commit aa8b5dd032c8cba930e5be67a90069a95e0001b8
from: Stefan Sperling
date: Sun Aug 01 12:59:32 2021 UTC
fix a use-after-free in get_changed_paths() in got and tog
Once the parent commit is closed the tree_id1 pointer is no longer valid, but the pointer was still being used. Make a deep copy to fix this issue.
commit - 267bb3b89907b99d17aece9890a57afe2982b782
commit + aa8b5dd032c8cba930e5be67a90069a95e0001b8
blob - eead62c4d2989b648729acc4857033da98231ab3
blob + 71cc16e4b52a05afc8991d3d0c566bd8c200b3d7
--- got/got.c
+++ got/got.c
@@ -3438,7 +3438,12 @@ get_changed_paths(struct got_pathlist_head *paths,
  if (err)
  return err;
- tree_id1 = got_object_commit_get_tree_id(pcommit);
+ tree_id1 = got_object_id_dup(
+ got_object_commit_get_tree_id(pcommit));
+ if (tree_id1 == NULL) {
+ got_object_commit_close(pcommit);
+ return got_error_from_errno("got_object_id_dup");
+ }
  got_object_commit_close(pcommit);
  }
@@ -3461,6 +3466,7 @@ done:
  got_object_tree_close(tree1);
  if (tree2)
  got_object_tree_close(tree2);
+ free(tree_id1);
  return err;
  }
blob - bc64c6af7747946ee999102bd29e8c420df1a314
blob + c175ea3c10692ebe9286741d643cd9b65fb4140c
--- tog/tog.c
+++ tog/tog.c
@@ -3053,7 +3053,12 @@ get_changed_paths(struct got_pathlist_head *paths,
  if (err)
  return err;
- tree_id1 = got_object_commit_get_tree_id(pcommit);
+ tree_id1 = got_object_id_dup(
+ got_object_commit_get_tree_id(pcommit));
+ if (tree_id1 == NULL) {
+ got_object_commit_close(pcommit);
+ return got_error_from_errno("got_object_id_dup");
+ }
  got_object_commit_close(pcommit);
  }
@@ -3076,6 +3081,7 @@ done:
  got_object_tree_close(tree1);
  if (tree2)
  got_object_tree_close(tree2);
+ free(tree_id1);
  return err;
  }
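Review bot: In the new failure branch of the first got/got.c hunk, `got_object_commit_close(pcommit)` runs between the failing `got_object_id_dup()` and `got_error_from_errno("got_object_id_dup")`, so if closing the commit frees memory or makes any other call that touches errno, the error reported to the caller may no longer be the allocation failure. Build the error first and close afterwards: `err = got_error_from_errno("got_object_id_dup"); got_object_commit_close(pcommit); return err;` — this assumes got_error_from_errno reads errno, as its name suggests, and reuses the `err` variable the hunk already returns. The first tog/tog.c hunk has the same ordering at the same spot and should get the same change. The enclosing get_changed_paths() starts before this hunk, so the declaration of `err` is not visible here.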
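Review bot: The `free(tree_id1)` added at the done: label in got/got.c is reached on every path that does not take the early return, including commits with no parent where the duplication branch is never entered, so it is only safe if tree_id1 is initialized to NULL at its declaration; that declaration is outside this hunk, please confirm. Since the pointer's ownership changed from borrowed to owned in this commit, a short comment next to the free would spare the next reader a trip to the duplication site: `/* tree_id1 is our own copy (got_object_id_dup), NULL when the commit has no parent */`. The same applies to the matching done: hunk in tog/tog.c.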