Hi Magnus,

On Sat, Jan 24, 2026 at 11:13:25AM -0800, Nopey Nope wrote:
> Hello!
>
> Find attached two patches, which each fix a use-after-free bug.
>
> I've also attached a crashing HTML document for each, but please be aware that these reproducer documents link URLs from external web servers. The reproducers crash reliably on my x86_64 Void Linux laptop, but I've not tested them elsewhere. I've also attached a crash log with ASan reporting of each.
>
> Thank you
> -Magnus L
>
> p.s. I've also opened GitHub PR 449 with these same changes, but figured I should send the patches via email as well-- if only for practice :)

Thanks a lot for the patches and reproducers! I saw the PR but I only had time to look at the "Fix use-after-free in openssl cert popup" commit which seems good.

We are moving away from GitHub so it would be nice to send future patches here (or a link to a git repo/branch to fetch with git).

It would help to describe what is the condition that triggers the UAF in the Http_server patch and why the change helps, so that it is easier to review. Perhaps it would be a good idea to put that information in the commit summary of both patches so we can see it via git blame.

Best,
Rodrigo.