From 2e15e782a152867a445510a61a799c880372be78 Mon Sep 17 00:00:00 2001 From: Piotr Fusik Date: Mon, 26 Aug 2024 04:20:09 +0200 Subject: [PATCH] Fix use after free in `_stdio_closeall` (#364) While this was probably harmless because we are single-threaded, the allocator could generally store its internal structure in the freed block. --- mos-platform/common/c/stdio-full.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mos-platform/common/c/stdio-full.c b/mos-platform/common/c/stdio-full.c index 50668790..bdb3280c 100644 --- a/mos-platform/common/c/stdio-full.c +++ b/mos-platform/common/c/stdio-full.c @@ -81,8 +81,11 @@ asm(".section .fini.100,\"axR\",@progbits\n" " jsr _stdio_closeall\n"); void _stdio_closeall(void) { - for (FILE *f = filelist; f; f = f->next) + for (FILE *f = filelist; f;) { + FILE *next = f->next; fclose(f); + f = next; + } } /* A system call that writes a stream's buffer.
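Review bot: In the new loop body of `_stdio_closeall`, nothing documents why `f->next` is read before `fclose(f)`, so a later cleanup could fold it back into the `for` increment and reintroduce the read from a freed `FILE`. A one-line comment above `FILE *next = f->next;`, for example `/* fclose() frees f, so fetch next first */`, would guard against that. Separately, the visible lines never reset `filelist` once the loop finishes, so unless `fclose` unlinks each stream itself the head is left pointing at freed memory. Because this runs from the `.fini.100` section that may be acceptable, but either confirm in the commit message that `fclose` already unlinks the stream or add `filelist = NULL;` after the loop so no dangling head remains for any later finalizer.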