From daeb0bb257f6e80d69e74ccffc2aa412d03bf16d Mon Sep 17 00:00:00 2001 From: Timo Kreuzer Date: Mon, 19 Jan 2026 19:21:10 +0200 Subject: [PATCH] [FTP] Fix invalid call to free() While our glob is a dummy anyway and always returns NULL, the basic idea is that glob returns a NULL terminated array of pointers. The original code only calls blkfree to free any allocation in the array after the first one and doesn't free the array itself. Our code tried to be "smart" and free the array as well, but the array pointer was already changed by a "globbed++", resulting in trying to free an invalid address. Also the free was only called, when glob returned more than one result. This is now fixed by removing the "++", doing the blkfree on "&globbed[1]" and calling free on the originally returned array in all cases. Fixes GCC 13 warning: C:/ReactOS/reactos/base/applications/network/ftp/cmds.c: In function 'globulize': C:/ReactOS/reactos/base/applications/network/ftp/cmds.c:1684:25: error: 'free' called on pointer 'globbed' with nonzero offset 4 [-Werror=free-nonheap-object] 1684 | free((char *)globbed); | ^~~~~~~~~~~~~~~~~~~~~ C:/ReactOS/reactos/base/applications/network/ftp/cmds.c:1669:19: note: returned from 'glob' 1669 | globbed = glob(*cpp); | ^~~~~~~~~~ In our port glob is a dummy that always returns NULL, and the original code does not have a free here, either. --- base/applications/network/ftp/cmds.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/base/applications/network/ftp/cmds.c b/base/applications/network/ftp/cmds.c index d77982da6c0..6ee1a4b9e34 100644 --- a/base/applications/network/ftp/cmds.c +++ b/base/applications/network/ftp/cmds.c @@ -1677,12 +1677,12 @@ int globulize(const char **cpp) return (0); } if (globbed) { - *cpp = *globbed++; + *cpp = *globbed; /* don't waste too much memory */ - if (*globbed) { - blkfree(globbed); - free((char *)globbed); + if (globbed[1]) { + blkfree(&globbed[1]); } + free(globbed); } return (1); }
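Review bot: `globbed[1]` in the new `if (globbed[1])` is read without first checking that `globbed[0]` is non-NULL. If glob ever returns a non-NULL array that holds only the NULL terminator, this reads one element past the end of the array, and `*cpp` is set to NULL while the function still returns 1. The removed `*globbed++` followed by `if (*globbed)` performed the same read, so this is not a regression, but since these lines are being rewritten I would guard it, for example `if (globbed[0] && globbed[1])`, or return 0 when `globbed[0]` is NULL. It is also worth a short comment next to `blkfree(&globbed[1]);` saying that `globbed[0]` is deliberately skipped because `*cpp` now points at it and the caller owns that string; the existing "don't waste too much memory" comment does not say so, and the next person to touch this could easily "fix" it into a use-after-free by freeing from index 0.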