mirror of https://github.com/RGBCube/serenity synced 2025-05-31 14:48:14 +00:00

xml: Avoid UAF in Error return from serenity_main()

ErrorOr<int> cannot own a string, and the string is scrubbed when freed,
so we'd get garbage when errors were printed.
Ali Mohammad Pur 2022-05-08 12:57:36 +04:30 committed by Linus Groh
parent 0e9100e3c2
commit 1830996ac9


@ -511,14 +511,14 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
auto xml_parser = parse(contents); auto xml_parser = parse(contents);
auto result = xml_parser.parse(); auto result = xml_parser.parse();
if (result.is_error()) { if (result.is_error()) {
// Technically this is a UAF, but the referenced string data won't be overwritten by anything at this point. if (xml_parser.parse_error_causes().is_empty()) {
if (xml_parser.parse_error_causes().is_empty()) warnln("{}", result.error());
return Error::from_string_literal(String::formatted("{}", result.error())); } else {
warnln("{}; caused by:", result.error());
StringBuilder builder; for (auto const& cause : xml_parser.parse_error_causes())
builder.join("\n", xml_parser.parse_error_causes(), " {}"); warnln(" {}", cause);
return Error::from_string_literal( }
String::formatted("{}; caused by:\n{}", result.error(), builder.string_view())); return 1;
} }
auto doc = result.release_value(); auto doc = result.release_value();