From 5f25da4d376a12db2fce5016925bbb1b6a78434c Mon Sep 17 00:00:00 2001
From: condret
Date: Mon, 25 Oct 2021 15:06:20 +0200
Subject: [PATCH] Fix UAF io bank map deletion

---
 libr/io/io_bank.c      |  1 +
 libr/util/new_rbtree.c | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/libr/io/io_bank.c b/libr/io/io_bank.c
index 2ebd1ee061..c3756e184c 100644
--- a/libr/io/io_bank.c
+++ b/libr/io/io_bank.c
@@ -884,6 +884,7 @@ R_API void r_io_bank_del_map(RIO *io, const ut32 bankid, const ut32 mapid) {
 			break;
 		}
 	}
+	bank->last_used = NULL;
 	// map is not referenced by this bank; nothing to do
 }
 
diff --git a/libr/util/new_rbtree.c b/libr/util/new_rbtree.c
index 0bec6fa52e..802c841590 100644
--- a/libr/util/new_rbtree.c
+++ b/libr/util/new_rbtree.c
@@ -352,10 +352,12 @@ R_API bool r_crbtree_delete(RRBTree *tree, void *data, RRBComparator cmp, void *
 	free (q);
 #else
 	_set_link (p, q->link[q->link[0] == NULL], p->link[1] == q);
-	q->link[0] = NULL;
-	q->link[1] = NULL;
-	q->parent = NULL;
-	_exchange_nodes (found, q);
+	if (q != found) {
+		q->link[0] = NULL;
+		q->link[1] = NULL;
+		q->parent = NULL;
+		_exchange_nodes (found, q);
+	}
 	if (tree->free) {
 		tree->free (found->data);
 	}
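Review bot: The new `bank->last_used = NULL;` in r_io_bank_del_map runs unconditionally after the loop, so it also drops the cached reference on the path where the map was never in this bank, and the context comment that follows it (`// map is not referenced by this bank; nothing to do`) now sits under a statement that does something on that path. If the intent is only to drop a pointer to the mapref that the loop just released (inferred from the commit title; the match branch starts above the hunk), the clearer placement is `bank->last_used = NULL;` inside the matching branch, immediately before the `break;`, which keeps the cache on the not-found path and leaves the comment accurate. If the unconditional reset is deliberate, reword the comment to `// drop the cached mapref; harmless if the map was not referenced by this bank`. The function body begins outside the hunk.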
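Review bot: In r_crbtree_delete the guard `if (q != found)` now also skips clearing `q->link[0]`, `q->link[1]` and `q->parent` when the unlinked node is the found node, so after `_set_link` that node still carries pointers into the live tree; the old code always nulled them. Whether the node is freed right after `tree->free (found->data)` is outside the hunk, so I cannot tell if the stale links are ever observable, but the safer form costs nothing: hoist the three NULL assignments back above the guard and leave only `_exchange_nodes (found, q);` inside it, which preserves the original order (null, then exchange) for the `q != found` case and still avoids exchanging a node with itself. A one-line comment on the guard, `// q == found: node is already detached, no exchange needed`, would also document why the exchange is conditional. The function starts and ends outside the hunk.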