Commit e3582726 authored by deuce's avatar deuce

Fix crash caused by free()ing the allocated xp_sprintf() return value before

returning it.  Free the allocated buffer instead.
parent 2b969a4f
...@@ -41,16 +41,18 @@ ...@@ -41,16 +41,18 @@
char* DLLCALL char* DLLCALL
js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv) js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv)
{ {
char* op;
char* p; char* p;
char *p2=NULL; char *p2=NULL;
size_t p2_sz; size_t p2_sz;
JSVALUE_TO_MSTRING(cx, argv[argn++], p, NULL); JSVALUE_TO_MSTRING(cx, argv[argn++], op, NULL);
if(JS_IsExceptionPending(cx)) if(JS_IsExceptionPending(cx))
JS_ClearPendingException(cx); JS_ClearPendingException(cx);
if(p==NULL) if(p==NULL)
return(NULL); return(NULL);
p=op;
p=xp_asprintf_start(p); p=xp_asprintf_start(p);
for(; argn<argc; argn++) { for(; argn<argc; argn++) {
if(JSVAL_IS_DOUBLE(argv[argn])) if(JSVAL_IS_DOUBLE(argv[argn]))
...@@ -74,7 +76,7 @@ js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv) ...@@ -74,7 +76,7 @@ js_sprintf(JSContext *cx, uint argn, uintN argc, jsval *argv)
if(p2) if(p2)
free(p2); free(p2);
p2=xp_asprintf_end(p, NULL); p2=xp_asprintf_end(p, NULL);
free(p); free(op);
return p2; return p2;
} }
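Review bot: The NULL guard after `JSVALUE_TO_MSTRING` still reads `if(p==NULL)`, but the new code has the macro fill `op` and only assigns `p=op;` after that guard. Unless the macro (not shown here) also writes `p`, the guard reads an uninitialized pointer. A failed conversion that leaves `op` NULL would therefore go undetected and reach `xp_asprintf_start(p)` as NULL. The guard should test the variable the macro actually sets: `if(op==NULL) return(NULL);`. The result of `xp_asprintf_start()` is also used without a visible check, though the body of js_sprintf between the two hunks is not shown, so that may be handled there.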