Protect against an improper call to free in r_format_val.

2 files changed, 8 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 8c712c46..3f3541b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-06-27         Andrew J. Schorr     <aschorr@telemetry-investments.com>
+
+	* node.c (r_format_val): Do not free stptr unless STRCUR is set.
+	This is safer than testing for non-NULL stptr, since, for example,
+	pp_number copies a node and calls r_format_val, but does not bother
+	to set stptr to NULL beforehand.
+
 2016-06-26         Andrew J. Schorr     <aschorr@telemetry-investments.com>
 
 	* node.c (r_force_number): When checking for trailing spaces, protect
diff --git a/node.c b/node.c
index 58b54561..2c099bd6 100644
--- a/node.c
+++ b/node.c
@@ -272,7 +272,7 @@ r_format_val(const char *format, int index, NODE *s)
 			s->flags |= STRING;
 		}
 	}
-	if (s->stptr != NULL)
+	if ((s->flags & STRCUR) != 0)
 		efree(s->stptr);
 	emalloc(s->stptr, char *, s->stlen + 1, "format_val");
 	memcpy(s->stptr, sp, s->stlen + 1);