From debfebf3a7759884bae4209d2ee647d1d7489d97 Mon Sep 17 00:00:00 2001
From: Kevin Easton
Date: Thu, 16 Feb 2017 23:12:38 +1100
Subject: [PATCH] Fix a double-free bug when a window on an alternate screen queries an exec process
The 'free_it' variable was only initialised to zero at the start of the function, so when non-main screens were processed in the later iterations of the loop, it could keep a value of 1 from the previous iteration. We don't actually need a free_it variable at all - just use a NULL value of ptr_free to indicate that there is nothing to free (and passing a NULL to new_free() is a no-op). This also simplifies a test because ptr is always non-NULL (strip_ansi() never returns NULL).
---
 Changelog | 3 +++
 source/input.c | 24 +++++++++---------------
 2 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/Changelog b/Changelog
index bc930a9..64cd1e3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,5 +1,8 @@
 [Changes 1.2.2]
+* Fix a double-free bug when a window on an alternate screen queries an exec
+ process. (caf)
+
 * Use 127.0.0.1 for wserv socket, which fixes /WINDOW CREATE with IPv6. (caf)
 * Allow INVITE and WALLOP floods to trigger auto-ignore. (caf)
diff --git a/source/input.c b/source/input.c
index b00d7dc..fc64b15 100644
--- a/source/input.c
+++ b/source/input.c
@@ -166,10 +166,9 @@ extern void BX_cursor_to_input (void)
 */
 extern void BX_update_input (int update)
 {
- int old_zone;
- char *ptr, *ptr_free;
+ int old_zone;
+ char *ptr;
 int len,
- free_it = 0,
 echo = 1,
 max;
@@ -178,7 +177,6 @@ extern void BX_update_input (int update)
 Screen *ns;
 Window *saved_current_window = current_window;
-
 #ifdef WANT_HEBREW
 void BX_set_input_heb (char *str);
 char prehebbuff[2000];
@@ -230,32 +228,29 @@ extern void BX_update_input (int update)
 if (prompt && update != NO_UPDATE)
 {
- int args_used;
+ int args_used;
+ char *ptr_free = NULL;
 if (is_valid_process(get_target_by_refnum(0)) != -1)
 ptr = (char *)get_prompt_by_refnum(0);
 else
 {
 ptr = expand_alias(prompt, empty_string, &args_used, NULL);
- free_it = 1;
+ ptr_free = ptr;
 }
 if (last_input_screen->promptlist)
 term_echo(last_input_screen->promptlist->echo);
- ptr_free = ptr;
 ptr = strip_ansi(ptr);
 strcat(ptr, ALL_OFF_STR); /* Yes, we can do this */
- if (free_it)
- new_free(&ptr_free);
- free_it = 1;
+ new_free(&ptr_free);
- if ((ptr && !INPUT_LINE) || (!ptr && INPUT_LINE) ||
- strcmp(ptr, last_input_screen->input_buffer))
+ if (!INPUT_LINE || strcmp(ptr, last_input_screen->input_buffer))
 {
 if (last_input_screen->input_prompt_malloc)
 new_free(&INPUT_PROMPT);
- last_input_screen->input_prompt_malloc = free_it;
+ last_input_screen->input_prompt_malloc = 1;
 INPUT_PROMPT = ptr;
 len = strlen(INPUT_PROMPT);
@@ -264,8 +259,7 @@ extern void BX_update_input (int update)
 }
 else
 {
- if (free_it)
- new_free(&ptr);
+ new_free(&ptr);
 }
 }
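Review bot: The ownership invariant that the new code leans on is not written down anywhere in the code: after `ptr = strip_ansi(ptr);` the hunk unconditionally calls `new_free(&ptr_free)`, sets `input_prompt_malloc = 1`, and (apparently in the matching `else` of the following hunk) calls `new_free(&ptr)`, which is only sound if strip_ansi() always returns a fresh, non-NULL allocation distinct from its argument. If that ever stopped holding, `new_free(&ptr_free)` would leave `ptr` dangling before the `strcmp`, and on the get_prompt_by_refnum() path `new_free(&ptr)` would release a buffer this function does not own. I would replace the bare `/* Yes, we can do this */` with a comment that records the contract, e.g. `/* strip_ansi() returns a newly allocated, never-NULL copy (presumably with slack for ALL_OFF_STR - confirm); we own ptr from here */`. The unbounded `strcat` depends on that slack, and strip_ansi() is not visible in this patch, so the size assumption should be checked against its definition; the `if (prompt && ...)` block is also closed outside this hunk.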