RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-14 08:44:58 +00:00
Code Issues Activity Actions

xml: Avoid UAF in Error return from serenity_main()

Browse source 
ErrorOr<int> cannot own a string, and the string is scrubbed when freed,
so we'd get garbage when errors were printed.
This commit is contained in:
Ali Mohammad Pur 2022-05-08 12:57:36 +04:30 committed by Linus Groh
parent 0e9100e3c2
commit 1830996ac9
1 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

16
Userland/Utilities/xml.cpp
View file

@ -511,14 +511,14 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
auto xml_parser = parse(contents);
auto result = xml_parser.parse();
if (result.is_error()) {
// Technically this is a UAF, but the referenced string data won't be overwritten by anything at this point.
if (xml_parser.parse_error_causes().is_empty())
return Error::from_string_literal(String::formatted("{}", result.error()));
StringBuilder builder;
builder.join("\n", xml_parser.parse_error_causes(), " {}");
return Error::from_string_literal(
String::formatted("{}; caused by:\n{}", result.error(), builder.string_view()));
if (xml_parser.parse_error_causes().is_empty()) {
warnln("{}", result.error());
} else {
warnln("{}; caused by:", result.error());
for (auto const& cause : xml_parser.parse_error_causes())
warnln(" {}", cause);
}
return 1;
}
auto doc = result.release_value();