author | Michael Budde <mbudde@gmail.com> | 2019-01-28 18:43:08 +0100 |
---|---|---|
committer | Michael Budde <mbudde@gmail.com> | 2019-01-28 18:59:16 +0100 |
commit | 96c88663ce3b74fe04d483ad453f1dff504123ff (patch) | |
tree | e6cbcb5e8be58aa5506301fe07489145671f399d | |
parent | 28c8f3bbd90d10ae52556c28460b421fd0c77168 (diff) | |

Fix use-after-free when destroying filter chain

When using the `--gain` option the `temporaries_t` in
`changed_value_posts` filter stores a reference to the `<Revalued>` temp
account created in `display_filter_posts`. When destroying the filter
chain `display_filter_posts` is destroyed before `changed_value_posts`
and this can result in a use-after-free in `temporaries_t::clear()` when
`temps` in `changed_value_posts` is cleared during destruction if there
are any temp posts referencing the `<Revalued>` account.

Fix the issue by clearing the `temporaries_t` in `changed_value_posts`
before destroying the rest of the filter chain (which includes
`display_filter_posts`).

Fixes #541

-rw-r--r-- | doc/NEWS | 2 |
-rw-r--r-- | src/filters.h | 1 |
2 files changed, 3 insertions, 0 deletions
@@ -54,6 +54,8 @@ - Fix possible stack overflow in date parsing routine (bug #1224, CVE-2017-12482) +- Fix use-after-free when using --gain (bug #541) + - Python: Removed double quotes from Unicode values. - Python: Ensure that parse errors produce useful RuntimeErrors diff --git a/src/filters.h b/src/filters.h index c1dc2e04..cf053a24 100644 --- a/src/filters.h +++ b/src/filters.h @@ -604,6 +604,7 @@ public: virtual ~changed_value_posts() { TRACE_DTOR(changed_value_posts); + temps.clear(); handler.reset(); } |
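
Review bot: In the src/filters.h hunk, the added `temps.clear();` in `~changed_value_posts()` is only safe because it runs before `handler.reset();`, and nothing in the code records that ordering requirement. A short comment above the call, saying that `temps` may hold posts referencing the `<Revalued>` account owned by `display_filter_posts` and so must be cleared before the rest of the chain is released, would keep a later cleanup from reordering or dropping it. The diffstat lists only doc/NEWS and src/filters.h, so no regression test accompanies the fix; a `--gain` case run under a memory-error detector such as AddressSanitizer would catch a reintroduction.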