Tree
- Tree:
661cd5c34f8910117dfe3dd2da615bc6cc7fbb30
- Date:
- Message:
- avoid possible use after free

  `url' may be a pointer to a string of the buffer which gets corrupted upon tab_stop. This bug shows when loadfn is load_about_url, because in make_fs_request we first tab_stop, and then send the request, which ends up sending to the fs process a free'd string. At least on OpenBSD with Otto's malloc it is (partially) corrupted and will either make the fs process abort or return a not found page.

  One solution may be to rework make_fs_request to process things in a different order, but that would only hide the problem. Instead, use the newly created history element as url given to the loadfns: that is guaranteed to be valid up to the next load_url call.

  Reported by Brian Callahan, thanks!
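The ownership rule the message describes, as an added example that is not the project's code: the URL is copied into a new history element before anything can release the caller's buffer, and the load function only ever sees the history-owned copy. The struct layouts, `dupstr`, the `sent` field and the bodies of `tab_stop`, `loadfn` and `load_url` are simplified assumptions; only the function names come from the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (assumed layout, not the project's structures). */
struct hist { char *url; };
struct tab {
	char		*buf;		/* request buffer, released by tab_stop() */
	struct hist	*hist;		/* current history element, owns its url */
	char		 sent[128];	/* stands in for the request sent to fs */
};

static char *dupstr(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	return p ? memcpy(p, s, n) : NULL;
}

static void tab_stop(struct tab *t)
{
	if (t->buf == NULL)
		return;
	memset(t->buf, 0xdf, strlen(t->buf));	/* imitate junk-on-free */
	free(t->buf);
	t->buf = NULL;
}

/* Stand-in for a loadfn that stops the tab first and sends afterwards. */
static void loadfn(struct tab *t, const char *url)
{
	tab_stop(t);
	snprintf(t->sent, sizeof(t->sent), "%s", url);
}

/* Copy first, then hand the history-owned string to the loadfn. */
static int load_url(struct tab *t, const char *url)
{
	struct hist *h = malloc(sizeof(*h));

	if (h == NULL || (h->url = dupstr(url)) == NULL) {
		free(h);
		return -1;
	}
	if (t->hist != NULL) {	/* old element was valid until this call */
		free(t->hist->url);
		free(t->hist);
	}
	t->hist = h;
	loadfn(t, h->url);	/* never `url': it may alias t->buf */
	return 0;
}
```

Passing `url` instead of `h->url` to `loadfn` reproduces the original ordering problem whenever the caller's pointer aliases `t->buf`.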