Commit 7c7a2c14 authored by rswindell

Fix potential for heap corruption in (new function) strListModifyEach():

If the modify callback function returned a pointer *within* the list item's
allocated buffer, the strcpy() would copy from potentially free'd memory as
realloc may change the location of the heap buffer when resizing.
Fixed by allocating a copy of the returned pointer before freeing the original
list item buffer and then just assign the allocated pointer (no copying
needed). This likely will result in more heap fragmentation for modified list
items are now newly-allocated buffers rather than reallocated existing buffers
but the other option would have been to allocate a temporary copy of the string
before reallocating and then copying and that would've been a lot more overhead
than with this approach.

This likely fixes any crashes seen in recent revs of v3.17c (e.g. when
imported QWK or REP packets and text/*.can and the twitlist.cfg are parsed).
The sighting on Vertrauen was only in the Windows build and appeared when
importing QWK/REP packets.
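The commit message describes an ordering bug: the callback may hand back a pointer that lies inside the very buffer the loop is about to realloc(), so the copy reads from a block that realloc() may already have moved or freed. The following is an added illustration and is not code from the Synchronet project: it reconstructs both orderings in a minimal `str_list_t`-style list (assumed here to be a NULL-terminated array of heap strings), uses a constructed `ltrim_cb` callback that deliberately returns an interior pointer, and keeps the pre-fix version only for side-by-side comparison, never calling it. The `xstrdup`, `build_list` and `free_list` helpers are assumptions introduced for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: a NULL-terminated array of heap-allocated
 * strings, mirroring the shape of the project's str_list_t. */
typedef char** str_list_t;
typedef char* (*modify_fn)(size_t, char*, void*);

/* Portable stand-in for strdup(), which is POSIX rather than ISO C. */
char* xstrdup(const char* s)
{
    size_t n = strlen(s) + 1;
    char* p = malloc(n);
    if(p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Pre-fix ordering, kept for comparison and never called: realloc() may move
 * (and free) list[i] while `str` still points into the old block, so the
 * strcpy() then reads freed memory. */
size_t modify_each_unsafe(str_list_t list, modify_fn modify, void* cbdata)
{
    size_t i;
    for(i = 0; list[i] != NULL; i++) {
        char* str = modify(i, list[i], cbdata);
        if(str == NULL || str == list[i])
            continue;
        char* p = realloc(list[i], strlen(str) + 1); /* old block may be gone */
        if(p == NULL)
            break;
        list[i] = p;
        strcpy(p, str);                               /* str may be dangling */
    }
    return i;
}

/* Post-fix ordering: copy the callback's result while the original buffer is
 * still alive, then release the original and keep the copy. */
size_t modify_each_safe(str_list_t list, modify_fn modify, void* cbdata)
{
    size_t i;
    for(i = 0; list[i] != NULL; i++) {
        char* str = modify(i, list[i], cbdata);
        if(str == NULL || str == list[i])   /* NULL or same pointer: nothing to do */
            continue;
        str = xstrdup(str);                 /* copy first; str may alias list[i] */
        if(str == NULL)
            break;                          /* i = first item left unmodified */
        free(list[i]);
        list[i] = str;
    }
    return i;
}

/* Constructed callback that triggers the aliasing case: it returns a pointer
 * *inside* the item's buffer (past leading whitespace), or the item itself
 * when there is nothing to trim. */
char* ltrim_cb(size_t idx, char* item, void* cbdata)
{
    (void)idx; (void)cbdata;
    char* p = item;
    while(*p != '\0' && isspace((unsigned char)*p))
        p++;
    return p;
}

void free_list(str_list_t list)
{
    if(list == NULL)
        return;
    for(size_t i = 0; list[i] != NULL; i++)
        free(list[i]);
    free(list);
}

str_list_t build_list(const char* const* src, size_t n)
{
    str_list_t list = calloc(n + 1, sizeof(char*)); /* last slot stays NULL */
    if(list == NULL)
        return NULL;
    for(size_t i = 0; i < n; i++) {
        list[i] = xstrdup(src[i]);
        if(list[i] == NULL) {
            free_list(list);
            return NULL;
        }
    }
    return list;
}

int main(void)
{
    const char* src[] = { "  alpha", "beta", "\t gamma" }; /* constructed input */
    str_list_t list = build_list(src, 3);
    if(list == NULL)
        return 1;
    size_t done = modify_each_safe(list, ltrim_cb, NULL);
    for(size_t i = 0; list[i] != NULL; i++)
        printf("[%zu] '%s'\n", i, list[i]);
    free_list(list);
    return done == 3 ? 0 : 1;
}
```

Running `modify_each_safe` under AddressSanitizer with `ltrim_cb` is clean, because the interior pointer is consumed by `xstrdup` before `free`; the same callback against `modify_each_unsafe` is the pattern the commit removes, where the read in `strcpy` may land in a block that `realloc` has already released.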
parent a3b2f9e2
......@@ -202,15 +202,14 @@ size_t DLLCALL strListModifyEach(const str_list_t list, char*(modify(size_t, cha
{
size_t i;
for(i = 0; list[i] != NULL; i++) {
char* p;
char* str = modify(i, list[i], cbdata);
if(str == NULL || str == list[i]) // Same old pointer (or NULL), no realloc() needed
if(str == NULL || str == list[i]) // Same old pointer (or NULL), no modification
continue;
p = realloc(list[i], strlen(str) + 1);
if(p == NULL)
str = strdup(str);
if(str == NULL)
break;
list[i] = p;
strcpy(p, str);
free(list[i]);
list[i] = str;
}
return i;
}
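Review bot: the context line `char* p;` is now dead, since the new body never assigns or reads `p` after `realloc()` was dropped; remove the declaration to avoid an unused-variable warning. Separately, when `strdup()` fails the loop breaks and returns `i` with `list[i]` still holding the original string, so a return value smaller than the list length is the only signal of allocation failure; document that in the function's comment so callers know to compare the result against the list length.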