(In reply to fkrenzel from comment #3)
> Hey, thanks for catching the PORT_Free(),
>
> As to the libParams on the line 3398. This shouldn't be a problem as libParams is a pointer (char* if I recall correctly) and the operation just assigns the static address of LIB_PARAM_DEFAULT to it.
>
> This is what happens:
> libParams → PR_GetEnvSecure("NSS_LIB_PARAMS"); //Points to the Environmental variable
> libParams → Array[len + 1] //Point to newly allocated memory
> libParams → NULL // freed the array
> libParams → LIB_PARAM_DEFAULT // Point to the statically allocated memory

I don't see where `libParams` gets assigned `NULL`. Line 3385 just frees the memory, so the condition on line 3397 is `false` and line 3398 never gets executed. Then line 3405 uses the freed memory. `PR_Free()` does not null its argument, and in fact cannot, because the argument is a `void *` and not a `void **`.
https://searchfox.org/mozilla-central/source/nsprpub/pr/src/malloc/prmem.c#470 .
Bug 1894572 Comment 4 Edit History
(In reply to fkrenzel from comment #3)
> Hey, thanks for catching the PORT_Free(),
>
> As to the libParams on the line 3398. This shouldn't be a problem as libParams is a pointer (char* if I recall correctly) and the operation just assigns the static address of LIB_PARAM_DEFAULT to it.
>
> This is what happens:
> libParams → PR_GetEnvSecure("NSS_LIB_PARAMS"); //Points to the Environmental variable
> libParams → Array[len + 1] //Point to newly allocated memory
> libParams → NULL // freed the array
> libParams → LIB_PARAM_DEFAULT // Point to the statically allocated memory

I don't see where `libParams` gets assigned `NULL`. Line 3385 just frees the memory, so the condition on line 3397 is `false` and line 3398 never gets executed. Then line 3405 uses the freed memory. `PR_Free()` does not null its argument, and in fact cannot, because the argument is a `void *` and not a `void **` or `void*&`.
https://searchfox.org/mozilla-central/source/nsprpub/pr/src/malloc/prmem.c#470 .
(In reply to fkrenzel from comment #3)
> Hey, thanks for catching the PORT_Free(),
>
> As to the libParams on the line 3398. This shouldn't be a problem as libParams is a pointer (char* if I recall correctly) and the operation just assigns the static address of LIB_PARAM_DEFAULT to it.
>
> This is what happens:
> libParams → PR_GetEnvSecure("NSS_LIB_PARAMS"); //Points to the Environmental variable
> libParams → Array[len + 1] //Point to newly allocated memory
> libParams → NULL // freed the array
> libParams → LIB_PARAM_DEFAULT // Point to the statically allocated memory

I don't see where `libParams` gets assigned `NULL`. Line 3385 just frees the memory, so the condition on line 3397 is `false` and line 3398 never gets executed. Then line 3405 uses the freed memory. `PR_Free()` does not null its argument, and in fact cannot, because the argument is a `void *` and not a `void **` or `void *&`.
https://searchfox.org/mozilla-central/source/nsprpub/pr/src/malloc/prmem.c#470 .
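The point the comment makes, that a callee taking `void *` receives a copy of the pointer value and so can never reset the caller's variable, is easy to see in a small stand-alone program. The code below is an added illustration, not code from the bug, from NSS or from NSPR. It replaces `PR_Free()`/`free()` with a toy tracked allocator (so that a pointer to released memory can be compared and inspected without the indeterminate-value problems real `free()` introduces), uses a constructed `DEFAULT_PARAMS` string as a stand-in for `LIB_PARAM_DEFAULT`, and shows the buggy "free, then test for NULL, then use" flow beside a wrapper that takes the pointer by address and clears it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for LIB_PARAM_DEFAULT: statically allocated storage
 * that is never freed. Constructed for this example. */
static const char DEFAULT_PARAMS[] = "default-params";

/* Tiny tracked allocator (constructed for the example) so the program stays
 * well-defined C: each slot records whether it is currently live, which lets
 * us detect a dangling pointer instead of dereferencing one. */
#define SLOTS 4
#define SLOT_SIZE 32
static char pool[SLOTS][SLOT_SIZE];
static int live[SLOTS];

static void *tracked_alloc(void)
{
    for (int i = 0; i < SLOTS; i++)
        if (!live[i]) { live[i] = 1; return pool[i]; }
    return NULL;
}

/* Same parameter shape as PR_Free(void *): the callee sees a copy of the
 * pointer value, so assigning NULL here changes nothing for the caller. */
static void tracked_free(void *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i]) live[i] = 0;
    p = NULL;   /* clears only this local copy */
    (void)p;
}

/* Defensive wrapper: takes the caller's pointer by address so that freeing
 * and clearing happen in one step and a later NULL test is meaningful. */
static void tracked_free_and_clear(char **pp)
{
    tracked_free(*pp);
    *pp = NULL;
}

/* 1 if p points into a slot that has already been released. */
static int is_dangling(const void *p)
{
    for (int i = 0; i < SLOTS; i++)
        if (p == pool[i]) return !live[i];
    return 0;
}

/* Flow described in the comment: free by value, test for NULL, then use.
 * Returns 1 when the NULL branch is skipped and the later use would touch
 * released memory. */
int buggy_flow_reads_freed(void)
{
    char *params = tracked_alloc();
    if (!params) return -1;
    strcpy(params, "from-environment");
    tracked_free(params);          /* cannot modify 'params' itself */
    if (params == NULL)            /* never true: the pointer still holds the old address */
        params = (char *)DEFAULT_PARAMS;
    return is_dangling(params);    /* 1: the "use" step would read freed memory */
}

/* Same flow with the pointer cleared as part of freeing it. Returns 1 when
 * the static default is selected and the pointer is safe to use. */
int fixed_flow_uses_default(void)
{
    char *params = tracked_alloc();
    if (!params) return -1;
    strcpy(params, "from-environment");
    tracked_free_and_clear(&params);
    if (params == NULL)            /* now true, so the fallback is taken */
        params = (char *)DEFAULT_PARAMS;
    return params == DEFAULT_PARAMS && !is_dangling(params);
}

int main(void)
{
    printf("buggy flow leaves a dangling pointer: %d\n", buggy_flow_reads_freed());
    printf("fixed flow selects the static default: %d\n", fixed_flow_uses_default());
    return 0;
}
```

The fix pattern is the second function: either clear the pointer right after the free call (`PR_Free(libParams); libParams = NULL;`) or route the free through a helper that receives the pointer's address. With AddressSanitizer or a tracked allocator like the one above, the buggy variant is detected the moment the stale pointer is used rather than when it happens to read garbage.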