From 8a5b6d268d57ff131ff8a5c600389dca85e02f5d Mon Sep 17 00:00:00 2001
From: Chris Kader
Date: Sat, 6 Jun 2026 02:54:45 -0500
Subject: [PATCH] Fix use-after-free of enum type id in set_int_display_type

`set_int_display_type` converted the optional enumeration type id to an owned C string, then moved it into a closure to take its pointer. The C string was dropped at the end of that closure, before `BNSetIntegerConstantDisplayType` ran, so the FFI call read freed memory and stored a garbage type id for the enumeration display. As a result an integer operand set to EnumerationDisplayType never resolved to its enumeration and rendered as a raw constant. Borrow the owned C string instead so it outlives the call.

---
 rust/src/function.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rust/src/function.rs b/rust/src/function.rs
index f9b635241..71c7972da 100644
--- a/rust/src/function.rs
+++ b/rust/src/function.rs
@@ -1945,7 +1945,11 @@ impl Function {
 ) {
 let arch = arch.unwrap_or_else(|| self.arch());
 let enum_display_typeid = enum_display_typeid.map(IntoCStr::to_cstr);
+ // Borrow the owned C string rather than moving it into `map`, otherwise it is dropped // before the FFI call below and `BNSetIntegerConstantDisplayType` reads freed memory, // storing a garbage type id for the enumeration.
 let enum_display_typeid_ptr = enum_display_typeid
+ .as_ref()
 .map(|x| x.as_ptr())
 .unwrap_or(std::ptr::null());
 unsafe {
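Review bot: The `unsafe {` block this hunk ends on should carry a `// SAFETY:` comment stating the lifetime invariant the fix depends on, because the borrow checker does not track the raw `enum_display_typeid_ptr` and a later move, shadowing or early drop of `enum_display_typeid` before the call would silently reintroduce the use-after-free the commit fixes. I would add, directly above `unsafe {`: `// SAFETY: enum_display_typeid is an owned C string (or None) that stays alive in this frame until after the call, so enum_display_typeid_ptr is valid for the whole FFI call; null is passed when no type id was given, which the pre-existing unwrap_or(std::ptr::null()) suggests the C side accepts (confirm).` If `IntoCStr::to_cstr` yields a `CString`, the pointer could also be taken right in the argument list as `enum_display_typeid.as_deref().map_or(std::ptr::null(), CStr::as_ptr)`, which keeps the raw pointer's creation adjacent to its only use instead of in a separate binding. The `dangling_pointers_from_temporaries` lint is unlikely to flag the closure-move form that was here, since the closure parameter is a binding rather than a temporary, so the comment is the only guard against a repeat. `set_int_display_type` begins before the hunk and the `unsafe` body continues past it.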