2022 UTC

avoid possible use after free

`url' may be a pointer to a string of the buffer which gets corrupted upon tab_stop. This bug shows when loadfn is load_about_url, because in make_fs_request we first tab_stop, and then send the request, which ends up sending to the fs process a free'd string. At least on OpenBSD with Otto's malloc it is (partially) corrupted and will either make the fs process abort or return a not found page.

One solution may be to rework make_fs_request to process things in a different order, but that would only hide the problem. Instead, use the newly created history element as url given to the loadfns: that is guaranteed to be valid up to the next load_url call.

Reported by Brian Callahan, thanks!

commit - 2122686bb1ab8ef51c4a4c94189be287c5512dff commit + 52a99c568d70787741ab72597d29960acb78c738 blob - 1df83839d0b7d61a919a349743632403e1dd7993 blob + 3e22d7d2696d2b5de7f3822206fbf29b0077adf0 --- telescope.c +++ telescope.c @@ -943,7 +943,7 @@ do_load_url(struct tab *tab, const char *url, const ch strlcpy(tab->uri.port, p->port, sizeof(tab->uri.port)); - return p->loadfn(tab, url); + return p->loadfn(tab, tab->hist_cur->h); } }
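
Review bot: the new `return p->loadfn(tab, tab->hist_cur->h);` line dereferences `tab->hist_cur` with no check visible in this hunk, and the lifetime rule it depends on is stated only in the commit message. Please confirm that every path reaching this return has already created and assigned the history entry, and add a short comment at the call saying that `url` must not be forwarded because it may point into a buffer that tab_stop releases, while `tab->hist_cur->h` stays valid until the next load_url call. Since `url` remains a parameter of do_load_url, it is also worth checking that nothing else in the function reads it after the point where the tab can be stopped, otherwise the same stale pointer can be reached by another route.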