commit 6227cf0ee49b322cc297ef95bdad09ea8eae2ec4 from: Omar Polo date: Mon Sep 05 12:55:38 2022 UTC gotwebd: fix usage of the commit graph iter got_get_repo_commits mixes ids allocated on the heap and the one returned by the iter_next in the same variable, and then even attemp to free it. This is both a leak (we loose the pointer to the previously allocated id) and a possible invalid free since the object id pointer returned by the graph iterator is not to be passed to free(3). part of a bigger diff that's ok stsp@
commit - 9ea55f08a2fdb3e7018231c9fe4014c758a0b69a
commit + 6227cf0ee49b322cc297ef95bdad09ea8eae2ec4
blob - 76816f00e1861046d23bfcd7dc01706f222e7f5c
blob + 1595b111128cb8eaca43db33c9b1eab5a5ff4291
--- gotwebd/got_operations.c
+++ gotwebd/got_operations.c
@@ -434,6 +434,8 @@ got_get_repo_commits(struct request *c, int limit)
 goto done;
 for (;;) {
+ struct got_object_id *next_id;
+
 if (limit_chk == ((limit * qs->page) - (limit - 1)) && commit_found == 0 && repo_commit && repo_commit->commit_id != NULL) {
@@ -444,17 +446,15 @@ got_get_repo_commits(struct request *c, int limit)
 }
 }
- error = got_commit_graph_iter_next(&id, graph, repo, NULL,
+ error = got_commit_graph_iter_next(&next_id, graph, repo, NULL,
 NULL);
 if (error) {
 if (error->code == GOT_ERR_ITER_COMPLETED) error = NULL;
- goto done;
- }
- if (id == NULL)
 goto done;
+ }
- error = got_object_open_as_commit(&commit, repo, id);
+ error = got_object_open_as_commit(&commit, repo, next_id);
 if (error) goto done;
@@ -470,7 +470,7 @@ got_get_repo_commits(struct request *c, int limit)
 TAILQ_INSERT_TAIL(&t->repo_commits, repo_commit, entry);
 error = got_get_repo_commit(c, repo_commit, commit,
- &refs, id);
+ &refs, next_id);
 if (error) goto done;
@@ -482,15 +482,10 @@ got_get_repo_commits(struct request *c, int limit)
 commit_found = 1;
 else {
 limit_chk++;
- free(id);
- id = NULL;
 continue;
 }
 }
- free(id);
- id = NULL;
-
 if (limit == 1 && chk_multi == 0 && srv->max_commits_display != 1) commit_found = 1;
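Review bot: The new `next_id` declaration at the top of the `for (;;)` body has no comment recording who owns the pointer, although that ownership rule is the reason the variable was split off from `id`. The commit message says the id returned by the graph iterator must not be passed to free(3), but nothing in the code says so, and a later edit could easily reintroduce a `free(next_id)` next to the remaining heap-allocated `id` handling. I would put `/* borrowed from the commit graph iterator; never free(3) it */` directly above the declaration. The loop and the rest of got_get_repo_commits continue outside the hunk.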
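Review bot: The `if (id == NULL) goto done;` guard is dropped without a replacement, so after a successful got_commit_graph_iter_next() `next_id` goes into got_object_open_as_commit() unchecked, and it is declared uninitialized in the first hunk. If the iterator always stores a non-NULL id when it returns no error this is fine, but its definition is not visible here, and a stale or indeterminate pointer would be dereferenced rather than caught. I would declare it as `struct got_object_id *next_id = NULL;` and keep `if (next_id == NULL) goto done;` after the error block. The function body continues outside the hunk.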