If read_identity returns FALSE, it has already called clear_identity.
This is the same problem as in merge request !2970. Unfortunately I did not notice at first that the problem was present in two places.
-- v3: wusa: Zero out identity on error path in read_identity.
From: Alex Henrie alexhenrie24@gmail.com
Fixes double frees in read_components and read_dependency. The double frees could also be fixed by using free instead of free_dependency in those functions, but zeroing out the pointers is easier to understand because it ensures that alloc_dependency can always be paired with free_dependency.
---
 programs/wusa/manifest.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/programs/wusa/manifest.c b/programs/wusa/manifest.c index 83d4125133f..986bda27cd8 100644 --- a/programs/wusa/manifest.c +++ b/programs/wusa/manifest.c @@ -275,6 +275,7 @@ static BOOL read_identity(IXMLDOMElement *root, struct assembly_identity *identi
error: clear_identity(identity); + memset(identity, 0, sizeof(*identity)); return FALSE; }
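Review bot: the memset after clear_identity at the error label only makes the identity safe to clear a second time on this one path; every other caller of clear_identity is still left with dangling members after the call, so consider doing the zeroing inside clear_identity itself, which is the one place that knows which members it frees. If the error-path placement is intentional, add a comment at the label stating that callers such as read_components and read_dependency call free_dependency afterwards and rely on the members being NULL, so that the memset is not removed as redundant later.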
On Thu Jun 8 16:03:04 2023 +0000, Alex Henrie wrote:
Whoops. I fixed the title, but I will have to come back to this when I have time to look at the other double frees you mentioned (hopefully later today). Thanks for the feedback.
Thanks for spotting the third double free. You're probably right that it makes sense to zero out the pointers so that alloc_dependency can always be paired with free_dependency. I've pushed a new patch that zeroes them out on read_identity's error path, which I think makes a little more sense than zeroing them out in every call to clear_identity.
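The double free described in the commit message and in the reply above, reproduced as an added C example that is not code from Wine or from this merge request. It mirrors the shape of the bug only: read_identity allocates some members, fails, and calls clear_identity; the caller then calls free_dependency, which clears the same identity again. The struct fields, the tracked allocator that counts double frees instead of corrupting the heap, and the one-field struct dependency are all assumptions made for the illustration; the function names are taken from the discussion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for Wine's struct assembly_identity: only the shape
 * (a few heap-allocated strings) matters here; field names are made up. */
struct identity {
    char *name;
    char *version;
    char *arch;
};

/* Tracked allocator (constructed for this example): every live block is
 * recorded so that freeing a pointer that is not live is reported as a
 * double free rather than passed to libc free() a second time. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_frees;

static char *tracked_strdup(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    if (!p) return NULL;
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);            /* table full: treat as allocation failure */
    return NULL;
}

static void tracked_free(void *p)
{
    if (!p) return;     /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;     /* pointer is not live: this would be a double free */
}

/* Frees the members but, like the pre-patch code, leaves them dangling. */
static void clear_identity(struct identity *id)
{
    tracked_free(id->name);
    tracked_free(id->version);
    tracked_free(id->arch);
}

/* 'fail' simulates the XML parse failing after some members were allocated.
 * zero_on_error == 0 is the pre-patch error path; 1 is the patched one. */
static int read_identity(struct identity *id, int fail, int zero_on_error)
{
    memset(id, 0, sizeof(*id));
    id->name = tracked_strdup("Example-Component");   /* constructed values */
    id->version = tracked_strdup("1.0.0.0");
    if (fail) goto error;
    id->arch = tracked_strdup("amd64");
    return 1;
error:
    clear_identity(id);
    if (zero_on_error) memset(id, 0, sizeof(*id));
    return 0;
}

/* Simplified free_dependency: it unconditionally clears the embedded
 * identity, which is what the failing callers end up invoking. */
struct dependency { struct identity identity; };

static void free_dependency(struct dependency *dep)
{
    clear_identity(&dep->identity);
}

/* Runs the read_dependency-style caller path (read, fail, free_dependency)
 * and returns how many double frees the tracked allocator caught. */
int simulate(int zero_on_error)
{
    struct dependency dep;
    double_frees = 0;
    memset(live, 0, sizeof(live));
    if (!read_identity(&dep.identity, 1, zero_on_error))
        free_dependency(&dep);      /* the caller's error handling */
    return double_frees;
}

int main(void)
{
    printf("without memset on error path: %d double frees\n", simulate(0));
    printf("with memset on error path:    %d double frees\n", simulate(1));
    return 0;
}
```

Without the memset, the two members that read_identity allocated before failing are freed once by read_identity and again by free_dependency; with it, free_dependency only ever sees NULL members, which is exactly the invariant the commit message relies on to keep alloc_dependency and free_dependency paired.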
This merge request was approved by Hans Leidekker.