Fossil SCM
Fix a possible "use-after-free" while rendering a [/help?cmd=/file|/file] page for the case when the "ci" parameter is missing. This is a preliminary fix; it may introduce a (tiny) memory leak.
Commit
a6477bca6540cde677543c7a41a6b3b40a8ba1231d5ee14bc35623c3b7162693
Parent
3a97dff2cf7937c…
1 file changed
+3
-2
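--- a/src/info.c
+++ b/src/info.c
@@ -2339,11 +2339,11 @@
 return;
 }
 
 url_initialize(&url, g.zPath);
 url_add_parameter(&url, "name", zName);
-url_add_parameter(&url, "ci", zCI);
+url_add_parameter(&url, "ci", zCI); /* no-op if zCI is NULL */
 
 if( zCI==0 && !isFile ){
 /* If there is no ci= query parameter, then prefer to interpret
 ** name= as a hash for /artifact and /whatis. But for not for /file.
 ** For /file, a name= without a ci= while prefer to use the default
@@ -2381,11 +2381,12 @@
 " ORDER BY event.mtime DESC",
 zName
 );
 if( db_step(&q)==SQLITE_ROW ){
 rid = db_column_int(&q, 0);
-zCI = zCIUuid = fossil_strdup(db_column_text(&q, 1));
+zCI = fossil_strdup(db_column_text(&q, 1));
+zCIUuid = fossil_strdup(zCI);
 url_add_parameter(&url, "ci", zCI);
 }
 db_finalize(&q);
 if( rid==0 ){
 style_header("No such file");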
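Review bot: In the second hunk, the new `zCI = fossil_strdup(db_column_text(&q, 1));` makes zCI an owned heap copy on this branch only, and nothing visible records that, so later cleanup cannot tell whether zCI may be freed; this is presumably the leak the commit message mentions. The free that made the old aliased `zCI = zCIUuid = ...` assignment dangerous is outside the hunk, so it is only an inference that zCIUuid is released while zCI (or whatever `url_add_parameter` keeps from it) is still read. I would add a comment here such as `/* zCI and zCIUuid must be separate allocations: one is freed while the other is still in use */`. I would also track the copy in a dedicated local (for example `zCIOwned`, a constructed name) that is passed to `fossil_free()` on every exit path, so the use-after-free is not traded for a leak. The enclosing function starts and ends outside both hunks, so the exit paths need checking against the full file.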
| --- src/info.c | |
| +++ src/info.c | |
| @@ -2339,11 +2339,11 @@ | |
| 2339 | return; |
| 2340 | } |
| 2341 | |
| 2342 | url_initialize(&url, g.zPath); |
| 2343 | url_add_parameter(&url, "name", zName); |
| 2344 | url_add_parameter(&url, "ci", zCI); |
| 2345 | |
| 2346 | if( zCI==0 && !isFile ){ |
| 2347 | /* If there is no ci= query parameter, then prefer to interpret |
| 2348 | ** name= as a hash for /artifact and /whatis. But for not for /file. |
| 2349 | ** For /file, a name= without a ci= while prefer to use the default |
| @@ -2381,11 +2381,12 @@ | |
| 2381 | " ORDER BY event.mtime DESC", |
| 2382 | zName |
| 2383 | ); |
| 2384 | if( db_step(&q)==SQLITE_ROW ){ |
| 2385 | rid = db_column_int(&q, 0); |
| 2386 | zCI = zCIUuid = fossil_strdup(db_column_text(&q, 1)); |
| 2387 | url_add_parameter(&url, "ci", zCI); |
| 2388 | } |
| 2389 | db_finalize(&q); |
| 2390 | if( rid==0 ){ |
| 2391 | style_header("No such file"); |
| 2392 |
| --- src/info.c | |
| +++ src/info.c | |
| @@ -2339,11 +2339,11 @@ | |
| 2339 | return; |
| 2340 | } |
| 2341 | |
| 2342 | url_initialize(&url, g.zPath); |
| 2343 | url_add_parameter(&url, "name", zName); |
| 2344 | url_add_parameter(&url, "ci", zCI); /* no-op if zCI is NULL */ |
| 2345 | |
| 2346 | if( zCI==0 && !isFile ){ |
| 2347 | /* If there is no ci= query parameter, then prefer to interpret |
| 2348 | ** name= as a hash for /artifact and /whatis. But for not for /file. |
| 2349 | ** For /file, a name= without a ci= while prefer to use the default |
| @@ -2381,11 +2381,12 @@ | |
| 2381 | " ORDER BY event.mtime DESC", |
| 2382 | zName |
| 2383 | ); |
| 2384 | if( db_step(&q)==SQLITE_ROW ){ |
| 2385 | rid = db_column_int(&q, 0); |
| 2386 | zCI = fossil_strdup(db_column_text(&q, 1)); |
| 2387 | zCIUuid = fossil_strdup(zCI); |
| 2388 | url_add_parameter(&url, "ci", zCI); |
| 2389 | } |
| 2390 | db_finalize(&q); |
| 2391 | if( rid==0 ){ |
| 2392 | style_header("No such file"); |
| 2393 |