From 78c87b3f3b359fac5401f81a86dd9e2f5968220e Mon Sep 17 00:00:00 2001
From: Pino Toscano <ptoscano@redhat.com>
Date: Thu, 19 Jul 2018 15:43:21 +0200
Subject: [PATCH] * src/augtool.c: fix access to invalid memory

When stripping the context from the result, readline_path_generator used
to realloc the string to a shorter size, copying only the content after
the prefix.  This resulted in reading with strcpy from the previous
memory, which is freed already.  Avoid the issue, and simplify the code
by using strdup, freeing the old string.

This issue could be reproduced in augtool, trying to autocomplete files
without the /files prefix, e.g.:
  augtool> ls <TAB><TAB>

(cherry picked from commit 05b5784b2029f198ea486738d33fb7b49ef23eb8)
---
 src/augtool.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/augtool.c b/src/augtool.c
index ff097bd9..2745812c 100644
--- a/src/augtool.c
+++ b/src/augtool.c
@@ -153,15 +153,13 @@ static char *readline_path_generator(const char *text, int state) {
 
             /* strip off context if the user didn't give it */
             if (ctx != NULL) {
-                char *c = realloc(child, strlen(child)-strlen(ctx)+1);
-                if (c == NULL) {
-                    free(child);
-                    return NULL;
-                }
                 int ctxidx = strlen(ctx);
                 if (child[ctxidx] == SEP)
                     ctxidx++;
-                strcpy(c, &child[ctxidx]);
+                char *c = strdup(&child[ctxidx]);
+                free(child);
+                if (c == NULL)
+                    return NULL;
                 child = c;
             }
 
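Review bot: The read of `child[ctxidx]` and the following `strdup(&child[ctxidx])` assume that `child` is at least `strlen(ctx)` bytes long and begins with `ctx`, and nothing in the hunk checks that, so a shorter `child` would be read past its terminator. How `child` and `ctx` are produced lies outside the hunk, so the prefix may already be guaranteed there. Even so, wrapping the strip in a guard such as `if (strncmp(child, ctx, strlen(ctx)) == 0) { ... }` would make the assumption explicit and keep the index in bounds. As a smaller point, `ctxidx` holds a `strlen` result and would be better declared `size_t ctxidx = strlen(ctx);` than `int`. The body of readline_path_generator starts and ends outside the hunk.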
-- 
2.17.2