Fix the use after free which causes a segv (#8664)

* Fix the use after free by removing instruction which was overriding 'r_cons_instance.num' struct by a new mallocated struct which is free at the end * Fix new segv by saving old num and restore it before free is called * spaces to tabs
2025-02-12 09:38:20 +00:00 · 2017-10-08 21:34:00 +02:00 · 2017-10-08 21:34:00 +02:00 · 2138aa2209
commit 2138aa2209
parent 41ce16b314
2 changed files with 10 additions and 0 deletions
--- a/libr/core/core.c
+++ b/libr/core/core.c
@ -1722,6 +1722,9 @@ R_API bool r_core_init(RCore *core) {
 	}
 	core->print->cons = core->cons;
 	r_cons_bind (&core->print->consbind);
+
+	// We save the old num, in order to restore it after free
+	core->old_num = core->cons->num;
 	core->cons->num = core->num;
 	core->lang = r_lang_new ();
 	core->lang->cmd_str = (char *(*)(void *, const char *))r_core_cmd_str;
@ -1836,6 +1839,12 @@ R_API RCore *r_core_fini(RCore *c) {
 	free (c->lastcmd);
 	free (c->block);
 	r_io_free (c->io);
+
+	// Check if the old num is saved. If yes, we restore it.
+	if (c->cons != NULL && c->old_num != NULL) { 
+		c->cons->num = c->old_num;
+		c->old_num   = NULL;
+	}
 	r_num_free (c->num);
 	// TODO: sync or not? sdb_sync (c->sdb);
 	// TODO: sync all dbs?
--- a/libr/include/r_core.h
+++ b/libr/include/r_core.h
@ -132,6 +132,7 @@ typedef struct r_core_t {
 	RCoreFile *file;
 	RList *files;
 	RNum *num;
+	RNum *old_num;
 	RLib *lib;
 	RCmd *rcmd;
 	RCmdDescriptor root_cmd_descriptor;