From: Jérémie Galarneau Date: Mon, 31 Oct 2022 19:27:11 +0000 (-0400) Subject: Fix: use-after-free with popt 1.19 X-Git-Tag: v1.5.11~2 X-Git-Url: http://git.efficios.com/?p=babeltrace.git;a=commitdiff_plain;h=eaa80814dee7373f72a66107bcb406f998e37fc3 Fix: use-after-free with popt 1.19 In parse_options, we loop over all non-option arguments, adding them to opt_input_paths. Immediately after adding `ipath' to opt_input_paths, we call poptFreeContext. This has the affect of free'ing pc->leftovers, which is where these non-option arguments are stored. This is ultimately due to this upstream commit in popt 1.19: https://github.com/rpm-software-management/popt/commit/7182e4618ad5a0186145fc2aa4a98c2229afdfa8 This is derived from a package patch: https://src.fedoraproject.org/rpms/babeltrace/c/d48452beff87b145c038f070e7182358db04336c?branch=rawhide Change-Id: Icf330e53c2f4fad1d98a1ae494f2664670a0828e Reported-by: Keith Seitz Signed-off-by: Michael Jeanson Signed-off-by: Jérémie Galarneau --- diff --git a/converter/babeltrace.c b/converter/babeltrace.c index ef783ed4..043ac0d5 100644 --- a/converter/babeltrace.c +++ b/converter/babeltrace.c @@ -448,8 +448,17 @@ static int parse_options(int argc, char **argv) do { ipath = poptGetArg(pc); - if (ipath) - g_ptr_array_add(opt_input_paths, (gpointer) ipath); + if (ipath) { + gpointer ipath_copy = strdup(ipath); + + if (!ipath_copy) { + perror("Failed to copy input path"); + ret = -1; + goto end; + } + + g_ptr_array_add(opt_input_paths, ipath_copy); + } } while (ipath); if (opt_input_paths->len == 0) { ret = -EINVAL; @@ -726,6 +735,12 @@ void call_plugins_hooks(void) bt_ctf_metadata_hook(); } +static +void free_ptr_array_element(gpointer ptr, gpointer user_data __attribute__((unused))) +{ + free(ptr); +} + int main(int argc, char **argv) { int ret, partial_error = 0, open_success = 0; @@ -880,6 +895,7 @@ end: free(opt_output_path); free(opt_debug_info_dir); free(opt_debug_info_target_prefix); + g_ptr_array_foreach(opt_input_paths, free_ptr_array_element, NULL); g_ptr_array_free(opt_input_paths, TRUE); if (partial_error) exit(EXIT_FAILURE);