diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2021-02-16 17:13:22 -0500 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2021-02-17 16:15:11 -0500 |
commit | 568190f493b140e08bfab97271038f924f4ce412 (patch) | |
tree | 0eab78f40f17aced60bfd8735b9554477b7fa737 /lib | |
parent | 94719e7285bb3d63d67129e2529def8f1bf1c5a8 (diff) | |
download | curl-568190f493b140e08bfab97271038f924f4ce412.tar.gz |
url: fix possible use-after-free in default protocol
Prior to this change if the user specified a default protocol and a
separately allocated non-absolute URL was used then it was freed
prematurely, before it was then used to make the replacement URL.
Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219
Reported-by: arvids-kokins-bidstack@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6613
Diffstat (limited to 'lib')
-rw-r--r-- | lib/url.c | 9 |
1 files changed, 4 insertions, 5 deletions
@@ -1901,13 +1901,12 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, if(data->set.str[STRING_DEFAULT_PROTOCOL] && !Curl_is_absolute_url(data->change.url, NULL, MAX_SCHEME_LEN)) { - char *url; - if(data->change.url_alloc) - free(data->change.url); - url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL], - data->change.url); + char *url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL], + data->change.url); if(!url) return CURLE_OUT_OF_MEMORY; + if(data->change.url_alloc) + free(data->change.url); data->change.url = url; data->change.url_alloc = TRUE; } |