Details
- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: core
- Labels: None
Description
In SWMgr::createAllModules(), if a module of the same name already exists it is deleted, but its entry is not removed from the underlying container (either Modules or utilModules). If the new module is not inserted into exactly the same container, the stale entry retains a dangling pointer, potentially leading to use-after-free issues/vulnerabilities at runtime. It seems this can be triggered, for example, by SWMgr::augmentModules() when loading a utility module "KJV" while a regular module named "KJV" is already loaded.
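To make the failure mode concrete, here is an added, self-contained C++ illustration of the pattern the report describes; it is not SWORD code. The `Registry`, `Module`, `addBuggy`, `addSafe` and `deleteModule` names are hypothetical stand-ins for SWMgr's two containers and its insert path. The buggy path frees the old object but leaves its map entry behind, so when a utility module with the same name lands in the other container the stale pointer survives; the safe path erases the entry from every container before freeing. The check only tests for the presence of the key and never dereferences the freed pointer, so the example itself stays well defined.

```cpp
#include <initializer_list>
#include <map>
#include <string>

// Hypothetical stand-in for SWModule: only the name and type matter here.
struct Module {
    std::string name;
    std::string type;   // "Utility" or anything else
};

// Hypothetical stand-in for SWMgr's two module containers.
struct Registry {
    std::map<std::string, Module*> modules;      // regular modules
    std::map<std::string, Module*> utilModules;  // utility modules

    // Look a name up in either container, regular modules first.
    Module* getModule(const std::string& name) const {
        auto it = modules.find(name);
        if (it != modules.end()) return it->second;
        it = utilModules.find(name);
        if (it != utilModules.end()) return it->second;
        return nullptr;
    }

    // The destination container is chosen from the module's type.
    std::map<std::string, Module*>& containerFor(const Module& m) {
        return m.type == "Utility" ? utilModules : modules;
    }

    // Buggy pattern from the report: the old object is freed, but its entry
    // stays in whichever container held it. If the new module is inserted
    // into the other container, that entry now holds a dangling pointer.
    void addBuggy(Module* m) {
        if (Module* old = getModule(m->name)) delete old;
        containerFor(*m)[m->name] = m;
    }

    // Safe pattern: erase the entry from every container, then free.
    void deleteModule(const std::string& name) {
        for (auto* c : {&modules, &utilModules}) {
            auto it = c->find(name);
            if (it != c->end()) {
                delete it->second;
                c->erase(it);
            }
        }
    }

    void addSafe(Module* m) {
        deleteModule(m->name);
        containerFor(*m)[m->name] = m;
    }
};

// Replays the report's scenario (regular "KJV" loaded, then a utility "KJV")
// and returns true if a stale "KJV" entry is left behind in `modules`.
bool staleEntryRemains(bool useSafePath) {
    Registry r;
    Module* regular = new Module{"KJV", "Bibles"};    // constructed sample
    Module* utility = new Module{"KJV", "Utility"};   // constructed sample
    if (useSafePath) {
        r.addSafe(regular);
        r.addSafe(utility);
    } else {
        r.addBuggy(regular);
        r.addBuggy(utility);
    }
    // Key presence only: the buggy path's pointer must never be dereferenced.
    bool stale = r.modules.count("KJV") == 1;
    // Cleanup: drop any stale key without touching it, then free the live one.
    r.modules.erase("KJV");
    r.deleteModule("KJV");
    return stale;
}

int main() {
    // Stand-alone run: the buggy path leaves a stale entry, the safe one does not.
    return (staleEntryRemains(false) && !staleEntryRemains(true)) ? 0 : 1;
}
```

The key point for reviewers is the ordering in `deleteModule`: the entry is erased from every container that may hold the name before the object is freed, so no container can be left pointing at freed memory regardless of which container the replacement is inserted into.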
Possible fix:
diff --git a/src/mgr/swmgr.cpp b/src/mgr/swmgr.cpp index 9b0f139f..37cf5b4c 100644 --- a/src/mgr/swmgr.cpp +++ b/src/mgr/swmgr.cpp @@ -1510,10 +1510,7 @@ SWLOGD("libsword: SWMgr::createAllModules"); // place our module in module container, removing first if one // already exists by our same name - SWModule *oldmod = getModule(newmod->getName()); - if (oldmod) { - delete oldmod; - } + deleteModule(newmod->getName()); // if it's not a utility module save it to Modules if ( SWBuf("Utility") != newmod->getType() &&
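Review bot: the hunk's correctness hinges on deleteModule(newmod->getName()) erasing the entry from both Modules and utilModules, not just freeing the object; the code it replaces already freed `oldmod`, and the defect in the description is the entry left behind in the other container, so if deleteModule only searches one of the two maps the same stale pointer survives for the utility-"KJV"-over-regular-"KJV" case. Please confirm in the review that deleteModule removes the map entry from whichever container holds the name (ideally both) before deleting, and add a regression test that loads a utility module named "KJV" alongside a regular "KJV" and checks that neither container retains the old pointer.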
PS: Happy new year!