From 9e8519b7a2c765b427f85f0aaa456256785eceb7 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Thu, 5 Apr 2018 23:26:06 +0200
Subject: [PATCH] fix use-after-free in BufMap.set()

closes #879
---
 std/buf_map.zig | 30 ++++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/std/buf_map.zig b/std/buf_map.zig
index a58df4b2db..7e2ea99f1a 100644
--- a/std/buf_map.zig
+++ b/std/buf_map.zig
@@ -31,8 +31,8 @@ pub const BufMap = struct {
         if (self.hash_map.get(key)) |entry| {
             const value_copy = try self.copy(value);
             errdefer self.free(value_copy);
-            _ = try self.hash_map.put(key, value_copy);
-            self.free(entry.value);
+            const old_value = ??(try self.hash_map.put(key, value_copy));
+            self.free(old_value);
         } else {
             const key_copy = try self.copy(key);
             errdefer self.free(key_copy);
@@ -71,3 +71,29 @@ pub const BufMap = struct {
         return result;
     }
 };
+
+const assert = @import("debug/index.zig").assert;
+const heap = @import("heap.zig");
+
+test "BufMap" {
+    var direct_allocator = heap.DirectAllocator.init();
+    defer direct_allocator.deinit();
+
+    var bufmap = BufMap.init(&direct_allocator.allocator);
+    defer bufmap.deinit();
+
+    try bufmap.set("x", "1");
+    assert(mem.eql(u8, ??bufmap.get("x"), "1"));
+    assert(1 == bufmap.count());
+
+    try bufmap.set("x", "2");
+    assert(mem.eql(u8, ??bufmap.get("x"), "2"));
+    assert(1 == bufmap.count());
+
+    try bufmap.set("x", "3");
+    assert(mem.eql(u8, ??bufmap.get("x"), "3"));
+    assert(1 == bufmap.count());
+
+    bufmap.delete("x");
+    assert(0 == bufmap.count());
+}