From 96c88663ce3b74fe04d483ad453f1dff504123ff Mon Sep 17 00:00:00 2001
From: Michael Budde
Date: Mon, 28 Jan 2019 18:43:08 +0100
Subject: Fix use-after-free when destroying filter chain When using the `--gain` option the `temporaries_t` in `changed_value_posts` filter stores a reference to the `` temp account created in `display_filter_posts`. When destroying the filter chain `display_filter_posts` is destroyed before `changed_value_posts` and this can result in a use-after-free in `temporaries_t::clear()` when `temps` in `changed_value_posts` is cleared during destruction if there are any temp posts referencing the `` account. Fix the issue by clearing the `temporaries_t` in `changed_value_posts` before destroying the rest of the filter chain (which includes `display_filter_posts`). Fixes #541
---
 src/filters.h | 1 +
 1 file changed, 1 insertion(+) (limited to 'src/filters.h')
diff --git a/src/filters.h b/src/filters.h
index c1dc2e04..cf053a24 100644
--- a/src/filters.h
+++ b/src/filters.h
@@ -604,6 +604,7 @@ public:
 virtual ~changed_value_posts() {
 TRACE_DTOR(changed_value_posts);
+ temps.clear();
 handler.reset();
 }
-- cgit v1.2.3
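Review bot: The ordering this fix depends on is not documented at the destructor: `temps.clear()` has to run before `handler.reset()` because, per the commit message, temp posts held in `temps` can reference an account owned by `display_filter_posts`, which is destroyed with the rest of the chain. Without a comment a later cleanup could reorder or drop the call and reintroduce the use-after-free; I would add `// Must precede handler.reset(): temps may reference the temp account owned by display_filter_posts (#541)` above the new line. The diffstat shows only src/filters.h changed, so no regression test accompanies the fix; a `--gain` report case run under a memory-error detector such as AddressSanitizer would guard against regression. The class body starts and ends outside the hunk, so whether other filters holding a `temporaries_t` share this cross-filter lifetime dependency cannot be judged from here.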