author | Jeff King <peff@peff.net> | 2015-06-26 05:03:31 -0400 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2015-06-26 09:23:08 -0700 |
commit | 38ae8784074852c8e7b651f4f6e44e07466da7e1 (patch) | |
tree | 44ca3f69a322f6019126661e2f3714f10efec71a | |
parent | 0179ca7a626e0a6c7bf5eaccf88dead307306dee (diff) | |
read_gitfile_gently: fix use-after-free
The "dir" variable is a pointer into the "buf" array. When
we hit the cleanup_return path, the first thing we do is
free(buf); but one of the error messages prints "dir", which
will access the memory after the free.
We can fix this by reorganizing the error path a little. We
act on the fatal, error-printing conditions first, as they
want to access memory and do not care about freeing. Then we
free any memory, and finally return.
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | setup.c | 14 |
1 files changed, 5 insertions, 9 deletions
@@ -479,19 +479,14 @@ const char *read_gitfile_gently(const char *path, int *return_error_code) path = real_path(dir); cleanup_return: - free(buf); - if (return_error_code) *return_error_code = error_code; - - if (error_code) { - if (return_error_code) - return NULL; - + else if (error_code) { switch (error_code) { case READ_GITFILE_ERR_STAT_FAILED: case READ_GITFILE_ERR_NOT_A_FILE: - return NULL; + /* non-fatal; follow return path */ + break; case READ_GITFILE_ERR_OPEN_FAILED: die_errno("Error opening '%s'", path); case READ_GITFILE_ERR_TOO_LARGE: @@ -509,7 +504,8 @@ cleanup_return: } } - return path; + free(buf); + return error_code ? NULL : path; } static const char *setup_explicit_git_dir(const char *gitdirenv, |
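Review bot: The position of `free(buf);` in the second hunk (-509,7 +504,8) is now what prevents the use-after-free, but nothing at that line says so. Per the commit message, `dir` points into `buf` and one of the fatal messages in the switch prints it, so a later edit that moves the free back above the switch would reintroduce the bug, and an early `return` added inside the switch would leak `buf`. I would add a comment directly above the free, e.g. `/* "dir" points into "buf"; free only after the error messages above have used it */`. The same invariant is why the non-fatal cases in the first hunk now `break` instead of returning, which the existing `/* non-fatal; follow return path */` comment only hints at. The switch body lies between the two hunks and the function starts before the first, so the case that prints `dir` is not visible here.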