From 96c88663ce3b74fe04d483ad453f1dff504123ff Mon Sep 17 00:00:00 2001
From: Michael Budde
Date: Mon, 28 Jan 2019 18:43:08 +0100
Subject: Fix use-after-free when destroying filter chain

When using the `--gain` option the `temporaries_t` in `changed_value_posts` filter stores a reference to the `` temp account created in `display_filter_posts`. When destroying the filter chain `display_filter_posts` is destroyed before `changed_value_posts` and this can result in a use-after-free in `temporaries_t::clear()` when `temps` in `changed_value_posts` is cleared during destruction if there are any temp posts referencing the `` account.

Fix the issue by clearing the `temporaries_t` in `changed_value_posts` before destroying the rest of the filter chain (which includes `display_filter_posts`).

Fixes #541
---
 doc/NEWS | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'doc')

diff --git a/doc/NEWS b/doc/NEWS index 39fce3d6..cb7a761c 100644 --- a/doc/NEWS +++ b/doc/NEWS @@ -54,6 +54,8 @@ - Fix possible stack overflow in date parsing routine (bug #1224, CVE-2017-12482) +- Fix use-after-free when using --gain (bug #541) + - Python: Removed double quotes from Unicode values. - Python: Ensure that parse errors produce useful RuntimeErrors -- cgit v1.2.3
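Review bot: The added NEWS entry `- Fix use-after-free when using --gain (bug #541)` understates where the defect lives; the commit message attributes it to filter-chain teardown (`changed_value_posts` clearing its `temporaries_t` after `display_filter_posts` is already destroyed), so a reader of NEWS cannot tell which component was affected or whether their usage was exposed. Suggest wording along the lines of `- Fix use-after-free in filter chain destruction when using --gain (bug #541)`, matching the level of detail in the neighbouring entry (`bug #1224, CVE-2017-12482`). Also note that this view is limited to 'doc' and the diffstat reports only `1 file changed`, so the hunk shown contains no code change; the ordering fix described in the message should be confirmed in the same commit's non-doc files before this entry is accepted as describing a shipped fix.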