From ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Fri, 7 Jan 2022 13:57:24 +0100 Subject: [PATCH] Fix use-after-free in haveSignature() pgpPrtParams() may leave sig2 unchanged and if we're not in the very first iteration of the while() loop, we could pass a freed pointer to pgpDigParamsCmp(). Fix by setting it to NULL after freeing. Found by Coverity, after commit bd36c5d (subkey binding validation), although note that the commit didn't introduce this bug; it just seems to have been a false negative that got "fixed" by the changes in pgpPrtParams() in that commit. --- sign/rpmgensig.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c index d8c84e9..e88f9b7 100644 --- a/sign/rpmgensig.c +++ b/sign/rpmgensig.c @@ -364,7 +364,7 @@ static int haveSignature(rpmtd sigtd, Header h) pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2); if (pgpDigParamsCmp(sig1, sig2) == 0) rc = 1; - pgpDigParamsFree(sig2); + sig2 = pgpDigParamsFree(sig2); } pgpDigParamsFree(sig1); rpmtdFreeData(&oldtd); -- 1.8.3.1
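Review bot: the replacement line `sig2 = pgpDigParamsFree(sig2);` fixes the stale pointer only because pgpDigParamsFree() returns NULL; it is worth noting in the commit message that this is the contract being relied on, and confirming that sig2 is initialised to NULL before the while() loop, since the hunk does not show that declaration and the same freed-pointer reasoning applies to the first iteration if it is not. A second point for the same hunk: after this change, an iteration in which pgpPrtParams() fails still calls `pgpDigParamsCmp(sig1, sig2)` with sig2 == NULL, so the correctness of the loop now also depends on pgpDigParamsCmp() tolerating a NULL argument. A slightly more defensive shape would be to check the return value of pgpPrtParams() and only run the comparison when parsing succeeded, which makes the intent explicit rather than leaning on NULL handling in the comparison routine. Finally, the unchanged `pgpDigParamsFree(sig1);` after the loop discards the return value, which is fine because sig1 is not reused, but a short comment there would stop a future reader from "fixing" it to match the new line.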