From e3a5d056633677959ad924a51758876d415e7046 Mon Sep 17 00:00:00 2001

From: Riccardo Schirone <rschiron@redhat.com>

Date: Mon, 21 Jan 2019 18:11:42 +0100

Subject: [PATCH] Fix UAF in comps_objmrtree_unite function

The added field is not used at all in many places and it is probably the

left-over of some copy-paste.

---

 libcomps/src/comps_mradix.c    | 2 --

 libcomps/src/comps_objmradix.c | 2 --

 libcomps/src/comps_objradix.c  | 2 --

 libcomps/src/comps_radix.c     | 1 -

 4 files changed, 7 deletions(-)

diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c

index 8ef9640..dfdee8e 100644

--- a/libcomps/src/comps_mradix.c

+++ b/libcomps/src/comps_mradix.c

@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {

     struct Pair {

         COMPS_HSList * subnodes;

         char * key;

-        char added;

     } *pair, *parent_pair;

     pair = malloc(sizeof(struct Pair));

@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {

         parent_pair = (struct Pair*) it->data;

         free(it);

-        pair->added = 0;

         for (it = tmp_subnodes->first; it != NULL; it=it->next) {

             pair = malloc(sizeof(struct Pair));

             pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;

diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c

index 9a2038b..22ad262 100644

--- a/libcomps/src/comps_objmradix.c

+++ b/libcomps/src/comps_objmradix.c

@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {

     struct Pair {

         COMPS_HSList * subnodes;

         char * key;

-        char added;

     } *pair, *parent_pair;

     pair = malloc(sizeof(struct Pair));

@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {

         parent_pair = (struct Pair*) it->data;

         free(it);

-        pair->added = 0;

         for (it = tmp_subnodes->first; it != NULL; it=it->next) {

             pair = malloc(sizeof(struct Pair));

             pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;

diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c

index c657b75..840592a 100644

--- a/libcomps/src/comps_objradix.c

+++ b/libcomps/src/comps_objradix.c

@@ -697,7 +697,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {

     struct Pair {

         COMPS_HSList * subnodes;

         char * key;

-        char added;

     } *pair, *parent_pair;

     pair = malloc(sizeof(struct Pair));

@@ -716,7 +715,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {

         //printf("key-part:%s\n", parent_pair->key);

         free(it);

-        //pair->added = 0;

         for (it = tmp_subnodes->first; it != NULL; it=it->next) {

             pair = malloc(sizeof(struct Pair));

             pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;

diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c

index ada4fda..05dcaf2 100644

--- a/libcomps/src/comps_radix.c

+++ b/libcomps/src/comps_radix.c

@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {

     struct Pair {

         COMPS_HSList * subnodes;

         char * key;

-        char added;

     } *pair, *parent_pair;

     pair = malloc(sizeof(struct Pair));

--

libgit2 0.28.2