url: fix possible use-after-free in default protocol

Prior to this change if the user specified a default protocol and a separately allocated non-absolute URL was used then it was freed prematurely, before it was then used to make the replacement URL. Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219 Reported-by: arvids-kokins-bidstack@users.noreply.github.com Closes https://github.com/curl/curl/pull/6613
author: Jay Satiro <raysatiro@yahoo.com> 2021-02-16 17:13:22 -0500
committer: Jay Satiro <raysatiro@yahoo.com> 2021-02-17 16:15:11 -0500
commit: 568190f493b140e08bfab97271038f924f4ce412 (patch)
tree: 0eab78f40f17aced60bfd8735b9554477b7fa737
parent: 94719e7285bb3d63d67129e2529def8f1bf1c5a8 (diff)
download: curl-568190f493b140e08bfab97271038f924f4ce412.tar.gz
1 files changed, 4 insertions, 5 deletions
diff --git a/lib/url.c b/lib/url.c
index ae6c8e9c1..a1818466c 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1901,13 +1901,12 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 
   if(data->set.str[STRING_DEFAULT_PROTOCOL] &&
      !Curl_is_absolute_url(data->change.url, NULL, MAX_SCHEME_LEN)) {
-    char *url;
-    if(data->change.url_alloc)
-      free(data->change.url);
-    url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL],
-                  data->change.url);
+    char *url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL],
+                        data->change.url);
     if(!url)
       return CURLE_OUT_OF_MEMORY;
+    if(data->change.url_alloc)
+      free(data->change.url);
     data->change.url = url;
     data->change.url_alloc = TRUE;
   }
author	Jay Satiro <raysatiro@yahoo.com>	2021-02-16 17:13:22 -0500
committer	Jay Satiro <raysatiro@yahoo.com>	2021-02-17 16:15:11 -0500
commit	568190f493b140e08bfab97271038f924f4ce412 (patch)
tree	0eab78f40f17aced60bfd8735b9554477b7fa737
parent	94719e7285bb3d63d67129e2529def8f1bf1c5a8 (diff)
download	curl-568190f493b140e08bfab97271038f924f4ce412.tar.gz