From 85b687098bcedb67285ab787b8bd506d328c34e0 Mon Sep 17 00:00:00 2001

From: Ernestas Kulik <ekulik@redhat.com>

Date: Tue, 25 Aug 2020 15:17:54 +0300

Subject: [PATCH] gui-wizard-gtk: wizard: Fix invalid memory read

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

This partially reverts 7aba6e53bbfeedaacd95bbaa5e0c5e325a3e6a8d, which

results in “event” being inappropriately freed before a “goto” statement

is executed and the value stored in “g_event_selected” is read.

---

 src/gui-wizard-gtk/wizard.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/gui-wizard-gtk/wizard.c b/src/gui-wizard-gtk/wizard.c

index a4d7caa0..3e69a513 100644

--- a/src/gui-wizard-gtk/wizard.c

+++ b/src/gui-wizard-gtk/wizard.c

@@ -2635,7 +2635,7 @@ static gint select_next_page_no(gint current_page_no)

         log_info("%s: Looking for next event to process", __func__);

         /* (note: this frees and sets to NULL g_event_selected) */

-        g_autofree char *event = setup_next_processed_event(&g_auto_event_list);

+        char *event = setup_next_processed_event(&g_auto_event_list);

         if (!event)

         {

             current_page_no = PAGENO_EVENT_PROGRESS - 1;

@@ -2644,6 +2644,8 @@ static gint select_next_page_no(gint current_page_no)

         if (!get_sensitive_data_permission(event))

         {

+            free(event);

+

             cancel_processing(g_lbl_event_log, /* default message */ NULL, TERMINATE_NOFLAGS);

             current_page_no = PAGENO_EVENT_PROGRESS - 1;

             goto again;

@@ -2659,6 +2661,8 @@ static gint select_next_page_no(gint current_page_no)

             if (libreport_get_global_stop_on_not_reportable())

             {

+                free(event);

+

                 cancel_processing(g_lbl_event_log, msg, TERMINATE_NOFLAGS);

                 current_page_no = PAGENO_EVENT_PROGRESS - 1;

                 goto again;

-- 

2.28.0