From 2dbbc88d0b78c3fc2fb8e63fba67119c5aa456fc Mon Sep 17 00:00:00 2001
From: Mikael Magnusson <mikachu@gmail.com>
Date: Tue, 10 Feb 2015 07:54:18 +0100
Subject: 34488: Fix use-after-free for print -zf and print -sf

---
 ChangeLog     |  5 +++++
 Src/builtin.c | 18 ++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6729881b8..3bef21a02 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-02-10  Mikael Magnusson  <mikachu@gmail.com>
+
+	* 34488: Src/builtin.c: Fix use-after-free for print -zf and
+	print -sf
+
 2015-02-09  Peter Stephenson  <p.stephenson@samsung.com>
 
 	* 34485: Src/exec.c, Src/parse.c, Test/E01options.ztst:
diff --git a/Src/builtin.c b/Src/builtin.c
index 08be1acdd..e093cbe32 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -4527,7 +4527,8 @@ bin_print(char *name, char **args, Options ops, int func)
     if (OPT_ISSET(ops,'z') || OPT_ISSET(ops,'s')) {
 #ifdef HAVE_OPEN_MEMSTREAM
 	putc(0, fout);
-	fflush(fout);
+	fclose(fout);
+	fout = NULL;
 #else
 	rewind(fout);
 	buf = (char *)zalloc(count + 1);
@@ -4548,11 +4549,16 @@ bin_print(char *name, char **args, Options ops, int func)
 	unqueue_signals();
     }
 
-    /* Testing EBADF special-cases >&- redirections */
-    if ((fout != stdout) ? (fclose(fout) != 0) :
-	(fflush(fout) != 0 && errno != EBADF)) {
-	zwarnnam(name, "write error: %e", errno);
-	ret = 1;
+#ifdef HAVE_OPEN_MEMSTREAM
+    if (fout)
+#endif
+    {
+	/* Testing EBADF special-cases >&- redirections */
+	if ((fout != stdout) ? (fclose(fout) != 0) :
+	    (fflush(fout) != 0 && errno != EBADF)) {
+	    zwarnnam(name, "write error: %e", errno);
+	    ret = 1;
+	}
     }
     return ret;
 }
-- 
cgit 1.4.1