From 2dbbc88d0b78c3fc2fb8e63fba67119c5aa456fc Mon Sep 17 00:00:00 2001
From: Mikael Magnusson
Date: Tue, 10 Feb 2015 07:54:18 +0100
Subject: 34488: Fix use-after-free for print -zf and print -sf
---
 Src/builtin.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
(limited to 'Src')
diff --git a/Src/builtin.c b/Src/builtin.c
index 08be1acdd..e093cbe32 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -4527,7 +4527,8 @@ bin_print(char *name, char **args, Options ops, int func)
 if (OPT_ISSET(ops,'z') || OPT_ISSET(ops,'s')) {
 #ifdef HAVE_OPEN_MEMSTREAM
 putc(0, fout);
- fflush(fout);
+ fclose(fout);
+ fout = NULL;
 #else
 rewind(fout);
 buf = (char *)zalloc(count + 1);
@@ -4548,11 +4549,16 @@ bin_print(char *name, char **args, Options ops, int func)
 unqueue_signals();
 }
- /* Testing EBADF special-cases >&- redirections */
- if ((fout != stdout) ? (fclose(fout) != 0) :
- (fflush(fout) != 0 && errno != EBADF)) {
- zwarnnam(name, "write error: %e", errno);
- ret = 1;
+#ifdef HAVE_OPEN_MEMSTREAM
+ if (fout)
+#endif
+ {
+ /* Testing EBADF special-cases >&- redirections */
+ if ((fout != stdout) ? (fclose(fout) != 0) :
+ (fflush(fout) != 0 && errno != EBADF)) {
+ zwarnnam(name, "write error: %e", errno);
+ ret = 1;
+ }
 }
 return ret;
 }
-- cgit 1.4.1
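Review bot: The new `fclose(fout);` in the HAVE_OPEN_MEMSTREAM branch of the first hunk discards its return value, so a failure while the memory stream is finalised is no longer reported on the -z/-s path; before this change that stream still reached the checked `fclose(fout) != 0` at the end of bin_print. Consider `if (fclose(fout) != 0) { zwarnnam(name, "write error: %e", errno); ret = 1; }` followed by `fout = NULL;`, so the pointer is cleared in either case and the later close is still skipped. Whether buf should still be handed to the -z/-s consumer after such a failure depends on the lines between the two hunks, which are not shown here. The enclosing function bin_print begins outside this hunk.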
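Review bot: The `if (fout)` guard in the second hunk exists only under HAVE_OPEN_MEMSTREAM and leaves a bare `{ ... }` block in the other build, so the control flow of the final close depends on the preprocessor and is easy to break in a later edit. In the lines shown, fout is set to NULL only in the memstream branch, so an unconditional `if (fout) {` would presumably behave the same in both builds and drop the `#ifdef`/`#endif` pair; that assumes fout is never NULL on other paths, which the hunk does not show. It would also help to state why the pointer can be NULL at this point, for example `/* fout was already closed by the -z/-s memstream path above */`, because that invariant is what prevents a second fclose() on the same stream.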