From be3c3ed7dfd0182ea11468c8d4dffa465ce7a44f Mon Sep 17 00:00:00 2001
From: Tavian Barnes
Date: Tue, 19 Oct 2021 12:11:11 -0400
Subject: parse: Fix UAF + double-free when ftruncate() fails

---
 parse.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/parse.c b/parse.c
index a7ee3ab..c257f4e 100644
--- a/parse.c
+++ b/parse.c
@@ -336,6 +336,7 @@ static int expr_open(struct parser_state *state, struct expr *expr, const char *
 
  FILE *file = NULL;
  CFILE *cfile = NULL;
+ CFILE *dedup = NULL;
 
  file = xfopen(path, O_WRONLY | O_CREAT | O_CLOEXEC);
  if (!file) {
@@ -347,7 +348,7 @@ static int expr_open(struct parser_state *state, struct expr *expr, const char *
  goto fail;
  }
 
- CFILE *dedup = bfs_ctx_dedup(ctx, cfile, path);
+ dedup = bfs_ctx_dedup(ctx, cfile, path);
  if (!dedup) {
  goto fail;
  }
@@ -367,10 +368,12 @@ static int expr_open(struct parser_state *state, struct expr *expr, const char *
 
 fail:
  parse_error(state, "${blu}%s${rs} ${bld}%s${rs}: %m.\n", expr->argv[0], path);
- if (cfile) {
- cfclose(cfile);
- } else if (file) {
- fclose(file);
+ if (!dedup) {
+ if (cfile) {
+ cfclose(cfile);
+ } else if (file) {
+ fclose(file);
+ }
  }
  return -1;
 }
-- 
cgit v1.2.3
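Review bot: The new `if (!dedup)` guard in the `fail:` path of the third hunk encodes an ownership rule that nothing in the code states: once bfs_ctx_dedup() has returned non-NULL, cfile is no longer expr_open's to close, and (per the commit title) closing it anyway was the use-after-free / double free. A why-comment above the guard would stop the next edit from "simplifying" it back, e.g. `/* After a successful bfs_ctx_dedup(), cfile belongs to ctx (or was already closed); closing it here again is a double free. */`. The ftruncate() failure named in the subject, and whatever happens to cfile when dedup != cfile, lie between the second and third hunks and are not visible here, so the exact ownership wording should be checked against that code; presumably ctx closes the registered stream at teardown, which is worth confirming so the dedup-succeeded failure path does not leak it. The rest of expr_open's body starts before the first hunk and runs between the hunks shown.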