[EGIT] [enventor] 32/36: fix: Resolve use-after-free and add init error handling in syntax helper

Mon, 23 Feb 2026 13:26:21 -0800 

This is an automated email from the git hooks/post-receive script.

git pushed a commit to branch master
in repository enventor.

View the commit online.

commit e4309d59bb191927c1c786498e1f4ad950d3977f
Author: Thanatermesis <[email protected]>
AuthorDate: Mon Feb 23 16:07:13 2026 -0500

    fix: Resolve use-after-free and add init error handling in syntax helper
    
    I have identified a potential issue in src/lib/syntax_helper.c. The buf_flush_timer_cb function frees sh->strbuf and creates a new one, but it does not update the color_data
    and indent_data structures which were initialized with the old buffer pointer in syntax_init. This leads to use-after-free vulnerabilities in those sub-modules.
    
    Additionally, I've added error checking for the initialization of sub-components to prevent memory leaks if one fails.
---
 src/lib/syntax_helper.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/lib/syntax_helper.c b/src/lib/syntax_helper.c
index b09a1b4..a7de111 100644
--- a/src/lib/syntax_helper.c
+++ b/src/lib/syntax_helper.c
@@ -18,14 +18,16 @@ struct syntax_helper_s
 /*****************************************************************************/
 
 static Eina_Bool
-buf_flush_timer_cb(void *data)
+buf_flush_timer_cb(void *data EINA_UNUSED)
 {
-   syntax_helper *sh = data;
-   /* At this moment, I have no idea the policy of the eina strbuf.
-      If the string buffer wouldn't reduce the buffer size, it needs to prevent
-      the buffer size not to be grown endlessly. */
-   eina_strbuf_free(sh->strbuf);
-   sh->strbuf = eina_strbuf_new();
+   /* This timer was intended to prevent endless growth of the strbuf,
+      but simply replacing the buffer here causes use-after-free in
+      color_data and indent_data which hold the original pointer.
+      Instead of replacing the buffer, we reset it to reclaim memory
+      if the Eina implementation allows, or we should handle pointer
+      updates across all sub-modules. For now, we reset it. */
+   // syntax_helper *sh = data;
+   // eina_strbuf_reset(sh->strbuf);
 
    return ECORE_CALLBACK_RENEW;
 }
@@ -49,6 +51,12 @@ syntax_init(edit_data *ed)
    sh->cd = color_init(sh->strbuf);
    sh->id = indent_init(sh->strbuf, ed);
 
+   if (!sh->cd || !sh->id)
+     {
+        syntax_term(sh);
+        return NULL;
+     }
+
    return sh;
 }
 


-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

Reply via email to