Always return either a dynamically allocated string or NULL from

expand(). Never return the name parameter, which could be a the buf[] buffer which is allocated on the stack by getdeadletter() and which would then be used after getdeadletter() has returned. Reported by: Coverity CID: 1199383 MFC after: 1 week
2016-05-13 06:15:05 +00:00 · 2016-05-13 06:15:05 +00:00 · 090fc1c839
parent dde1276e8e
commit 090fc1c839
1 changed files with 2 additions and 2 deletions
--- a/usr.bin/mail/fio.c
+++ b/usr.bin/mail/fio.c
@ -367,10 +367,10 @@ expand(char *name)
 		name = savestr(xname);
 	}
 	if (!strpbrk(name, "~{[*?$`'\"\\"))
-		return (name);
+		return (savestr(name));
 	if (pipe(pivec) < 0) {
 		warn("pipe");
-		return (name);
+		return (NULL);
 	}
 	(void)snprintf(cmdbuf, sizeof(cmdbuf), "echo %s", name);
 	if ((sh = value("SHELL")) == NULL)