From 063c59b1142655a70fc49fd4f0c464dd24d44506 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Trung=20L=C3=AA?= <8@tle.id.au>
Date: Mon, 1 Jun 2026 11:21:15 +1000
Subject: [PATCH] Fix #4: use-after-free of embeddedAddr in rs4_embed_cmsk()

embeddedAddr was derived from *io_rs4 before realloc() may relocate the buffer, then dereferenced by memmove()/memcpy() afterwards. GCC reports this as -Werror=use-after-free (e.g. Fedora 39 / Ubuntu 26.04), failing the build, and it is a genuine latent bug regardless of the warning.

Move the embeddedAddr computation to after the realloc() so it is derived from the (possibly new) *io_rs4 pointer.
---
 import/chips/p9/utils/imageProcs/p9_scan_compression.C | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/import/chips/p9/utils/imageProcs/p9_scan_compression.C b/import/chips/p9/utils/imageProcs/p9_scan_compression.C
index 8cff9edf9..290b06641 100644
--- a/import/chips/p9/utils/imageProcs/p9_scan_compression.C
+++ b/import/chips/p9/utils/imageProcs/p9_scan_compression.C
@@ -919,7 +919,6 @@ int
 rs4_embed_cmsk( CompressedScanData** io_rs4,
 CompressedScanData* i_rs4Cmsk )
 {
- char* embeddedAddr = (char*)(*io_rs4 + 1);
 size_t embeddedSize = be16toh(i_rs4Cmsk->iv_size);
 size_t totalSize = be16toh((*io_rs4)->iv_size) + embeddedSize;
@@ -931,6 +930,10 @@ rs4_embed_cmsk( CompressedScanData** io_rs4,
 return BUG(SCAN_COMPRESSION_NO_MEMORY);
 }
+ // realloc() above may move the buffer, so derive the embedded address from
+ // the (possibly new) *io_rs4 pointer rather than from the pre-realloc one.
+ char* embeddedAddr = (char*)(*io_rs4 + 1);
+
 // Make space for cmsk ring
 memmove(embeddedAddr + embeddedSize, embeddedAddr,