author | Anne LoVerso <aelv13@gmail.com> | 2014-08-21 13:45:55 -0400 |
---|---|---|
committer | Colin Walters <walters@verbum.org> | 2014-08-21 13:57:31 -0400 |
commit | 6dfe99a283e9327b70f636cf82da3fa439576645 (patch) | |
tree | dca2b2298c205fc0b01f87576096f13a288f6b15 | |
parent | 3742c329459615eca34fdd374673c76ac648ffba (diff) | |
download | ostree-6dfe99a283e9327b70f636cf82da3fa439576645.tar.gz |
pull: Fix use-after-free
The strchr() was pointing into a string we were freeing.
-rw-r--r-- | src/libostree/ostree-repo-pull.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c index 7c85ccd6..0ad91575 100644 --- a/src/libostree/ostree-repo-pull.c +++ b/src/libostree/ostree-repo-pull.c @@ -441,23 +441,22 @@ scan_dirtree_object (OtPullData *pull_data, { const char *subpath = NULL; const char *nextslash = NULL; + gs_free char *dir_data = NULL; + g_assert (pull_data->dir[0] == '/'); // assert it starts with / like "/usr/share/rpm" subpath = pull_data->dir + 1; // refers to name minus / like "usr/share/rpm" nextslash = strchr (subpath, '/'); //refers to start of next slash like "/share/rpm" + dir_data = pull_data->dir; // keep the original pointer around since strchr() points into it + pull_data->dir = NULL; if (nextslash) { subdir_target = g_strndup (subpath, nextslash - subpath); // refers to first dir, like "usr" - g_free (pull_data->dir); pull_data->dir = g_strdup (nextslash); // sets dir to new deeper level like "/share/rpm" } else // we're as deep as it goes, i.e. subpath = "rpm" - { - subdir_target = g_strdup (subpath); - g_clear_pointer (&pull_data->dir, g_free); - pull_data->dir = NULL; - } - } + subdir_target = g_strdup (subpath); + } n = g_variant_n_children (dirs_variant); |
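Review bot: The only guard on the path format before `subpath = pull_data->dir + 1` is `g_assert (pull_data->dir[0] == '/')`, and GLib compiles `g_assert` out when `G_DISABLE_ASSERT` is defined. In such a build an empty `pull_data->dir` would leave `subpath` pointing past the terminator, and `strchr()` would then read beyond the string. If the value can come from a caller-supplied subdirectory (not visible here), it should be rejected with a runtime check such as `if (pull_data->dir[0] != '/')` that leads to the function's normal error return. The ownership fix also depends on `dir_data` being released only when this block closes, so the comment could say so: `// owned by dir_data until the end of this block; subpath/nextslash must not outlive it`. scan_dirtree_object starts and ends outside the hunk, so the enclosing condition and the error path cannot be checked from here.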