From 35d97a24f019a757cb8c6c262db787fc436dab6a Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Thu, 20 Feb 2020 09:27:06 +0100
Subject: [PATCH] Expr: add missing reference in AssignExpr::InitVal()
The one reference returned by `op2->InitVal()` is given to `aggr_r->Assign()` and returned to the caller, which may result in a use-after-free crash bug. This patch adds the missing reference. Closes https://github.com/zeek/zeek/issues/805
---
 src/Expr.cc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Expr.cc b/src/Expr.cc
index 6170c1e495..5df2aa1413 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -2459,6 +2459,7 @@ Val* AssignExpr::InitVal(const BroType* t, Val* aggr) const
 if ( ! v )
 return 0;
+ ::Ref(v);
 aggr_r->Assign(field, v);
 return v;
 }
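Review bot: The added `::Ref(v);` has no comment recording which reference goes where, so the ownership split that prevents the use-after-free is visible only in the commit message and could be removed again by a later cleanup. I would put `// Assign() consumes one reference; the caller owns the one we return.` directly above it. The body of `AssignExpr::InitVal()` starts outside this hunk, so the other return paths are not visible here; any of them that both stores a value into the aggregate and returns the same pointer should be checked for the same missing reference. The diffstat lists only `src/Expr.cc`, so a regression test built from the script in the linked issue, run under a sanitizer build, would help keep this lifetime bug from coming back.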