On 06/26/2012 06:01 AM, Xu Zhongxing wrote:
> In Coreutils 8.17, csplit.c, static bool load_buffer (void)
> On line 503 and 511, b is passed to free_buffer() twice. This could lead to a use-after-free bug in free_buffer(): struct line *n = l->next;, where buf->line_start is freed in the first call of free_buffer().
> - Xu Zhongxing