# HG changeset patch
# User ddmitriev
# Date 1449748247 -10800
# Node ID a5ade0cccbd4093af9d9b6e0fffd51ffb6d680f6
# Parent d7725e7f76b150e6a466e5cb1777cfec676db420
8144197: Possible use after free in Arguments::add_property function
Reviewed-by: dholmes, goetz
diff -r d7725e7f76b1 -r a5ade0cccbd4 hotspot/src/share/vm/runtime/arguments.cpp
--- a/hotspot/src/share/vm/runtime/arguments.cpp Wed Dec 09 21:24:57 2015 +0900
+++ b/hotspot/src/share/vm/runtime/arguments.cpp Thu Dec 10 14:50:47 2015 +0300
@@ -1308,18 +1308,20 @@
 PropertyList_unique_add(&_system_properties, key, value, true);
 } else {
 if (strcmp(key, "sun.java.command") == 0) {
- if (_java_command != NULL) {
- os::free(_java_command);
+ char *old_java_command = _java_command;
+ _java_command = os::strdup_check_oom(value, mtInternal);
+ if (old_java_command != NULL) {
+ os::free(old_java_command);
 }
- _java_command = os::strdup_check_oom(value, mtInternal);
 } else if (strcmp(key, "java.vendor.url.bug") == 0) {
- if (_java_vendor_url_bug != DEFAULT_VENDOR_URL_BUG) {
- assert(_java_vendor_url_bug != NULL, "_java_vendor_url_bug is NULL");
- os::free((void *)_java_vendor_url_bug);
- }
+ const char* old_java_vendor_url_bug = _java_vendor_url_bug;
 // save it in _java_vendor_url_bug, so JVM fatal error handler can access
 // its value without going through the property list or making a Java call.
 _java_vendor_url_bug = os::strdup_check_oom(value, mtInternal);
+ if (old_java_vendor_url_bug != DEFAULT_VENDOR_URL_BUG) {
+ assert(old_java_vendor_url_bug != NULL, "_java_vendor_url_bug is NULL");
+ os::free((void *)old_java_vendor_url_bug);
+ }
 }
 
 // Create new property and add at the end of the list
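Review bot: In the `sun.java.command` branch the new assign-then-free order is what prevents the use after free, yet nothing at that site records it, so a later tidy-up could move `os::free` back above the `os::strdup_check_oom` call. I would add above the assignment a comment such as `// Install the new copy before freeing the old one, so the field never points at freed memory if strdup_check_oom exits on OOM.`, and add the same one-line reason to the existing comment in the `java.vendor.url.bug` branch. The reordering presumably still leaves a window for a reader that loaded the old pointer just before the assignment, so it is worth confirming that this function only runs while no other thread can be reading these fields from the error handler. The enclosing function begins and ends outside this hunk.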