Fix a double free. (#3918)

If the operand is rw, av gets assigned to op->src[i] and op->dst. Later when op is freed, op->src[i] and op->dst are freed both and so we run into the double free.
rizinorg · Oct 16, 2023 · 51c8be0 · 51c8be0
1 parent 7c4ceb3
commit 51c8be0
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/librz/analysis/p/analysis_tricore_cs.c b/librz/analysis/p/analysis_tricore_cs.c
@@ -1018,6 +1018,9 @@ static void rz_analysis_tricore_fillval(RzAnalysis *a, RzAnalysisOp *op, csh han
 			if (op->dst) {
 				rz_warn_if_reached();
 			}
+			if (av == op->src[srci - 1]) {
+				av = rz_mem_dup(av, sizeof(RzAnalysisValue));
+			}
 			op->dst = av;
 		}
 	}