packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pull: Fix use-after-free 

The strchr() was pointing into a string we were freeing.
This commit is contained in:
Anne LoVerso 2014-08-21 13:45:55 -04:00 committed by Colin Walters
parent 3742c32945
commit 6dfe99a283
1 changed files with 6 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/libostree/ostree-repo-pull.c
View File

@ -441,22 +441,21 @@ scan_dirtree_object (OtPullData *pull_data,
{ {
const char *subpath = NULL; const char *subpath = NULL;
const char *nextslash = NULL; const char *nextslash = NULL;
gs_free char *dir_data = NULL;
g_assert (pull_data->dir[0] == '/'); // assert it starts with / like "/usr/share/rpm" g_assert (pull_data->dir[0] == '/'); // assert it starts with / like "/usr/share/rpm"
subpath = pull_data->dir + 1; // refers to name minus / like "usr/share/rpm" subpath = pull_data->dir + 1; // refers to name minus / like "usr/share/rpm"
nextslash = strchr (subpath, '/'); //refers to start of next slash like "/share/rpm" nextslash = strchr (subpath, '/'); //refers to start of next slash like "/share/rpm"
dir_data = pull_data->dir; // keep the original pointer around since strchr() points into it
pull_data->dir = NULL;
if (nextslash) if (nextslash)
{ {
subdir_target = g_strndup (subpath, nextslash - subpath); // refers to first dir, like "usr" subdir_target = g_strndup (subpath, nextslash - subpath); // refers to first dir, like "usr"
g_free (pull_data->dir);
pull_data->dir = g_strdup (nextslash); // sets dir to new deeper level like "/share/rpm" pull_data->dir = g_strdup (nextslash); // sets dir to new deeper level like "/share/rpm"
} }
else // we're as deep as it goes, i.e. subpath = "rpm" else // we're as deep as it goes, i.e. subpath = "rpm"
{
subdir_target = g_strdup (subpath); subdir_target = g_strdup (subpath);
g_clear_pointer (&pull_data->dir, g_free);
pull_data->dir = NULL;
}
} }
n = g_variant_n_children (dirs_variant); n = g_variant_n_children (dirs_variant);