From cea10cd1f2ef6bb4edaac0c1d46d47bf237c42b8 Mon Sep 17 00:00:00 2001 From: Riccardo Schirone Date: Mon, 21 Jan 2019 18:11:42 +0100 Subject: [PATCH] Fix UAF in comps_objmrtree_unite function The added field is not used at all in many places and it is probably the left-over of some copy-paste. Upstream-Status: Backport [https://github.com/rpm-software-management/libcomps/commit /e3a5d056633677959ad924a51758876d415e7046] CVE: CVE-2019-3817 Signed-off-by: Kevin Weng --- libcomps/src/comps_mradix.c | 2 -- libcomps/src/comps_objmradix.c | 2 -- libcomps/src/comps_objradix.c | 2 -- libcomps/src/comps_radix.c | 1 - 4 files changed, 7 deletions(-) diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c index 338cb07..6ceb7c9 100644 --- a/libcomps/src/comps_mradix.c +++ b/libcomps/src/comps_mradix.c @@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) { struct Pair { COMPS_HSList * subnodes; char * key; - char added; } *pair, *parent_pair; pair = malloc(sizeof(struct Pair)); @@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) { parent_pair = (struct Pair*) it->data; free(it); - pair->added = 0; for (it = tmp_subnodes->first; it != NULL; it=it->next) { pair = malloc(sizeof(struct Pair)); pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes; diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c index 9be6648..8771c89 100644 --- a/libcomps/src/comps_objmradix.c +++ b/libcomps/src/comps_objmradix.c @@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) { struct Pair { COMPS_HSList * subnodes; char * key; - char added; } *pair, *parent_pair; pair = malloc(sizeof(struct Pair)); @@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) { parent_pair = (struct Pair*) it->data; free(it); - pair->added = 0; for (it = tmp_subnodes->first; it != NULL; it=it->next) { pair = malloc(sizeof(struct Pair)); pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes; diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c index a790270..0ebaf22 100644 --- a/libcomps/src/comps_objradix.c +++ b/libcomps/src/comps_objradix.c @@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) { struct Pair { COMPS_HSList * subnodes; char * key; - char added; } *pair, *parent_pair; pair = malloc(sizeof(struct Pair)); @@ -711,7 +710,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) { //printf("key-part:%s\n", parent_pair->key); free(it); - //pair->added = 0; for (it = tmp_subnodes->first; it != NULL; it=it->next) { pair = malloc(sizeof(struct Pair)); pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes; diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c index ada4fda..05dcaf2 100644 --- a/libcomps/src/comps_radix.c +++ b/libcomps/src/comps_radix.c @@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) { struct Pair { COMPS_HSList * subnodes; char * key; - char added; } *pair, *parent_pair; pair = malloc(sizeof(struct Pair)); -- 2.22.0