From 568190f493b140e08bfab97271038f924f4ce412 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Tue, 16 Feb 2021 17:13:22 -0500
Subject: url: fix possible use-after-free in default protocol

Prior to this change if the user specified a default protocol and a separately allocated non-absolute URL was used then it was freed prematurely, before it was then used to make the replacement URL.

Bug: https://github.com/curl/curl/issues/6604#issuecomment-780138219
Reported-by: arvids-kokins-bidstack@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6613
---
 lib/url.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index ae6c8e9c1..a1818466c 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1901,13 +1901,12 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 if(data->set.str[STRING_DEFAULT_PROTOCOL] &&
 !Curl_is_absolute_url(data->change.url, NULL, MAX_SCHEME_LEN)) {
- char *url;
- if(data->change.url_alloc)
- free(data->change.url);
- url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL],
- data->change.url);
+ char *url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL],
+ data->change.url);
 if(!url)
 return CURLE_OUT_OF_MEMORY;
+ if(data->change.url_alloc)
+ free(data->change.url);
 data->change.url = url;
 data->change.url_alloc = TRUE;
 }
-- 
cgit v1.2.1
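Review bot: The position of `free(data->change.url)` in the default-protocol block is now load-bearing, but nothing in the code says so. It has to stay below the `aprintf()` call because the old string is one of that call's arguments, and below the `if(!url)` return so that on allocation failure `data->change.url` and `url_alloc` still describe a live buffer. A one-line comment above the free, such as `/* the old URL was an input to aprintf() above; release it only now */`, would keep a later tidy-up from moving it back. The diffstat lists only lib/url.c, so no regression test accompanies the fix; a case that sets a default protocol together with a separately allocated non-absolute URL, run under a memory checker, would catch a reintroduction. parseurlandfillconn() begins and continues outside this hunk.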