From: Jeff King Date: Sun, 25 Aug 2019 07:19:51 +0000 (-0400) Subject: notes: avoid potential use-after-free during insertion X-Git-Tag: v2.24.0-rc0~118^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=60fe477a0be2a3801e5ce3913e0be8e8e2e58e4f;p=thirdparty%2Fgit.git notes: avoid potential use-after-free during insertion The note_tree_insert() function may free the leaf_node struct we pass in (e.g., if it's a duplicate, or if it needs to be combined with an existing note). Most callers are happy with this, as they assume that ownership of the struct is handed off. But in load_subtree(), if we see an error we'll use the handed-off struct's key_oid to generate the die() message, potentially accessing freed memory. We can easily fix this by instead using the original oid that we copied into the leaf_node struct. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- diff --git a/notes.c b/notes.c index 3130add618..9533a14a13 100644 --- a/notes.c +++ b/notes.c @@ -460,7 +460,7 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree, die("Failed to load %s %s into notes tree " "from %s", type == PTR_TYPE_NOTE ? "note" : "subtree", - oid_to_hex(&l->key_oid), t->ref); + oid_to_hex(&object_oid), t->ref); continue;
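Review bot: on the changed `oid_to_hex(&object_oid)` argument in the die() call, nothing in the code records why `l->key_oid` must not be used here, so a later cleanup could switch it back and reintroduce the read of freed memory. A short comment above the die() would prevent that, stating that note_tree_insert() may free `l` and that `l` must not be dereferenced once the call returns. Documenting the ownership hand-off at note_tree_insert() itself would cover the other callers as well. The hunk does not show where `object_oid` is filled in or copied into the leaf_node, so confirm that it holds the same value `key_oid` had for both the "note" and "subtree" cases that reach this message.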