Signed-off-by: Paul Gofman pgofman@codeweavers.com --- new_statement_list() uses parser_alloc_tmp(), so the memory for the statement list may be freed in script_parse(), which makes compile_function() use freed memory.
dlls/jscript/parser.y | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/dlls/jscript/parser.y b/dlls/jscript/parser.y
index 9fc7ea61dc3..4bad7e326db 100644
--- a/dlls/jscript/parser.y
+++ b/dlls/jscript/parser.y
@@ -249,7 +249,17 @@ static expression_t *new_prop_and_value_expression(parser_ctx_t*,property_list_t
/* ECMA-262 10th Edition 15.1 */
Script
- : ScriptBody HtmlComment { ctx->source = $1; }
+ : ScriptBody HtmlComment {
+ if ($1)
+ {
+ ctx->source = parser_alloc(ctx, sizeof(*ctx->source));
+ *ctx->source = *$1;
+ }
+ else
+ {
+ ctx->source = NULL;
+ }
+ }
/* ECMA-262 10th Edition 15.1 */
ScriptBody
@@ -1440,7 +1450,15 @@ static expression_t *new_function_expression(parser_ctx_t *ctx, const WCHAR *ide
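Review bot: The copy `*ctx->source = *$1;` moves only the list header out of the temporary heap; the statement nodes it points to through the header are not copied, so if anything reachable from that header is also allocated with parser_alloc_tmp() the dangling reference survives — worth confirming that new_statement_list() is the only tmp-heap allocation on this path, since the description names only that function. The same if/else block is repeated verbatim in new_function_expression (hunk at line 1450) and both sites dereference parser_alloc() without checking for NULL; if parser_alloc() can fail, a single helper used at both sites keeps the two copies in step and gives one place for that check. Sketch of the helper and the two call sites, assuming ctx->source has the same statement_list_t type as ret->statement_list:
```c
/* Copy a statement list header out of the temporary heap so it outlives script_parse(). */
static statement_list_t *copy_statement_list(parser_ctx_t *ctx, statement_list_t *list)
{
    statement_list_t *ret;

    if(!list)
        return NULL;
    ret = parser_alloc(ctx, sizeof(*ret));
    *ret = *list;
    return ret;
}

/* … unchanged: grammar up to the Script rule … */
Script
        : ScriptBody HtmlComment { ctx->source = copy_statement_list(ctx, $1); }

/* … unchanged: new_function_expression() up to the parameter_list assignment … */
    ret->statement_list = copy_statement_list(ctx, statement_list);
```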
ret->identifier = identifier;
ret->parameter_list = parameter_list ? parameter_list->head : NULL;
- ret->statement_list = statement_list;
+ if (statement_list)
+ {
+ ret->statement_list = parser_alloc(ctx, sizeof(*ret->statement_list));
+ *ret->statement_list = *statement_list;
+ }
+ else
+ {
+ ret->statement_list = NULL;
+ }
ret->event_target = event_target;
ret->src_str = src_str;
ret->src_len = src_len;
@@ -1657,7 +1675,6 @@ HRESULT script_parse(script_ctx_t *ctx, struct _compiler_ctx_t *compiler, byteco
jsstr_release(line_str);
return DISP_E_EXCEPTION;
}
- *ret = parser_ctx;
return S_OK;
}
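Review bot: The removal of `*ret = parser_ctx;` in script_parse has no replacement anywhere in this diff — the diffstat's 20 insertions are fully accounted for by the two copy blocks — so unless script_parse already stores parser_ctx into `*ret` earlier in the function (outside this hunk), the out-parameter is left unset on the S_OK path and the caller reads an uninitialised pointer. The commit description does not mention this hunk at all; if the assignment really is redundant, one sentence saying where `*ret` is now set would let a reader verify that. The body of script_parse begins well before this hunk.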