Re: use-after-free in rl_display_match_list
From: Grisha Levit
Subject: Re: use-after-free in rl_display_match_list
Date: Mon, 20 Mar 2023 16:39:30 -0400
On Mon, Mar 20, 2023 at 12:55 PM Grisha Levit <grishalevit@gmail.com> wrote:
>
> A SIGINT received during get_y_or_n in display_matches can leave
> rl_display_match_list working with an already-freed matches array.
Actually, the same thing can happen during calls to _rl_internal_pager
within rl_display_match_list.
So maybe also:
----
diff --git a/lib/readline/complete.c b/lib/readline/complete.c
index d6dd7dca..c7dcb82d 100644
--- a/lib/readline/complete.c
+++ b/lib/readline/complete.c
@@ -1630,7 +1630,7 @@ rl_display_match_list (char **matches, int len, int max)
if (_rl_page_completions && lines >= (_rl_screenheight - 1) && i < count)
{
lines = _rl_internal_pager (lines);
- if (lines < 0)
+ if (lines < 0 || _rl_complete_display_matches_interrupt)
return;
}
}
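Review bot: the added condition reads the global `_rl_complete_display_matches_interrupt`, but nothing in this hunk shows where that flag is cleared before the display loop starts; unless it is reset at the beginning of each completion attempt, a value left over from a previously interrupted listing would make this `return` fire on the next, uninterrupted one. Please point at the reset site in the cover message, and spell out in the commit message why `lines < 0` alone is not enough: `_rl_internal_pager` can hand back a valid line count even though a SIGINT arrived while it was waiting for a keypress, and by then the signal path has already freed the `matches` array this loop continues to index.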
@@ -1658,7 +1658,7 @@ rl_display_match_list (char **matches, int len, int max)
if (_rl_page_completions && lines >= _rl_screenheight - 1)
{
lines = _rl_internal_pager (lines);
- if (lines < 0)
+ if (lines < 0 || _rl_complete_display_matches_interrupt)
return;
}
}
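Review bot: this is the same condition added in the first hunk, now at a second pager call site; rather than duplicating `lines < 0 || _rl_complete_display_matches_interrupt` in both places, consider having `_rl_internal_pager` return -1 when the interrupt flag is set, so both call sites keep their existing `if (lines < 0) return;` and any future pager call site gets the check for free.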
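Added example (not readline's code, and not part of the patch above): a stripped-down C model of the race being fixed. A `matches` list is iterated by a display loop that calls a blocking pager; the interrupt cleanup frees the list during that wait and sets a flag modelled on `_rl_complete_display_matches_interrupt`, but the pager still returns a non-negative line count, so a loop that tests only `lines < 0` keeps indexing freed memory. The model counts post-free accesses instead of performing them so it can run safely; all names (`run_scenario`, `internal_pager`, `interrupt_cleanup`, `display_list`, `screenheight`) are hypothetical, and the candidate strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model state; none of these are readline's own symbols. */
struct match_list {
  char **items;   /* NULL-terminated list, like readline's matches */
  int freed;      /* set once interrupt_cleanup has released items */
};

static int display_matches_interrupt;  /* models _rl_complete_display_matches_interrupt */
static int interrupt_on_page;          /* test knob: pager call that "receives" SIGINT; 0 = never */
static int pager_calls;
static const int screenheight = 3;     /* rows per page before the pager prompts */

static char *xstrdup (const char *s)
{
  size_t n = strlen (s) + 1;
  char *p = malloc (n);
  if (p) memcpy (p, s, n);
  return p;
}

static void free_matches (char **m)
{
  for (int i = 0; m[i]; i++)
    free (m[i]);
  free (m);
}

/* Models the signal-side cleanup that runs while the pager waits for a key:
 * it frees the list the display loop is still iterating and raises the flag. */
static void interrupt_cleanup (struct match_list *ml)
{
  free_matches (ml->items);
  ml->items = NULL;
  ml->freed = 1;
  display_matches_interrupt = 1;
}

/* Models _rl_internal_pager: returns the line count to continue with (0 after
 * a page break) or -1 if the user quits.  An interrupt that arrives during the
 * wait does NOT change the return value; that is the gap the patch closes. */
static int internal_pager (int lines, struct match_list *ml)
{
  (void) lines;
  pager_calls++;
  if (pager_calls == interrupt_on_page)
    interrupt_cleanup (ml);
  return 0;   /* "space": show the next page */
}

/* Returns the number of entries touched after the list was freed (0 means no
 * use-after-free).  Instead of dereferencing freed memory the model counts the
 * access, so the scenario can run safely.  hardened=0 is the pre-patch check,
 * hardened=1 adds the flag test the patch introduces. */
static int display_list (struct match_list *ml, int count, int hardened)
{
  int uaf = 0, lines = 0;
  for (int i = 0; i < count; i++)
    {
      if (ml->freed)
        uaf++;                          /* the real code would read freed memory here */
      else
        (void) strlen (ml->items[i]);   /* stand-in for printing the match */
      lines++;
      if (lines >= screenheight - 1 && i < count - 1)
        {
          lines = internal_pager (lines, ml);
          if (lines < 0 || (hardened && display_matches_interrupt))
            return uaf;
        }
    }
  return uaf;
}

/* Constructed sample input: n fake completion candidates. */
static char **make_matches (int n)
{
  char **m = calloc ((size_t) n + 1, sizeof *m);
  for (int i = 0; i < n; i++)
    {
      char buf[32];
      snprintf (buf, sizeof buf, "match%02d", i);
      m[i] = xstrdup (buf);
    }
  return m;
}

/* Runs one listing of n candidates with SIGINT simulated during pager call
 * number interrupt_page (0 = no interrupt); returns post-free access count. */
int run_scenario (int n, int interrupt_page, int hardened)
{
  struct match_list ml = { make_matches (n), 0 };
  display_matches_interrupt = 0;   /* caller resets the flag per completion attempt */
  pager_calls = 0;
  interrupt_on_page = interrupt_page;
  int uaf = display_list (&ml, n, hardened);
  if (!ml.freed)
    free_matches (ml.items);
  return uaf;
}

int main (void)
{
  printf ("no interrupt:            unsafe=%d hardened=%d\n",
          run_scenario (10, 0, 0), run_scenario (10, 0, 1));
  printf ("SIGINT at 1st page wait: unsafe=%d hardened=%d\n",
          run_scenario (10, 1, 0), run_scenario (10, 1, 1));
  return 0;
}
```

With ten candidates and a three-row screen the pager is entered after every second entry, so an interrupt during the first wait leaves the unchecked loop touching the eight remaining entries of a list that no longer exists, while the flag check returns before touching any of them.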