From e3582726bdae0e4a0271b6621be3993d1b1855ee Mon Sep 17 00:00:00 2001
From: deuce <>
Date: Sun, 10 Feb 2013 03:08:42 +0000
Subject: [PATCH] Fix crash caused by free()ing the allocated xp_sprintf()
 return value before returning it.  Free the allocated buffer instead.

---
 src/sbbs3/js_sprintf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/sbbs3/js_sprintf.c b/src/sbbs3/js_sprintf.c
index 33c6e1942c..29d3e62e47 100644
--- a/src/sbbs3/js_sprintf.c
+++ b/src/sbbs3/js_sprintf.c
@@ -41,16 +41,18 @@
 char* DLLCALL
 js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv)
 {
+	char*		op;
 	char*		p;
 	char		*p2=NULL;
 	size_t		p2_sz;
 
-	JSVALUE_TO_MSTRING(cx, argv[argn++], p, NULL);
+	JSVALUE_TO_MSTRING(cx, argv[argn++], op, NULL);
 	if(JS_IsExceptionPending(cx))
 		JS_ClearPendingException(cx);
 	if(p==NULL)
 		return(NULL);
 
+	p=op;
 	p=xp_asprintf_start(p);
     for(; argn<argc; argn++) {
 		if(JSVAL_IS_DOUBLE(argv[argn]))
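Review bot: The guard `if(p==NULL) return(NULL);` still tests `p`, but after this change JSVALUE_TO_MSTRING writes the converted string into `op` and `p` is not assigned anywhere before that line, so the check reads an uninitialized automatic variable (undefined behaviour) and no longer protects against a failed conversion; it should become `if(op==NULL) return(NULL);`. Whether the macro can actually leave its output NULL is not visible in this hunk, but the existing check implies that it can. With the guard corrected, the new `p=op;` immediately followed by `p=xp_asprintf_start(p);` could be collapsed to `p=xp_asprintf_start(op);`, which also makes it clearer that `op` alone owns the allocated string that the second hunk frees. js_sprintf continues past the end of this hunk.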
@@ -74,7 +76,7 @@ js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv)
 	if(p2)
 		free(p2);
 	p2=xp_asprintf_end(p, NULL);
-	free(p);
+	free(op);
 	return p2;
 }
 
-- 
GitLab