commit c3821befbed0b67d1b48a5cfa3aaa2e022c58430
from: Florian Obser
date: Thu Jul 21 05:41:04 2022 UTC
Prevent use-after-free of packed_refs_path in error path. Found by llvm's scan-build. OK stsp
commit - c9e76cc42e880db2e858c1e99942214157bd7ea9
commit + c3821befbed0b67d1b48a5cfa3aaa2e022c58430
blob - de71b5845e334bff8e56366f910514f149cf3519
blob + 78eb9ebab2c20cab529d7f47d39f8d4829ac8699
--- lib/reference.c
+++ lib/reference.c
@@ -453,7 +453,7 @@ got_ref_open(struct got_reference **ref, struct got_re
 const char *refname, int lock) {
 const struct got_error *err = NULL;
- char *path_refs = NULL;
+ char *packed_refs_path = NULL, *path_refs = NULL;
 const char *subdirs[] = { GOT_REF_HEADS, GOT_REF_TAGS, GOT_REF_REMOTES };
@@ -472,7 +472,6 @@ got_ref_open(struct got_reference **ref, struct got_re
 if (well_known) {
 err = open_ref(ref, path_refs, "", refname, lock);
 } else {
- char *packed_refs_path;
 FILE *f;
 /* Search on-disk refs before packed refs! */
@@ -496,7 +495,6 @@ got_ref_open(struct got_reference **ref, struct got_re
 goto done;
 }
 f = fopen(packed_refs_path, "rbe");
- free(packed_refs_path);
 if (f != NULL) {
 struct stat sb;
 if (fstat(fileno(f), &sb) == -1) {
@@ -521,6 +519,7 @@ done:
 err = got_error_not_ref(refname);
 if (err && lf) got_lockfile_unlock(lf, -1);
+ free(packed_refs_path);
 free(path_refs);
 return err;
 }
@@ -997,7 +996,7 @@ got_ref_list(struct got_reflist_head *refs, struct got
 const char *ref_namespace, got_ref_cmp_cb cmp_cb, void *cmp_arg) {
 const struct got_error *err;
- char *packed_refs_path, *path_refs = NULL;
+ char *packed_refs_path = NULL, *path_refs = NULL;
 char *abs_namespace = NULL, *buf = NULL;
 const char *ondisk_ref_namespace = NULL;
 char *line = NULL;
@@ -1090,7 +1089,6 @@ got_ref_list(struct got_reflist_head *refs, struct got
 }
 f = fopen(packed_refs_path, "re");
- free(packed_refs_path);
 if (f) {
 size_t linesize = 0;
 ssize_t linelen;
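Review bot: The stream from `fopen(packed_refs_path, "rbe")` in got_ref_open cannot be closed under `done:` (hunk at -521, where this commit adds `free(packed_refs_path)`), because `FILE *f` is declared inside the `else` block and is out of scope at the label. If the `fstat` failure branch jumps to `done`, which the commit message implies but whose body is outside the visible hunks, the stream and its file descriptor leak each time that path is taken. Hoisting the declaration to `FILE *f = NULL;` at function scope and adding `if (f != NULL && fclose(f) == EOF && err == NULL) err = got_error_from_errno("fclose");` under `done:` would cover it, provided any existing close elsewhere in the body also sets `f = NULL` so the stream is not closed twice.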
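Review bot: In got_ref_list (hunk at -997), `const struct got_error *err;` on the line above the changed declaration is left without an initializer, unlike `err = NULL` in got_ref_open. The paths that reach `done:` are outside the hunk, so whether one of them can get there before `err` is assigned cannot be confirmed from here. Writing `const struct got_error *err = NULL;` would apply the same rule this commit applies to `packed_refs_path` and keep a later early `goto done` from using an indeterminate pointer.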
@@ -1135,6 +1133,7 @@ got_ref_list(struct got_reflist_head *refs, struct got
 }
 }
 done:
+ free(packed_refs_path);
 free(abs_namespace);
 free(buf);
 free(line);