From 9cdf0f9123ee39c7cb32a276371b2fd95f0df5ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
Date: Mon, 2 Nov 2020 11:45:23 +0100
Subject: [PATCH] rhbz: Fix a double-free condition

The `cc` string must not be freed after the variable goes out of scope since it's appended to `cc_list`. (`g_list_append()` does not copy its input.) We only need to free the last string in the loop, which is an empty string. The bug was introduced in 7aba6e53. Resolves rhbz#1893595
---
 src/plugins/rhbz.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/plugins/rhbz.c b/src/plugins/rhbz.c
index 8a2ded79..e0d7a091 100644
--- a/src/plugins/rhbz.c
+++ b/src/plugins/rhbz.c
@@ -406,18 +406,20 @@ GList *rhbz_bug_cc(xmlrpc_value* result_xml)
 if (!item) continue;
- g_autofree const char* cc = NULL;
- xmlrpc_read_string(&env, item, &cc);
+ char *cc = NULL;
+ xmlrpc_read_string(&env, item, (const char **)&cc);
 xmlrpc_DECREF(item);
 if (env.fault_occurred) abrt_xmlrpc_die(&env);
 if (*cc != '\0') {
- cc_list = g_list_append(cc_list, (char*)cc);
+ cc_list = g_list_append(cc_list, cc);
 log_debug("member on cc is %s", cc);
 continue;
 }
+
+ free(cc);
 }
 xmlrpc_DECREF(cc_member);
 return cc_list;
-- 
2.26.2
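Review bot: The ownership hand-off this fix depends on is stated only in the commit message, not in the code: after `g_list_append(cc_list, cc)` the list holds the only reference to the string. A comment above the append such as `/* cc_list takes ownership of cc; do not free it here */` would keep a later cleanup from reintroducing the `g_autofree` double free. The function's contract should also say that callers release the elements, presumably with `g_list_free_full(cc_list, free)`, though the callers are outside this hunk and that needs confirming. The `continue;` followed by a trailing `free(cc);` would read more directly as `else free(cc);`. rhbz_bug_cc starts above the hunk, so the loop header and the declaration of `cc_list` are not visible here.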