authorJeff King <peff@peff.net>2015-06-26 05:03:31 -0400
committerJunio C Hamano <gitster@pobox.com>2015-06-26 09:23:08 -0700
commit38ae8784074852c8e7b651f4f6e44e07466da7e1 (patch)
tree44ca3f69a322f6019126661e2f3714f10efec71a
parent0179ca7a626e0a6c7bf5eaccf88dead307306dee (diff)
read_gitfile_gently: fix use-after-free
The "dir" variable is a pointer into the "buf" array. When we hit the cleanup_return path, the first thing we do is free(buf); but one of the error messages prints "dir", which will access the memory after the free. We can fix this by reorganizing the error path a little. We act on the fatal, error-printing conditions first, as they want to access memory and do not care about freeing. Then we free any memory, and finally return. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--setup.c14
1 files changed, 5 insertions, 9 deletions
diff --git a/setup.c b/setup.c
index a03ca94234..97bb5e3b93 100644
--- a/setup.c
+++ b/setup.c
@@ -479,19 +479,14 @@ const char *read_gitfile_gently(const char *path, int *return_error_code)
path = real_path(dir);
cleanup_return:
- free(buf);
-
if (return_error_code)
*return_error_code = error_code;
-
- if (error_code) {
- if (return_error_code)
- return NULL;
-
+ else if (error_code) {
switch (error_code) {
case READ_GITFILE_ERR_STAT_FAILED:
case READ_GITFILE_ERR_NOT_A_FILE:
- return NULL;
+ /* non-fatal; follow return path */
+ break;
case READ_GITFILE_ERR_OPEN_FAILED:
die_errno("Error opening '%s'", path);
case READ_GITFILE_ERR_TOO_LARGE:
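Review bot: Nothing at `cleanup_return:` records the ordering this fix depends on, namely that every message which reads `dir` must run before `buf` is freed. I would add a comment above the `if (return_error_code)` line, such as `/* error messages below may read "dir", which points into buf; free buf only after them */`. Without it, a later case that returns directly from the switch would leak `buf`, and moving the free back up would reintroduce the use-after-free. The switch continues past the end of this hunk, so the remaining cases are not visible here and should be checked to either die or `break`.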
@@ -509,7 +504,8 @@ cleanup_return:
}
}
- return path;
+ free(buf);
+ return error_code ? NULL : path;
}
static const char *setup_explicit_git_dir(const char *gitdirenv,
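Review bot: The new `return error_code ? NULL : path;` hands `path` back after `free(buf)`, so it is safe only if `real_path(dir)` returns storage that does not alias `buf`. The commit message says `dir` points into `buf`, but the hunk does not show what real_path() returns; presumably it is a separate buffer, which should be confirmed. A one-line comment above `free(buf);` would make the assumption explicit, for example `/* path comes from real_path(), not from buf, so it survives the free */`. The body of read_gitfile_gently starts outside this hunk.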