Ticket #4616: mc-4616-tar.c-fix-double-free.patch

File mc-4616-tar.c-fix-double-free.patch, 1.8 KB (added by and, 6 hours ago)
  • src/vfs/tar/tar.c

    From b778ff28109db4bb9f76b6dd24d60e2c59a245ea Mon Sep 17 00:00:00 2001
    From: Andreas Mohr <and@gmx.li>
    Date: Mon, 16 Dec 2024 23:00:00 +0000
    Subject: [PATCH] (tar.c) fix double free
    
    When a tar data block ends unexpectedly, header_copy gets freed, but the goto ret: then frees header_copy again.
    Save the header_copy pointer only AFTER the tar data block has been handled successfully.
    
    Found by Clang-19 Static Analyzer
    
    Signed-off-by: Andreas Mohr <and@gmx.li>
    ---
     src/vfs/tar/tar.c | 23 ++++++++++++-----------
     1 file changed, 12 insertions(+), 11 deletions(-)
    
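diff --git a/src/vfs/tar/tar.c b/src/vfs/tar/tar.c
index 185c9f4b8..96275faf0 100644
--- a/src/vfs/tar/tar.c
+++ b/src/vfs/tar/tar.c
@@ -658,17 +658,6 @@ tar_read_header (struct vfs_class *me, struct vfs_s_super *archive)
 
             header_copy = g_malloc (size + 1);
 
-            if (header->header.typeflag == GNUTYPE_LONGNAME)
-            {
-                g_free (next_long_name);
-                next_long_name = header_copy;
-            }
-            else
-            {
-                g_free (next_long_link);
-                next_long_link = header_copy;
-            }
-
             tar_set_next_block_after (header);
             *header_copy = *header;
             bp = header_copy->buffer + BLOCKSIZE;
@@ -696,6 +685,18 @@ tar_read_header (struct vfs_class *me, struct vfs_s_super *archive)
             }
 
             *bp = '\0';
+
+            if (header->header.typeflag == GNUTYPE_LONGNAME)
+            {
+                g_free (next_long_name);
+                next_long_name = header_copy;
+            }
+            else
+            {
+                g_free (next_long_link);
+                next_long_link = header_copy;
+            }
+
         }
         else if (header->header.typeflag == XHDTYPE || header->header.typeflag == SOLARIS_XHDTYPE)
         {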
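Review bot: The block added after `*bp = '\0';` is where ownership of `header_copy` passes to `next_long_name` / `next_long_link`, and nothing in the code records that this ordering is what prevents the double free. I would put a comment above it, e.g. `/* hand over header_copy only after all data blocks were read; the unexpected-end path frees it itself */`, so a later cleanup does not move the assignment back up next to the `g_malloc`. The copy loop between the two hunks is not shown here; going by the commit message its unexpected-end path frees `header_copy`, and since the buffer is now reachable only through that local until the handover, any other exit from the loop would have to free it too or the archive-controlled allocation leaks. The body of tar_read_header starts and ends outside the hunks.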