From 2eee100c371af36b0d766923c029aea8a424ab90 Mon Sep 17 00:00:00 2001
From: Thomas Preud'homme
Date: Fri, 16 Mar 2012 19:21:29 +0100
Subject: [PATCH] Fix use after free for linker_arg elements in linker_arg are used in TCCState structure and must thus not be freed when option parsing is finished. Declare linker_arg as a global static variable and free it after tcc_delete has been called on TCCState structure. This fix commit 7fb0482a4645d59068ccefe44a3a022b649e5a3a
---
 tcc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tcc.c b/tcc.c
index 03fac0b3..467ef880 100644
--- a/tcc.c
+++ b/tcc.c
@@ -35,6 +35,7 @@ static int do_bench = 0;
 static int gen_deps;
 static const char *deps_outfile;
 static const char *m_option;
+static char *linker_arg;
 #define TCC_OPTION_HAS_ARG 0x0001
 #define TCC_OPTION_NOSEP 0x0002 /* cannot have space before option and arg */
@@ -280,7 +281,6 @@ static int parse_args(TCCState *s, int argc, char **argv)
 const char *optarg, *p1, *r1;
 char *r;
 int was_pthread;
- char *linker_arg = NULL;
 unsigned long linker_argsize = 0;
 was_pthread = 0; /* is set if commandline contains -pthread key */
@@ -478,7 +478,6 @@ static int parse_args(TCCState *s, int argc, char **argv)
 }
 if ((r = (char *) tcc_set_linker(s, (char *)linker_arg, TRUE)))
 tcc_error("unsupported linker option '%s'", r);
- tcc_free(linker_arg);
 /* fixme: these options could be different on your platform */
 if (was_pthread && output_type != TCC_OUTPUT_OBJ) {
 dynarray_add((void ***)&files, &nb_files, "-lpthread");
@@ -611,6 +610,7 @@ int main(int argc, char **argv)
 }
 tcc_delete(s);
+ tcc_free(linker_arg);
 tcc_free(outfile);
 #ifdef MEM_DEBUG
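Review bot: The new file-scope `static char *linker_arg;` in the first hunk carries a lifetime rule that nothing at the declaration states, and it now outlives its own size counter. I would add a comment such as `/* linker option buffer; TCCState keeps pointers into it, so free only after tcc_delete() */` so that a later cleanup does not reintroduce the early free. `linker_argsize` stays a local initialised to 0 in parse_args (the hunk at -280), so the pointer and the size that describes it no longer share a lifetime. If parse_args were ever entered twice, the size would restart at 0 while the pointer still held the old allocation; whether that can produce an undersized buffer depends on the growth code outside these hunks. Declaring `static unsigned long linker_argsize;` beside the pointer would keep the two consistent.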
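Review bot: After `tcc_free(linker_arg);` in the main() hunk the file-scope pointer still holds the freed address, which leaves room for the same use-after-free class this commit fixes. The variable is now reachable from every function in tcc.c, so follow the free with `linker_arg = NULL;`. main starts and ends outside the hunk, so it is not visible whether any return path between parse_args and this cleanup skips both tcc_delete and the free; that is worth checking.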