Fix: use-after-free with popt 1.19

In parse_options, we loop over all non-option arguments, adding them to
opt_input_paths.

Immediately after adding `ipath' to opt_input_paths, we call
poptFreeContext.  This has the affect of free'ing pc->leftovers, which
is where these non-option arguments are stored.

This is ultimately due to this upstream commit in popt 1.19:
https://github.com/rpm-software-management/popt/commit/7182e4618ad5a0186145fc2aa4a98c2229afdfa8

This is derived from a package patch:
https://src.fedoraproject.org/rpms/babeltrace/c/d48452beff87b145c038f070e7182358db04336c?branch=rawhide

Change-Id: Icf330e53c2f4fad1d98a1ae494f2664670a0828e
Reported-by: Keith Seitz <keiths@redhat.com>
Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Signed-off-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>

diff --git a/converter/babeltrace.c b/converter/babeltrace.c
index ef783ed495a3f35295de62f6a0f71261ac216b98..043ac0d5bc90604482d511cac62b34403231f958 100644 (file)
--- a/converter/babeltrace.c
+++ b/converter/babeltrace.c
@@ -448,8 +448,17 @@ static int parse_options(int argc, char **argv)
 
        do {
                ipath = poptGetArg(pc);
-               if (ipath)
-                       g_ptr_array_add(opt_input_paths, (gpointer) ipath);
+               if (ipath) {
+                       gpointer ipath_copy = strdup(ipath);
+
+                       if (!ipath_copy) {
+                               perror("Failed to copy input path");
+                               ret = -1;
+                               goto end;
+                       }
+
+                       g_ptr_array_add(opt_input_paths, ipath_copy);
+               }
        } while (ipath);
        if (opt_input_paths->len == 0) {
                ret = -EINVAL;
@@ -726,6 +735,12 @@ void call_plugins_hooks(void)
        bt_ctf_metadata_hook();
 }
 
+static
+void free_ptr_array_element(gpointer ptr, gpointer user_data __attribute__((unused)))
+{
+       free(ptr);
+}
+
 int main(int argc, char **argv)
 {
        int ret, partial_error = 0, open_success = 0;
@@ -880,6 +895,7 @@ end:
        free(opt_output_path);
        free(opt_debug_info_dir);
        free(opt_debug_info_target_prefix);
+       g_ptr_array_foreach(opt_input_paths, free_ptr_array_element, NULL);
        g_ptr_array_free(opt_input_paths, TRUE);
        if (partial_error)
                exit(EXIT_FAILURE);