From 7723f38cfb0e80f010afaebdd9fec4d0822fd2e1 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Wed, 5 Apr 2017 13:24:41 +0200
Subject: [PATCH] difftool: fix use-after-free
The left and right base directories were pointed to the buf field of two strbufs, which were subject to change. Let's just copy the strings and be done with it. This fixes https://github.com/git-for-windows/git/issues/1124
Signed-off-by: Johannes Schindelin
---
builtin/difftool.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/builtin/difftool.c b/builtin/difftool.c
index d13350ce83..3a77aeb682 100644
--- a/builtin/difftool.c
+++ b/builtin/difftool.c
@@ -262,6 +262,7 @@ static int run_dir_diff(const char *extcmd, int symlinks, const char *prefix,
 struct strbuf rpath = STRBUF_INIT, buf = STRBUF_INIT;
 struct strbuf ldir = STRBUF_INIT, rdir = STRBUF_INIT;
 struct strbuf wtdir = STRBUF_INIT;
+ char *lbase_dir, *rbase_dir;
 size_t ldir_len, rdir_len, wtdir_len;
 struct cache_entry *ce = xcalloc(1, sizeof(ce) + PATH_MAX + 1);
 const char *workdir, *tmp;
@@ -298,11 +299,11 @@ static int run_dir_diff(const char *extcmd, int symlinks, const char *prefix,
 memset(&wtindex, 0, sizeof(wtindex));
 memset(&lstate, 0, sizeof(lstate));
- lstate.base_dir = ldir.buf;
+ lstate.base_dir = lbase_dir = xstrdup(ldir.buf);
 lstate.base_dir_len = ldir.len;
 lstate.force = 1;
 memset(&rstate, 0, sizeof(rstate));
- rstate.base_dir = rdir.buf;
+ rstate.base_dir = rbase_dir = xstrdup(rdir.buf);
 rstate.base_dir_len = rdir.len;
 rstate.force = 1;
@@ -585,6 +586,8 @@ static int run_dir_diff(const char *extcmd, int symlinks, const char *prefix,
 finish:
 free(ce);
+ free(lbase_dir);
+ free(rbase_dir);
 strbuf_release(&ldir);
 strbuf_release(&rdir);
 strbuf_release(&wtdir);
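Review bot: `lbase_dir` and `rbase_dir` are declared without an initializer in the first hunk, yet the third hunk frees both unconditionally under `finish:`. If any `goto finish` can be reached before the two `xstrdup()` assignments in the second hunk (the code in between is outside these hunks), `free()` would receive an indeterminate pointer; declaring them as `char *lbase_dir = NULL, *rbase_dir = NULL;` makes the cleanup path safe on every exit. Separately, the context line `xcalloc(1, sizeof(ce) + PATH_MAX + 1)` sizes the allocation from the pointer rather than the struct, so `sizeof(*ce)` looks like what was intended and deserves a follow-up. The body of run_dir_diff extends beyond all three hunks.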
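Review bot: The two `xstrdup()` copies in the second hunk should carry a comment saying why they exist, because nothing at the assignment shows that `ldir` and `rdir` are, per the commit message, changed afterwards. A line such as `/* ldir/rdir are modified later, which may reallocate .buf; the checkout state needs stable copies */` above `lstate.base_dir = lbase_dir = xstrdup(ldir.buf);` would keep a later cleanup from restoring the aliased pointer and reintroducing the use-after-free. Note also that `base_dir_len` is still taken from `ldir.len` and `rdir.len`, which matches the copied string only because it is read at the same point as the copy.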