The memory provided by `buf` is still referenced by `path` and used after the free call. Delay the freeing until after using it. --- src/realpath.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/realpath.c b/src/realpath.c
index 1cf7eaf..9133605 100644
--- a/src/realpath.c
+++ b/src/realpath.c
@@ -64,6 +64,7 @@ private_realpath(const char *path, char *resolved_path, int maxreslth) {
 char link_path[PATH_MAX+1];
 int n;
 char *buf = NULL;
+ char *oldbuf = NULL;
 npath = resolved_path;
@@ -141,12 +142,19 @@ private_realpath(const char *path, char *resolved_path, int maxreslth) {
 /* Insert symlink contents into path. */
 m = strlen(path);
- if (buf)
- free(buf);
+ if (buf) {
+ /* Delay freeing of 'buf', as 'path' might
+ * still be pointing to it. */
+ oldbuf = buf;
+ }
 buf = xmalloc(m + n + 1);
 memcpy(buf, link_path, n);
 memcpy(buf + n, path, m + 1);
 path = buf;
+ if (oldbuf) {
+ free(oldbuf);
+ oldbuf = NULL;
+ }
 #endif
 }
 *npath++ = '/';
-- 
2.31.1
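Review bot: The `if (buf)` and `if (oldbuf)` guards in the second hunk, together with the function-scope `oldbuf` added in the first, are more bookkeeping than the fix needs: `free(NULL)` is a no-op, so `oldbuf = buf;` before the `xmalloc` and `free(oldbuf);` after `path = buf;` are enough, and the pointer is reassigned on every pass. The ordering itself looks right, since the last read of `path` (the second `memcpy`) now happens before the old buffer is released. A short comment at the `free`, such as `/* 'path' now points into the new 'buf' */`, would keep a later cleanup from moving it back above the copies. The stale-pointer case presumably only arises from the second symlink in a path onward, so a regression test that resolves a path through two chained symlinks under AddressSanitizer would pin it. private_realpath's body starts and ends outside both hunks, so whether `buf` is released on every exit path cannot be checked here.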