From c1a6198802a4692dca6c84dbf1847fed8911e136 Mon Sep 17 00:00:00 2001
From: Arne Goedeke <el@laramies.com>
Date: Tue, 8 Mar 2016 17:36:59 +0100
Subject: [PATCH] ADT.CritBit: use after free in iterator

The tree iterator keeps the tree root node but did not update it
when the tree was modified during iteration. This could lead to
access in freed memory.
---
 src/post_modules/CritBit/iterator_source.H | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/post_modules/CritBit/iterator_source.H b/src/post_modules/CritBit/iterator_source.H
index 7a815b9fe1..46825e23a3 100644
--- a/src/post_modules/CritBit/iterator_source.H
+++ b/src/post_modules/CritBit/iterator_source.H
@@ -66,7 +66,10 @@
 	    if (THIS->lastrev == *THIS->revv) {
 		t = THIS->lastnode;
 	    } else {
+                struct object * tree = TREE_CLASSIFY(_get_iterator_find_parent)();
+
 		THIS->lastrev = * THIS->revv;
+                THIS->tree = cmod_OBJ2_TREE(tree)->tree.root;
 
 		if (THIS->tree) {
 		    t = cb_index(THIS->tree, THIS->lastkey);
-- 
GitLab