rpm/rpm-4.16.1.3-hashtab-use-after-free-fix.patch
Michal Domonkos c5168f7f34 Fix use-after-free error in hashtab.c
This file has been completely removed upstream in the meantime (as part
of the debuginfo tooling split off in commit 04b0805) so this patch will
only be carried downstream.

The issue here was that htab->entries would be freed at the end of
htab_expand() if the htab->return_allocation_failure toggle was 0, and
later accessed in the calling function(s).

In reality, though, the toggle is initialized to 1 and never turned off
in the current implementation, but let's future-proof ourselves in case
we inadvertently turn it off in a future patch.

Found by Coverity.

Related: #1938861
2021-07-01 15:51:34 +02:00

14 lines
379 B
Diff

diff -up rpm-4.16.1.3/tools/hashtab.c.orig rpm-4.16.1.3/tools/hashtab.c
--- rpm-4.16.1.3/tools/hashtab.c.orig 2021-07-01 14:51:24.576237269 +0200
+++ rpm-4.16.1.3/tools/hashtab.c 2021-07-01 15:02:42.005754968 +0200
@@ -292,7 +292,8 @@ htab_expand (htab)
}
while (p < olimit);
- free (oentries);
+ if (oentries != htab->entries)
+ free(oentries);
return 1;
}