Fix `use after free in File#initilialize_copy`; fix #4001

The bug and the fix were reported by https://hackerone.com/pnoltof
author: Yukihiro "Matz" Matsumoto <[email protected]> 2018-04-17 09:57:41 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2018-04-17 09:57:41 +0900
commit: b51b21fc63c9805862322551387d9036f2b63433 (patch)
tree: ef9e3ab162da6154225eb9e97428f5eb049fcc69
parent: fabc460880fbabd18369a7ef8715538c83ebffc9 (diff)
download: mruby-b51b21fc63c9805862322551387d9036f2b63433.tar.gz
mruby-b51b21fc63c9805862322551387d9036f2b63433.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/mrbgems/mruby-io/src/io.c b/mrbgems/mruby-io/src/io.c
index 58bcdd1ee..6ace9e167 100644
--- a/mrbgems/mruby-io/src/io.c
+++ b/mrbgems/mruby-io/src/io.c
@@ -561,13 +561,13 @@ mrb_io_initialize_copy(mrb_state *mrb, mrb_value copy)
   mrb_bool failed = TRUE;
 
   mrb_get_args(mrb, "o", &orig);
+  fptr_orig = io_get_open_fptr(mrb, orig);
   fptr_copy = (struct mrb_io *)DATA_PTR(copy);
   if (fptr_copy != NULL) {
     fptr_finalize(mrb, fptr_copy, FALSE);
     mrb_free(mrb, fptr_copy);
   }
   fptr_copy = (struct mrb_io *)mrb_io_alloc(mrb);
-  fptr_orig = io_get_open_fptr(mrb, orig);
 
   DATA_TYPE(copy) = &mrb_io_type;
   DATA_PTR(copy) = fptr_copy;
author	Yukihiro "Matz" Matsumoto <[email protected]>	2018-04-17 09:57:41 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2018-04-17 09:57:41 +0900
commit	b51b21fc63c9805862322551387d9036f2b63433 (patch)
tree	ef9e3ab162da6154225eb9e97428f5eb049fcc69
parent	fabc460880fbabd18369a7ef8715538c83ebffc9 (diff)
download	mruby-b51b21fc63c9805862322551387d9036f2b63433.tar.gz mruby-b51b21fc63c9805862322551387d9036f2b63433.zip