!12 Fix incorrect handling of leftovers with poptStuffArgs and memory leak

From: @panxh_purple Reviewed-by: @licunlong Signed-off-by: @licunlong
2022-08-15 10:41:34 +00:00 · 2022-08-15 10:41:34 +00:00 · b1826f6075
commit b1826f6075
parent 7c1384fb2d d888e7aa36
4 changed files with 170 additions and 1 deletions
--- a/backport-Consider-POPT_CONTEXT_KEEP_FIRST-during-reset.patch
+++ b/backport-Consider-POPT_CONTEXT_KEEP_FIRST-during-reset.patch
@ -0,0 +1,38 @@
+From cd32d1c7da8265a06491d72190c649496ae2f489 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 16 Aug 2020 20:39:20 +0200
+Subject: [PATCH] Consider POPT_CONTEXT_KEEP_FIRST during reset.
+
+If context is created with POPT_CONTEXT_KEEP_FIRST flag, then the
+first argv entry is parsed as well (argv[0] is normally the program
+name).
+
+Calling poptResetContext should reset the context exactly back into
+the state in wich it was after poptGetContext.
+
+Unfortunately the "next" value is always set to 1, i.e. pointing
+towards argv[1]. Consider POPT_CONTEXT_KEEP_FIRST. If it is set,
+point to argv[0] just like poptGetContext does.
+---
+ src/popt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/popt.c b/src/popt.c
+index c08b3c9..b7d9478 100644
+--- a/src/popt.c
+++ b/src/popt.c
+@@ -210,7 +210,10 @@ void poptResetContext(poptContext con)
+     con->os->currAlias = NULL;
+     con->os->nextCharArg = NULL;
+     con->os->nextArg = _free(con->os->nextArg);
+-    con->os->next = 1;			/* skip argv[0] */
+    if (!(con->flags & POPT_CONTEXT_KEEP_FIRST))
+	con->os->next = 1;		/* skip argv[0] */
+    else
+	con->os->next = 0;
+ 
+     con->numLeftovers = 0;
+     con->nextLeftover = 0;
+-- 
+2.27.0
+
--- a/backport-Fix-incorrect-handling-of-leftovers-with-poptStuffAr.patch
+++ b/backport-Fix-incorrect-handling-of-leftovers-with-poptStuffAr.patch
@ -0,0 +1,87 @@
+From 7219e1ddc1e8606dda18c1105df0d45d8e8e0e09 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <richard@levitte.org>
+Date: Mon, 29 Jun 2020 11:56:00 -0400
+Subject: [PATCH] Fix incorrect handling of leftovers with poptStuffArgs
+
+If poptStuffArgs() is used twice with the same context, it will invariably
+cause memory corruption and possibly memory leaks or a crash.
+
+Change the allocation of leftOvers so it adapts to the input on the fly
+instead of trying to pre-allocate it in one go.
+---
+ src/popt.c    | 24 ++++++++++++++++++++++--
+ src/poptint.h |  1 +
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/popt.c b/src/popt.c
+index b7d9478..ab7b54f 100644
+--- a/src/popt.c
+++ b/src/popt.c
+@@ -168,6 +168,7 @@ poptContext poptGetContext(const char * name, int argc, const char ** argv,
+ 	con->os->next = 1;		/* skip argv[0] */
+ 
+     con->leftovers = calloc( (size_t)(argc + 1), sizeof(*con->leftovers) );
+    con->allocLeftovers = argc + 1;
+     con->options = options;
+     con->aliases = NULL;
+     con->numAliases = 0;
+@@ -1272,8 +1273,21 @@ int poptGetNextOpt(poptContext con)
+ 		    con->os->nextArg = xstrdup(origOptString);
+ 		    return 0;
+ 		}
+-		if (con->leftovers != NULL)	/* XXX can't happen */
+-		    con->leftovers[con->numLeftovers++] = origOptString;
+		if (con->leftovers != NULL) {	/* XXX can't happen */
+		    /* One might think we can never overflow the leftovers
+		       array.  Actually, that's true, as long as you don't
+		       use poptStuffArgs()... */
+		    if ((con->numLeftovers + 1) >= (con->allocLeftovers)) {
+			con->allocLeftovers += 10;
+			con->leftovers =
+			    realloc(con->leftovers,
+				    sizeof(*con->leftovers) * con->allocLeftovers);
+		    }
