From: Matthew Fernandez
Date: Sun, 22 Jan 2023 18:43:41 +0000 (-0800)
Subject: gv2gxl writeHdr: fix use after free
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0cd1c489fe7237d1cc386307e5c768e81e255bb;p=graphviz

gv2gxl writeHdr: fix use after free

This call to `free` looked like it was deallocating the earlier allocation within this function. But at this point `bp` points to the return value of a call to `addid`. This return value is a `name` member of an item stored in the `idList` dictionary that is still in use. The original allocated memory of `bp` was and still is leaked.
---
diff --git a/cmd/tools/gv2gxl.c b/cmd/tools/gv2gxl.c index e35b5a72b..e28a1e9bd 100644 --- a/cmd/tools/gv2gxl.c +++ b/cmd/tools/gv2gxl.c @@ -468,7 +468,6 @@ writeHdr(gxlstate_t * stp, Agraph_t * g, FILE * gxlFile, int top) tabover(gxlFile); fprintf(gxlFile, "\n", bp); - free(bp); Level++; } else { Tailport = agattr(g, AGEDGE, "tailport", NULL);
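
Review bot: Dropping `free(bp);` after the `fprintf` in `writeHdr` removes the use after free, but the buffer allocated earlier in this function still has no owner; the commit message itself says that memory "was and still is leaked". Since `bp` is reassigned to the value returned by `addid`, consider holding the original allocation in a separate local and freeing that pointer once it is no longer needed, so the leak is not carried forward by this fix. A one-line comment at this spot stating that `bp` now aliases the `name` member of an `idList` entry and must not be freed here would keep the call from being reintroduced by a later cleanup.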