From ce4290f48a18730c1de63600374003ec00a9102f Mon Sep 17 00:00:00 2001
From: Martin Stjernholm <mast@lysator.liu.se>
Date: Sat, 24 May 2008 14:28:58 +0200
Subject: [PATCH] Fixed a dereference of freed memory when popping catch contexts during throw.

Rev: src/error.c:1.155
---
 src/error.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/src/error.c b/src/error.c
index 99a085d765..abf39b52fe 100644
--- a/src/error.c
+++ b/src/error.c
@@ -2,7 +2,7 @@
 || This file is part of Pike. For copyright information see COPYRIGHT.
 || Pike is distributed under GPL, LGPL and MPL. See the file COPYING
 || for more information.
-|| $Id: error.c,v 1.154 2008/04/12 14:04:09 grubba Exp $
+|| $Id: error.c,v 1.155 2008/05/24 12:28:58 mast Exp $
 */
 
 #define NO_PIKE_SHORTHAND
@@ -129,14 +129,17 @@ PMOD_EXPORT DECLSPEC(noreturn) void pike_throw(void) ATTRIBUTE((noreturn))
       Pike_interpreter.recoveries->onerror=Pike_interpreter.recoveries->onerror->previous;
     }
 
-    if (Pike_interpreter.catch_ctx &&
-        &Pike_interpreter.catch_ctx->recovery == Pike_interpreter.recoveries) {
-      struct catch_context *cc = Pike_interpreter.catch_ctx;
-      Pike_interpreter.catch_ctx = cc->prev;
-      really_free_catch_context (cc);
+    {
+      JMP_BUF *prev_rec = Pike_interpreter.recoveries->previous;
+      if (Pike_interpreter.catch_ctx &&
+          (&Pike_interpreter.catch_ctx->recovery ==
+           Pike_interpreter.recoveries)) {
+        struct catch_context *cc = Pike_interpreter.catch_ctx;
+        Pike_interpreter.catch_ctx = cc->prev;
+        really_free_catch_context (cc);
+      }
+      Pike_interpreter.recoveries = prev_rec;
     }
-
-    Pike_interpreter.recoveries=Pike_interpreter.recoveries->previous;
   }
 
   if(!Pike_interpreter.recoveries)
-- 
GitLab
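Review bot: The statement order in the new block is load-bearing but nothing in the code says so: `prev_rec` has to be read before `really_free_catch_context (cc)` because `Pike_interpreter.recoveries` can be `&cc->recovery`, i.e. storage that call releases, and a later cleanup that folds the assignment back into `Pike_interpreter.recoveries = Pike_interpreter.recoveries->previous;` at the bottom would silently reintroduce the use-after-free this commit removes. Suggest a comment above the `JMP_BUF *prev_rec` line, e.g. `/* Read ->previous before the catch context is freed: recoveries may point into cc->recovery. */`. It would also help to state in that comment that the extra `{ }` block exists only to scope `prev_rec`, since the enclosing `if`/loop and pike_throw itself begin outside the hunk and a reader sees the block without its context.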