read_gitfile_gently: fix use-after-free
authorJeff King <peff@peff.net>
Fri, 26 Jun 2015 09:03:31 +0000 (05:03 -0400)
committerJunio C Hamano <gitster@pobox.com>
Fri, 26 Jun 2015 16:23:08 +0000 (09:23 -0700)
The "dir" variable is a pointer into the "buf" array. When
we hit the cleanup_return path, the first thing we do is
free(buf); but one of the error messages prints "dir", which
will access the memory after the free.

We can fix this by reorganizing the error path a little. We
act on the fatal, error-printing conditions first, as they
want to access memory and do not care about freeing. Then we
free any memory, and finally return.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
setup.c

diff --git a/setup.c b/setup.c
index a03ca94234e944570cceb5d3e556c214cf1f387a..97bb5e3b93e8e678832a6d9f057eaa0ec48ed9ac 100644 (file)
--- a/setup.c
+++ b/setup.c
@@ -479,19 +479,14 @@ const char *read_gitfile_gently(const char *path, int *return_error_code)
        path = real_path(dir);
 
 cleanup_return:
-       free(buf);
-
        if (return_error_code)
                *return_error_code = error_code;
-
-       if (error_code) {
-               if (return_error_code)
-                       return NULL;
-
+       else if (error_code) {
                switch (error_code) {
                case READ_GITFILE_ERR_STAT_FAILED:
                case READ_GITFILE_ERR_NOT_A_FILE:
-                       return NULL;
+                       /* non-fatal; follow return path */
+                       break;
                case READ_GITFILE_ERR_OPEN_FAILED:
                        die_errno("Error opening '%s'", path);
                case READ_GITFILE_ERR_TOO_LARGE:
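Review bot: The ordering the fix depends on — report before free, because `dir` points into `buf` — is not recorded anywhere in the new code, so a later refactor that tidies the label back into "free first" would silently reintroduce the use-after-free this commit removes; the only new comment, `/* non-fatal; follow return path */`, explains the break but not the constraint. A short comment at the `cleanup_return:` label would carry that contract, e.g. `/* dir points into buf: report any fatal error before buf is freed below */`. The remaining `case` arms of this switch, including the ones that print `dir`, lie between this hunk and the next and are not visible here, so it is worth confirming that none of them has its own early return that could still follow a free.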
@@ -509,7 +504,8 @@ cleanup_return:
                }
        }
 
-       return path;
+       free(buf);
+       return error_code ? NULL : path;
 }
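Review bot: The success path now returns `path` after `free(buf)`, and `path` was assigned from `real_path(dir)` with `dir` inside `buf`, so the correctness of `return error_code ? NULL : path;` rests on `real_path()` returning storage that is not part of `buf` (presumably its own static or caller-independent buffer); nothing in the hunk states that, and it is the same class of lifetime assumption this commit is fixing. I would pin it with a comment on the free, e.g. `free(buf); /* path comes from real_path(), not buf, so it survives this free */`, or assert it once in the function's header comment alongside the `return_error_code` contract (non-NULL suppresses die() and reports the code instead, NULL means fatal cases terminate). The start of read_gitfile_gently, including the declaration of `buf` and `dir`, is outside both hunks.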
 
 static const char *setup_explicit_git_dir(const char *gitdirenv,