Hi Magnus,
On Sat, Jan 24, 2026 at 11:13:25AM -0800, Nopey Nope wrote:
> Hello!
>
> Find attached two patches, which each fix a use-after-free bug.
> I've also attached a crashing html document for each, but please be
> aware that these reproducer documents link urls from external web
> servers.
>
> The reproducers crash reliably on my x86_64 Void Linux laptop, but
> I've not tested them elsewhere. I've also attached a crash log with
> asan reporting of each.
>
> Thank you
> -Magnus L
>
> p.s. I've also opened github PR 449 with these same changes, but
> figured I should send the patches via email as well-- if only for
> practice :)

Thanks a lot for the patches and reproducers!
I saw the PR but I only had time to look at the "Fix use-after-free in
openssl cert popup" commit which seems good. We are moving away from
GitHub so it would be nice to send future patches here (or a link to a
git repo/branch to fetch with git).
It would help to describe what is the condition that triggers the UAF in
the Http_server patch and why the change helps, so that it is easier to
review.
Perhaps it would be a good idea to put that information in the commit
summary of both patches so we can see it via git blame.
Best,
Rodrigo.