Fix use after free in File#initilialize_copy; fix #4001
The bug and the fix were reported by https://hackerone.com/pnoltof
matz committed Apr 17, 2018
1 parent fabc460 commit b51b21f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion mrbgems/mruby-io/src/io.c
Expand Up @@ -561,13 +561,13 @@ mrb_io_initialize_copy(mrb_state *mrb, mrb_value copy)
mrb_bool failed = TRUE;

mrb_get_args(mrb, "o", &orig);
fptr_orig = io_get_open_fptr(mrb, orig);
fptr_copy = (struct mrb_io *)DATA_PTR(copy);
if (fptr_copy != NULL) {
fptr_finalize(mrb, fptr_copy, FALSE);
mrb_free(mrb, fptr_copy);
}
fptr_copy = (struct mrb_io *)mrb_io_alloc(mrb);
fptr_orig = io_get_open_fptr(mrb, orig);

DATA_TYPE(copy) = &mrb_io_type;
DATA_PTR(copy) = fptr_copy;
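Review bot: `DATA_PTR(copy)` still holds the freed pointer between `mrb_free(mrb, fptr_copy)` and the later `DATA_PTR(copy) = fptr_copy`, so any call that raises in that window (the `mrb_io_alloc` call allocates and presumably can raise on failure) leaves `copy` referring to freed memory for whatever finalizes it later. Clearing it right after the free, `DATA_PTR(copy) = NULL;`, closes that window regardless of how the surrounding calls are ordered. Separately, if `orig` and `copy` are the same object, an `fptr_orig` fetched before the free is dangling afterwards; a guard such as `if (fptr_orig == fptr_copy) return copy;` ahead of the `if (fptr_copy != NULL)` block would cover that, assuming `fptr_orig` is read later in the function. The body of `mrb_io_initialize_copy` starts and ends outside this hunk, and the page has lost its `+`/`-` markers, so this note reads the earlier `io_get_open_fptr` call as the new position.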
