|
|
ec07862 |
From 9cdf0f9123ee39c7cb32a276371b2fd95f0df5ac Mon Sep 17 00:00:00 2001
|
|
|
d9b53bd |
From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?= <mgrabovs@redhat.com>
|
|
|
d9b53bd |
Date: Mon, 2 Nov 2020 11:45:23 +0100
|
|
|
ec07862 |
Subject: [PATCH] rhbz: Fix a double-free condition
|
|
|
d9b53bd |
|
|
|
d9b53bd |
The `cc` string must not be freed after the variable goes out of scope
|
|
|
d9b53bd |
since it's appended to `cc_list`. (`g_list_append()` does not copy its
|
|
|
d9b53bd |
input.) We only need to free the last string in the loop, which is an
|
|
|
d9b53bd |
empty string.
|
|
|
d9b53bd |
|
|
|
d9b53bd |
The bug was introduced in 7aba6e53.
|
|
|
d9b53bd |
|
|
|
d9b53bd |
Resolves rhbz#1893595
|
|
|
d9b53bd |
---
|
|
|
d9b53bd |
src/plugins/rhbz.c | 8 +++++---
|
|
|
d9b53bd |
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
d9b53bd |
|
|
|
d9b53bd |
diff --git a/src/plugins/rhbz.c b/src/plugins/rhbz.c
|
|
|
ec07862 |
index 8a2ded79..e0d7a091 100644
|
|
|
d9b53bd |
--- a/src/plugins/rhbz.c
|
|
|
d9b53bd |
+++ b/src/plugins/rhbz.c
|
|
|
ec07862 |
@@ -406,18 +406,20 @@ GList *rhbz_bug_cc(xmlrpc_value* result_xml)
|
|
|
d9b53bd |
if (!item)
|
|
|
d9b53bd |
continue;
|
|
|
d9b53bd |
|
|
|
ec07862 |
- g_autofree const char* cc = NULL;
|
|
|
d9b53bd |
- xmlrpc_read_string(&env, item, &cc);
|
|
|
d9b53bd |
+ char *cc = NULL;
|
|
|
d9b53bd |
+ xmlrpc_read_string(&env, item, (const char **)&cc);
|
|
|
d9b53bd |
xmlrpc_DECREF(item);
|
|
|
d9b53bd |
if (env.fault_occurred)
|
|
|
d9b53bd |
abrt_xmlrpc_die(&env;;
|
|
|
d9b53bd |
|
|
|
d9b53bd |
if (*cc != '\0')
|
|
|
d9b53bd |
{
|
|
|
d9b53bd |
- cc_list = g_list_append(cc_list, (char*)cc);
|
|
|
d9b53bd |
+ cc_list = g_list_append(cc_list, cc);
|
|
|
d9b53bd |
log_debug("member on cc is %s", cc);
|
|
|
d9b53bd |
continue;
|
|
|
d9b53bd |
}
|
|
|
d9b53bd |
+
|
|
|
d9b53bd |
+ free(cc);
|
|
|
d9b53bd |
}
|
|
|
d9b53bd |
xmlrpc_DECREF(cc_member);
|
|
|
d9b53bd |
return cc_list;
|
|
|
d9b53bd |
--
|
|
|
d9b53bd |
2.26.2
|
|
|
d9b53bd |
|