From 90680e1b29019c5b1b1210b4692877e2f3af1054 Mon Sep 17 00:00:00 2001 From: Philip Withnall Date: Mon, 23 Oct 2017 16:32:49 +0100 Subject: [PATCH] lib/repo-finder-avahi: Fix memory corruption of a GVariantIter A GVariantIter* was being passed to a GVariant format string varargs, rather than a GVariantIter**. This resulted in memory corruption. So we can continue to reuse ref_map throughout the function, make it a GVariantIter* rather than a stack-allocated GVariantIter. Signed-off-by: Philip Withnall Closes: #1301 Approved by: cgwalters
--- src/libostree/ostree-repo-finder-avahi.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/libostree/ostree-repo-finder-avahi.c b/src/libostree/ostree-repo-finder-avahi.c
index 0c88ad60..a2574712 100644
--- a/src/libostree/ostree-repo-finder-avahi.c
+++ b/src/libostree/ostree-repo-finder-avahi.c
@@ -466,7 +466,7 @@ fill_refs_and_checksums_from_summary (GVariant *summary,
 {
 g_autoptr(GVariant) ref_map_v = NULL;
 g_autoptr(GVariant) additional_metadata_v = NULL;
- GVariantIter ref_map;
+ g_autoptr(GVariantIter) ref_map = NULL;
 g_auto(GVariantDict) additional_metadata = OT_VARIANT_BUILDER_INITIALIZER;
 const gchar *collection_id;
 g_autoptr(GVariantIter) collection_map = NULL;
@@ -474,7 +474,7 @@ fill_refs_and_checksums_from_summary (GVariant *summary,
 ref_map_v = g_variant_get_child_value (summary, 0);
 additional_metadata_v = g_variant_get_child_value (summary, 1);
- g_variant_iter_init (&ref_map, ref_map_v);
+ ref_map = g_variant_iter_new (ref_map_v);
 g_variant_dict_init (&additional_metadata, additional_metadata_v);
 /* If the summary file specifies a collection ID (to apply to all the refs in its
@@ -485,10 +485,12 @@ fill_refs_and_checksums_from_summary (GVariant *summary,
 {
 if (!ostree_validate_collection_id (collection_id, error))
 return FALSE;
- if (!fill_refs_and_checksums_from_summary_map (&ref_map, collection_id, refs_and_checksums, error))
+ if (!fill_refs_and_checksums_from_summary_map (ref_map, collection_id, refs_and_checksums, error))
 return FALSE;
 }
+ g_clear_pointer (&ref_map, (GDestroyNotify) g_variant_iter_free);
+
 /* Repeat for the other collections listed in the summary. */
 if (g_variant_dict_lookup (&additional_metadata, OSTREE_SUMMARY_COLLECTION_MAP, "a{sa(s(taya{sv}))}", &collection_map))
 {
@@ -496,7 +498,7 @@ fill_refs_and_checksums_from_summary (GVariant *summary,
 {
 if (!ostree_validate_collection_id (collection_id, error))
 return FALSE;
- if (!fill_refs_and_checksums_from_summary_map (&ref_map, collection_id, refs_and_checksums, error))
+ if (!fill_refs_and_checksums_from_summary_map (ref_map, collection_id, refs_and_checksums, error))
 return FALSE;
 }
 }
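Review bot: The added `g_clear_pointer (&ref_map, (GDestroyNotify) g_variant_iter_free);` carries no comment saying why the iterator is released mid-function instead of being left to `g_autoptr`. Going by the commit message, the loop further down hands `&ref_map` to a GVariant format-string call that stores a new iterator there; that call is outside this hunk, and if it does not free what the pointer already holds on its first pass, removing this line in a later cleanup would leak the top-level iterator with no visible failure. I would put a comment above it such as `/* Free the top-level iterator now; the collection-map loop below stores a new one in ref_map on each pass. */`.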
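Review bot: The `ref_map` passed to `fill_refs_and_checksums_from_summary_map` in this loop body is the pointer that was cleared to NULL just before the loop, so the call is only valid if the loop condition, which is outside the hunk and textually unchanged by the patch, has stored an iterator through `&ref_map` first. That unchanged line is presumably where the old `GVariantIter*` versus `GVariantIter**` mismatch lived, and the diffstat shows only this one file changed, so no test in this commit would catch a regression on the collection-map path. Since the summary appears to come from peers discovered over Avahi, I would add a unit test that feeds a summary with a non-empty `OSTREE_SUMMARY_COLLECTION_MAP` entry through this function and run it under AddressSanitizer or valgrind in CI. The early `return FALSE` here now leaves freeing of the per-iteration iterator to `g_autoptr`, which looks correct.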