+		    con->leftovers[con->numLeftovers++]
+			= xstrdup(origOptString); /* so a free of a stuffed
+						     argv doesn't give us a
+						     dangling pointer */
+		}
+ 		continue;
+ 	    }
+ 
+@@ -1521,6 +1535,8 @@ poptItem poptFreeItems(poptItem items, int nitems)
+ 
+ poptContext poptFreeContext(poptContext con)
+ {
+    int i;
+
+     if (con == NULL) return con;
+     poptResetContext(con);
+ 
+@@ -1530,7 +1546,11 @@ poptContext poptFreeContext(poptContext con)
+     con->execs = poptFreeItems(con->execs, con->numExecs);
+     con->numExecs = 0;
+ 
+    for (i = 0; i < con->numLeftovers; i++) {
+        con->leftovers[i] = _free(&con->leftovers[i]);
+    }
+     con->leftovers = _free(con->leftovers);
+
+     con->finalArgv = _free(con->finalArgv);
+     con->appName = _free(con->appName);
+     con->otherHelp = _free(con->otherHelp);
+diff --git a/src/poptint.h b/src/poptint.h
+index b64e123..d4d6e90 100644
+--- a/src/poptint.h
+++ b/src/poptint.h
+@@ -94,6 +94,7 @@ struct poptContext_s {
+     struct optionStackEntry * os;
+     poptArgv leftovers;
+     int numLeftovers;
+    int allocLeftovers;
+     int nextLeftover;
+     const struct poptOption * options;
+     int restLeftover;
+-- 
+2.27.0
+
--- a/backport-Fix-memory-leak-regressions-in-popt-1.18.patch
+++ b/backport-Fix-memory-leak-regressions-in-popt-1.18.patch
@ -0,0 +1,38 @@
+From 7182e4618ad5a0186145fc2aa4a98c2229afdfa8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 5 Jan 2022 14:51:55 +0100
+Subject: [PATCH] Fix memory leak regressions in popt 1.18
+
+Fix memory leak regression introduced in commit
+7219e1ddc1e8606dda18c1105df0d45d8e8e0e09. Free the actual content, not
+the array multiple times, and free on reset.
+---
+ src/popt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/popt.c b/src/popt.c
+index 0521c8d..f3f26a3 100644
+--- a/src/popt.c
+++ b/src/popt.c
+@@ -216,6 +216,9 @@ void poptResetContext(poptContext con)
+     else
+ 	con->os->next = 0;
+ 
+    for (i = 0; i < con->numLeftovers; i++) {
+        con->leftovers[i] = _free(con->leftovers[i]);
+    }
+     con->numLeftovers = 0;
+     con->nextLeftover = 0;
+     con->restLeftover = 0;
+@@ -1534,7 +1537,7 @@ poptContext poptFreeContext(poptContext con)
+     con->numExecs = 0;
+ 
+     for (i = 0; i < con->numLeftovers; i++) {
+-        con->leftovers[i] = _free(&con->leftovers[i]);
+        con->leftovers[i] = _free(con->leftovers[i]);
+     }
+     con->leftovers = _free(con->leftovers);
+ 
+-- 
+2.27.0
+
--- a/popt.spec
+++ b/popt.spec
@ -1,6 +1,6 @@
 Name:		popt
 Version:	1.18
-Release:        1
+Release:        2
 Summary:	C library for parsing command line parameters
 License:	MIT
 URL:		https://github.com/rpm-software-management/popt/
@ -10,6 +10,9 @@ Patch0: 	fix-obscure-iconv-mis-call-error-path-could-lead-to-.patch
 Patch1: 	fix-handle-newly-added-asset-.-call-like-elsewhere.patch
 Patch2: 	fix-permit-reading-aliases-remove-left-over-goto-exi.patch
 Patch3: 	fix-coverity-CID-1057440-Unused-pointer-value-UNUSED.patch
+Patch4: 	backport-Consider-POPT_CONTEXT_KEEP_FIRST-during-reset.patch
+Patch5: 	backport-Fix-incorrect-handling-of-leftovers-with-poptStuffAr.patch
+Patch6: 	backport-Fix-memory-leak-regressions-in-popt-1.18.patch

 BuildRequires:	gcc git gettext

@ -79,6 +82,9 @@ make check
 %{_mandir}/man3/%{name}.3.gz

 %changelog
+* Mon Aug 15 2022 panxiaohe <panxh.life@foxmail.com> - 1.18-2
+- Fix incorrect handling of leftovers with poptStuffArgs and memory leak
+
 * Sat Jul 25 2020 zhangxingliang <zhangxingliang3@huawei.com> - 1.18-1
 - Type:update
 - ID:NA