BUG/MEDIUM: args: fix double free on error path in argument expression parser

William Lallemand reported a double free on the args parser used in fetches
and ACLs. The cause is that the arg expression is not fully initialized nor
deinitialized when killed and that one of the pointers was already freed once
in certain error conditions.

Simply set it to NULL after the first call to free().

The bug was apparently introduced in 1.5-dev9 with commit 2ac5718
(MEDIUM: add a new typed argument list parsing framework).

diff --git a/src/arg.c b/src/arg.c
index 1bf6444d32b3bc1a665416095450e2375148d96b..e7bed1ed9d3d215ac22522a1dd8c52c363fe331a 100644 (file)
--- a/src/arg.c
+++ b/src/arg.c
@@ -290,6 +290,7 @@ int make_arg_list(const char *in, int len, unsigned int mask, struct arg **argp,
  err:
        free(word);
        free(*argp);
+       *argp = NULL;
        if (err_arg)
                *err_arg = pos;
        if (err_ptr)