Commit 327c906d for xz

commit 327c906dcd6a9e40a39bf922f69560bd62f0b1a2
Author: Lasse Collin <lasse.collin@tukaani.org>
Date:   Tue May 19 12:34:53 2026 +0300

    xz: Fix use-after-free in verbose error message to a non-tty

    If --verbose was used when stderr isn't a terminal, the filename
    contained a non-printable character, and an error occurred,
    a use-after-free occurred when printing the error message.

    The bug exists in versions 5.7.1alpha to 5.8.3.

    Reported-by: Omkhar Arasaratnam
    Fixes: d22f96921fd2 ("xz: Use tuklib_mbstr_nonprint")

diff --git a/src/xz/message.c b/src/xz/message.c
index 7657e856..dfd3da76 100644
--- a/src/xz/message.c
+++ b/src/xz/message.c
@@ -650,7 +650,14 @@ progress_flush(bool finished)
 				cols[4]);
 	} else {
 		// The filename is always printed.
-		fprintf(stderr, _("%s: "), tuklib_mask_nonprint(filename));
+		//
+		// NOTE: This function is called from vmessage() whose
+		// caller may have used tuklib_mask_nonprint(). Thus,
+		// we must use the _r variant here.
+		char *mem = NULL;
+		fprintf(stderr, _("%s: "),
+				tuklib_mask_nonprint_r(filename, &mem));
+		free(mem);

 		// Percentage is printed only if we didn't finish yet.
 		if (!finished) {