authorPatrick Steinhardt <ps@pks.im>2017-02-13 13:46:17 +0100
committerPatrick Steinhardt <ps@pks.im>2017-02-13 13:50:52 +0100
commitade0d9c658fdfc68d8046935f6908f033fe7a529 (patch)
tree60301bba87531efcbbcb3b23abb38828eaa1dbe4
parentdc851d9eae21db8671118d798e55990e199af6af (diff)
downloadlibgit2-ade0d9c658fdfc68d8046935f6908f033fe7a529.tar.gz
commit: avoid possible use-after-free
When extracting a commit's signature, we first free the object and only afterwards put its signature contents into the result buffer. This works in most cases - the freed object will normally be cached anyway, so we only end up decrementing its reference count without actually freeing its contents. But in some more exotic setups, where caching is disabled, this can definitely be a problem, as we might be the only instance currently holding a reference to this object. Fix this issue by first extracting the contents and only afterwards freeing the object.
-rw-r--r--src/commit.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/commit.c b/src/commit.c
index 89a4db115..05b70a983 100644
--- a/src/commit.c
+++ b/src/commit.c
@@ -766,8 +766,9 @@ int git_commit_extract_signature(git_buf *signature, git_buf *signed_data, git_r
if (git_buf_oom(signature))
goto oom;
+ error = git_buf_puts(signed_data, eol+1);
git_odb_object_free(obj);
- return git_buf_puts(signed_data, eol+1);
+ return error;
}
giterr_set(GITERR_OBJECT, "this commit is not signed");
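Review bot: The new ordering around `git_odb_object_free(obj)` carries no comment saying why the copy has to come first, so a later tidy-up could fold the two lines back into a `return git_buf_puts(...)` after the free and reintroduce the use-after-free. Going by the commit message, `eol` points into memory owned by `obj`; I would add `/* eol points into obj's data: copy it out before dropping our reference */` above the `git_buf_puts` call. Separately, when that call fails the function returns the error with `signature` already filled; the `oom` label is outside the hunk, so check whether it clears the output buffers and, if it does, whether this path should `goto` it as well. The body of git_commit_extract_signature starts and ends outside the hunk.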