From f5955f1e62736f2f92b05a1ed7931d378f7b2ae6 Mon Sep 17 00:00:00 2001
From: lemon
Date: Fri, 9 Jan 2026 19:33:36 +0100
Subject: c: fix use after free

A silly one, declsbuf.p can be realloc'd in the call to putdecl, but in this statement that pointer could be fetched before the call.
---
 c/c.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/c/c.c b/c/c.c
index 3b7264e..4b421d5 100644
--- a/c/c.c
+++ b/c/c.c
@@ -4503,7 +4503,8 @@ tldecl(struct comp *cm)
 error(&st.pspans[i], "parameter has incomplete type '%ty'", td->param[i]);
 }
 decl.isdef = 1;
- struct decl *d = &declsbuf.p[putdecl(cm, &decl)];
+ int idecl = putdecl(cm, &decl);
+ struct decl *d = &declsbuf.p[idecl];
 struct function fn = { &cm->fnarena, .name = decl.name, .globl = d->scls != SCSTATIC, .fnty = decl.ty, .retty = td->ret };
 irinit(&fn);
 function(cm, &fn, st.pnames, st.pspans, st.pqual);
-- 
cgit v1.2.3
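Review bot: The two added lines make the fix depend purely on statement order, and nothing in the code records why, so a later tidy-up could fold `idecl` back into the subscript and reintroduce the same dangling read; a one-line comment above them such as `/* putdecl() may realloc declsbuf.p: take the index before forming the pointer */` would pin the invariant. `d` is still a pointer into the growable `declsbuf.p`, so it is only valid until the next call that can append a declaration; in the hunk it is consumed by the `.globl` initializer before `function()` runs, which is fine, but if `function()` can itself reach `putdecl` (plausible for nested declarations, not visible here) then `d` must not be used after that call, and narrowing it to `int globl = declsbuf.p[idecl].scls != SCSTATIC;` would remove the temptation. The body of tldecl begins and ends outside the hunk.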