cplus_replace_std_multiset() UAF

[XVilka]

static char *cplus_replace_std_multiset(char *input) {
225        char *p = strstr(input, "std::multiset<");
   	1. Condition !p, taking false branch.
226        if (!p) {
227                return input;
228        }
229        p += strlen("std::multiset<");
230        size_t length = cplus_find_type_length(p);
   	2. Condition length < 1, taking false branch.
231        if (length < 1) {
232                return input;
233        }
234        char *ktype = dem_str_ndup(p, length);
235        char *replace = dem_str_newf("std::multiset<%s>", ktype);
236        char *search = dem_str_newf("std::multiset<%s, std::less<%s>, std::allocator<%s> >", ktype, ktype, ktype);
   	3. freed_arg: dem_str_replace frees input. [[show details](https://scan3.scan.coverity.com/eventId=13166125-4&modelId=13166125-0&fileInstanceId=100856536&filePath=%2Fsubprojects%2Flibdemangle%2Fsrc%2Fdemangler_util.c&fileStart=33&fileEnd=77)]
237        char *output = dem_str_replace(input, search, replace, 1);
238        free(search);
239        // sometimes std::allocator has an extra space
240        search = dem_str_newf("std::multiset<%s, std::less<%s>, std::allocator<%s > >", ktype, ktype, ktype);
241        output = dem_str_replace(output, search, replace, 1);
242        free(search);
243        search = dem_str_newf("std::multiset<%s, std::greater<%s>, std::allocator<%s> >", ktype, ktype, ktype);
   	
CID 416049 (#1-6 of 6): Use after free (USE_AFTER_FREE)
4. pass_freed_arg: Passing freed pointer input as an argument to dem_str_replace.
244        output = dem_str_replace(input, search, replace, 1);
245        free(search);
246        // sometimes std::allocator has an extra space
247        search = dem_str_newf("std::multiset<%s, std::greater<%s>, std::allocator<%s > >", ktype, ktype, ktype);
248        output = dem_str_replace(output, search, replace, 1);
249        free(search);
250        free(replace);
251        free(ktype);
252        return output;
253}