rs: Fix a use after free.

Using a pointer passed to realloc() after realloc() even for pointer arithmetic is UB. It also breaks in practice on CHERI systems as the updated value of 'sp' in this case would have had the bounds from the old allocation. This would be much cleaner if elem were a std::vector<char *>. Reviewed by: brooks, emaste Reported by: GCC -Wuse-after-free Differential Revision: https://reviews.freebsd.org/D36831 (cherry picked from commit e5f2d5b35e79ddf995a8a5c782a7940ca2e05fdf)
author: John Baldwin <jhb@FreeBSD.org> 2022-10-06 02:47:40 +0300
committer: John Baldwin <jhb@FreeBSD.org> 2022-11-11 21:18:54 +0300
commit: 59c1904fc214a5c883e5b6d947f0673b53c8f155 (patch)
tree: a5a1e9fffe5290930f2906170bafe035438fc8dc
parent: 068c9d3de7c95903d7827d18327219d6be02db04 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c
index 99e48194b3c7..557c5b9f56c0 100644
--- a/usr.bin/rs/rs.c
+++ b/usr.bin/rs/rs.c
@@ -38,6 +38,7 @@
 #include <err.h>
 #include <ctype.h>
 #include <limits.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -365,13 +366,15 @@ static char **
 getptrs(char **sp)
 {
 	char **p;
+	ptrdiff_t offset;
 
+	offset = sp - elem;
 	allocsize += allocsize;
 	p = (char **)realloc(elem, allocsize * sizeof(char *));
 	if (p == NULL)
 		err(1, "no memory");
 
-	sp += (p - elem);
+	sp = p + offset;
 	endelem = (elem = p) + allocsize;
 	return(sp);
 }
author	John Baldwin <jhb@FreeBSD.org>	2022-10-06 02:47:40 +0300
committer	John Baldwin <jhb@FreeBSD.org>	2022-11-11 21:18:54 +0300
commit	59c1904fc214a5c883e5b6d947f0673b53c8f155 (patch)
tree	a5a1e9fffe5290930f2906170bafe035438fc8dc
parent	068c9d3de7c95903d7827d18327219d6be02db04 (diff)