Fix: use-after-free with popt 1.19

In parse_options, we loop over all non-option arguments, adding them to opt_input_paths. Immediately after adding `ipath' to opt_input_paths, we call poptFreeContext. This has the affect of free'ing pc->leftovers, which is where these non-option arguments are stored. This is ultimately due to this upstream commit in popt 1.19: rpm-software-management/popt@7182e46 This is derived from a package patch: https://src.fedoraproject.org/rpms/babeltrace/c/d48452beff87b145c038f070e7182358db04336c?branch=rawhide Change-Id: Icf330e53c2f4fad1d98a1ae494f2664670a0828e Reported-by: Keith Seitz <[email protected]> Signed-off-by: Michael Jeanson <[email protected]> Signed-off-by: Jérémie Galarneau <[email protected]>
efficios · Nov 2, 2022 · eaa8081 · eaa8081
1 parent c78c943
commit eaa8081
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/converter/babeltrace.c b/converter/babeltrace.c
@@ -448,8 +448,17 @@ static int parse_options(int argc, char **argv)
 
 	do {
 		ipath = poptGetArg(pc);
-		if (ipath)
-			g_ptr_array_add(opt_input_paths, (gpointer) ipath);
+		if (ipath) {
+			gpointer ipath_copy = strdup(ipath);
+
+			if (!ipath_copy) {
+				perror("Failed to copy input path");
+				ret = -1;
+				goto end;
+			}
+
+			g_ptr_array_add(opt_input_paths, ipath_copy);
+		}
 	} while (ipath);
 	if (opt_input_paths->len == 0) {
 		ret = -EINVAL;
@@ -726,6 +735,12 @@ void call_plugins_hooks(void)
 	bt_ctf_metadata_hook();
 }
 
+static
+void free_ptr_array_element(gpointer ptr, gpointer user_data __attribute__((unused)))
+{
+	free(ptr);
+}
+
 int main(int argc, char **argv)
 {
 	int ret, partial_error = 0, open_success = 0;
@@ -880,6 +895,7 @@ int main(int argc, char **argv)
 	free(opt_output_path);
 	free(opt_debug_info_dir);
 	free(opt_debug_info_target_prefix);
+	g_ptr_array_foreach(opt_input_paths, free_ptr_array_element, NULL);
 	g_ptr_array_free(opt_input_paths, TRUE);
 	if (partial_error)
 		exit(EXIT_FAILURE);