Fix `use after free in File#initilialize_copy`; fix #4001

The bug and the fix were reported by https://hackerone.com/pnoltof

Fix `use after free in File#initilialize_copy`; fix #4001
The bug and the fix were reported by https://hackerone.com/pnoltof
b51b21fc · Yukihiro "Matz" Matsumoto · fabc4608 · b51b21fc
Commit b51b21fc authored Apr 17, 2018 by Yukihiro "Matz" Matsumoto
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

mrbgems/mruby-io/src/io.c mrbgems/mruby-io/src/io.c +1 -1

No files found.
--- a/mrbgems/mruby-io/src/io.c
+++ b/mrbgems/mruby-io/src/io.c
@@ -561,13 +561,13 @@ mrb_io_initialize_copy(mrb_state *mrb, mrb_value copy)
  mrb_bool failed = TRUE;

  mrb_get_args(mrb, "o", &orig);
+  fptr_orig = io_get_open_fptr(mrb, orig);
  fptr_copy = (struct mrb_io *)DATA_PTR(copy);
  if (fptr_copy != NULL) {
    fptr_finalize(mrb, fptr_copy, FALSE);
    mrb_free(mrb, fptr_copy);
  }
  fptr_copy = (struct mrb_io *)mrb_io_alloc(mrb);
-  fptr_orig = io_get_open_fptr(mrb, orig);

  DATA_TYPE(copy) = &mrb_io_type;
  DATA_PTR(copy) = fptr_copy;