From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <fw@sourceware.org>
Received: by sourceware.org (Postfix, from userid 2178)
	id 729BC384BC3A; Fri, 11 Nov 2022 16:29:15 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 729BC384BC3A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1668184155;
	bh=huaLHTYg650ViFxlxPtxnkiu+mb8dF6MKRfY1plitKg=;
	h=From:To:Subject:Date:From;
	b=amGQXbT/rstVDrUN2SLAbNujRuVK6Zj07asYkRvrxNa+rbP3X82hkPIkXM1kFHGPc
	 7aAK2HisRIuWNWdezi0gyucEo0vEaAI4HeR+XQhCLXKJbkQtdU5LfHie0uVRLIvtzZ
	 K6w/swyaGGKH50CSDrgRUVTcmkOuFcKRS+r0gLE0=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Florian Weimer <fw@sourceware.org>
To: glibc-cvs@sourceware.org
Subject: [glibc/release/2.34/master] io: Fix use-after-free in ftw [BZ #26779]
X-Act-Checkin: glibc
X-Git-Author: Martin Sebor <msebor@redhat.com>
X-Git-Refname: refs/heads/release/2.34/master
X-Git-Oldrev: 06afa5e09fbd984ed45ae6fc6ca050d544aba780
X-Git-Newrev: deea6ab1bcb2696be514e579f3263c234ecc1683
Message-Id: <20221111162915.729BC384BC3A@sourceware.org>
Date: Fri, 11 Nov 2022 16:29:15 +0000 (GMT)
List-Id: <glibc-cvs.sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=deea6ab1bcb2696be514e579f3263c234ecc1683

commit deea6ab1bcb2696be514e579f3263c234ecc1683
Author: Martin Sebor <msebor@redhat.com>
Date:   Tue Jan 25 17:39:02 2022 -0700

    io: Fix use-after-free in ftw [BZ #26779]
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    (cherry picked from commit ee52ab25ba875f458981fce22c54e3c04c7a17d3)

Diff:
---
 io/ftw.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/io/ftw.c b/io/ftw.c
index cf08d9f101..91a4e8e6de 100644
--- a/io/ftw.c
+++ b/io/ftw.c
@@ -324,8 +324,9 @@ open_dir_stream (int *dfdp, struct ftw_data *data, struct dir_data *dirp)
 	  buf[actsize++] = '\0';
 
 	  /* Shrink the buffer to what we actually need.  */
-	  data->dirstreams[data->actdir]->content = realloc (buf, actsize);
-	  if (data->dirstreams[data->actdir]->content == NULL)
+	  void *content = realloc (buf, actsize);
+	  data->dirstreams[data->actdir]->content = content;
+	  if (content == NULL)
 	    {
 	      int save_err = errno;
 	      free (buf);