From 78c87b3f3b359fac5401f81a86dd9e2f5968220e Mon Sep 17 00:00:00 2001

From: Pino Toscano <ptoscano@redhat.com>

Date: Thu, 19 Jul 2018 15:43:21 +0200

Subject: [PATCH] * src/augtool.c: fix access to invalid memory

When stripping the context from the result, readline_path_generator used

to realloc the string to a shorter size, copying only the content after

the prefix.  This resulted in reading with strcpy  from the previous

memory, which is freed already.  Avoid the issue, and simplify the code

by using strdup, freeing the old string.

This issue could be reproduced in augtool, trying to autocomplete files

without the /files prefix, e.g.:

  augtool> ls <TAB><TAB>

(cherry picked from commit 05b5784b2029f198ea486738d33fb7b49ef23eb8)

---

 src/augtool.c | 10 ++++------

 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/augtool.c b/src/augtool.c

index ff097bd9..2745812c 100644

--- a/src/augtool.c

+++ b/src/augtool.c

@@ -153,15 +153,13 @@ static char *readline_path_generator(const char *text, int state) {

             /* strip off context if the user didn't give it */

             if (ctx != NULL) {

-                char *c = realloc(child, strlen(child)-strlen(ctx)+1);

-                if (c == NULL) {

-                    free(child);

-                    return NULL;

-                }

                 int ctxidx = strlen(ctx);

                 if (child[ctxidx] == SEP)

                     ctxidx++;

-                strcpy(c, &child[ctxidx]);

+                char *c = strdup(&child[ctxidx]);

+                free(child);

+                if (c == NULL)

+                    return NULL;

                 child = c;

             }

-- 

2.17.2