commit: avoid possible use-after-free

pks-t · pks-t · commit ade0d9c658fd · 2017-02-13T13:50:52.000+01:00
When extracting a commit's signature, we first free the object and only
afterwards put its signature contents into the result buffer. This works
in most cases - the free'd object will normally be cached anyway, so we
only end up decrementing its reference count without actually freeing
its contents. But in some more exotic setups, where caching is disabled,
this can definitly be a problem, as we might be the only instance
currently holding a reference to this object.

Fix this issue by first extracting the contents and freeing the object
afterwards only.
diff --git a/src/commit.c b/src/commit.c
@@ -766,8 +766,9 @@ int git_commit_extract_signature(git_buf *signature, git_buf *signed_data, git_r
 		if (git_buf_oom(signature))
 			goto oom;
 
+		error = git_buf_puts(signed_data, eol+1);
 		git_odb_object_free(obj);
-		return git_buf_puts(signed_data, eol+1);
+		return error;
 	}
 
 	giterr_set(GITERR_OBJECT, "this commit is not signed");

Original file line number	Diff line number	Diff line change
`@@ -766,8 +766,9 @@ int git_commit_extract_signature(git_buf signature, git_buf signed_data, git_r`
`766`	`766`	`if (git_buf_oom(signature))`
`767`	`767`	`goto oom;`
`768`	`768`
	`769`	`+ error = git_buf_puts(signed_data, eol+1);`
`769`	`770`	`git_odb_object_free(obj);`
`770`		`- return git_buf_puts(signed_data, eol+1);`
	`771`	`+ return error;`
`771`	`772`	`}`
`772`	`773`
`773`	`774`	`giterr_set(GITERR_OBJECT, "this commit is not signed");`