From cbe6be8f8f690b9c8e2eb19e13e9b7a7ebe28a81 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Sat, 1 Sep 2007 12:45:11 +0000
Subject: [PATCH] prevent a double free() when re-initing the parser

---
 gram.y | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/gram.y b/gram.y
index 5699303fb..a8dcaca59 100644
--- a/gram.y
+++ b/gram.y
@@ -592,7 +592,7 @@ init_parser(path, quiet)
     int quiet;
 {
     struct defaults *d;
-    struct member *m, *lastbinding;
+    struct member *m, *freed;
     struct userspec *us;
     struct privilege *priv;
     struct cmndspec *cs;
@@ -607,10 +607,14 @@ init_parser(path, quiet)
 		efree(m->name);
 		efree(m);
 	    }
+	    freed = NULL;
 	    while ((cs = lh_pop(&priv->cmndlist)) != NULL) {
-		while ((m = lh_pop(&cs->runaslist)) != NULL) {
-		    efree(m->name);
-		    efree(m);
+		if (lh_last(&cs->runaslist) != freed) {
+		    freed = lh_last(&cs->runaslist);
+		    while ((m = lh_pop(&cs->runaslist)) != NULL) {
+			efree(m->name);
+			efree(m);
+		    }
 		}
 		efree(cs->cmnd->name);
 		efree(cs->cmnd);
@@ -621,9 +625,10 @@ init_parser(path, quiet)
     }
     lh_init(&userspecs);
 
-    lastbinding = NULL;
+    freed = NULL;
     while ((d = lh_pop(&defaults)) != NULL) {
-	if (lh_pop(&d->binding) != lastbinding) {
+	if (lh_last(&d->binding) != freed) {
+	    freed = lh_last(&d->binding);
 	    while ((m = lh_pop(&d->binding)) != NULL) {
 		efree(m->name);
 		efree(m);
-- 
2.40.0