Fix potential leak, do not allow replacement of discovered pkgs

Ikey Doherty · Ikey Doherty · commit 1d500c4394ce · 2016-01-08T15:25:51.000Z
This fixes an issue in flat clones of repos, whereby an expanded repo may then
contain a .spec file further inside the tree beyond its own .spec file, noticed
specifically in RPM setups.

Signed-off-by: Ikey Doherty &lt;michael.i.doherty@intel.com&gt;
diff --git a/src/main.c b/src/main.c
@@ -95,7 +95,8 @@ static void cve_add_package_internal(struct source_package_t *pkg)
         }
 
         if (g_hash_table_contains(self->db, pkg->name)) {
-                g_hash_table_remove(self->db, pkg->name);
+                package_free(pkg);
+                return;
         }
 
         if (self->mapping) {
@@ -529,7 +530,6 @@ static bool cve_locate(const char *path, bool recurse)
         bool ret = false;
         DIR *dir = NULL;
         struct dirent *ent = NULL;
-        char *fullp = NULL;
 
         if (!pkg_plugin || !(pkg_plugin->flags & PLUGIN_TYPE_PACKAGE) || !pkg_plugin->is_package) {
                 fprintf(stderr, "Abnormal configuration in plugin\n");
@@ -549,13 +549,13 @@ static bool cve_locate(const char *path, bool recurse)
                 }
                 while ((ent = readdir(dir))) {
                         if (!streq(ent->d_name, ".") && !streq(ent->d_name, "..")) {
+                                autofree(char) *fullp = NULL;
                                 if (!asprintf(&fullp, "%s/%s", path, ent->d_name)) {
                                         goto end;
                                 }
                                 if (!(cve_is_dir(fullp) && !recurse)) {
                                         cve_locate(fullp, recurse);
                                 }
-                                free(fullp);
                         }
                 }
         } else if (S_ISREG(st.st_mode)) {

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,8 @@ static void cve_add_package_internal(struct source_package_t *pkg)`
`95`	`95`	`}`
`96`	`96`
`97`	`97`	`if (g_hash_table_contains(self->db, pkg->name)) {`
`98`		`- g_hash_table_remove(self->db, pkg->name);`
	`98`	`+ package_free(pkg);`
	`99`	`+ return;`
`99`	`100`	`}`
`100`	`101`
`101`	`102`	`if (self->mapping) {`
`@@ -529,7 +530,6 @@ static bool cve_locate(const char *path, bool recurse)`
`529`	`530`	`bool ret = false;`
`530`	`531`	`DIR *dir = NULL;`
`531`	`532`	`struct dirent *ent = NULL;`
`532`		`- char *fullp = NULL;`
`533`	`533`
`534`	`534`	`if (!pkg_plugin \|\| !(pkg_plugin->flags & PLUGIN_TYPE_PACKAGE) \|\| !pkg_plugin->is_package) {`
`535`	`535`	`fprintf(stderr, "Abnormal configuration in plugin\n");`
`@@ -549,13 +549,13 @@ static bool cve_locate(const char *path, bool recurse)`
`549`	`549`	`}`
`550`	`550`	`while ((ent = readdir(dir))) {`
`551`	`551`	`if (!streq(ent->d_name, ".") && !streq(ent->d_name, "..")) {`
	`552`	`+ autofree(char) *fullp = NULL;`
`552`	`553`	`if (!asprintf(&fullp, "%s/%s", path, ent->d_name)) {`
`553`	`554`	`goto end;`
`554`	`555`	`}`
`555`	`556`	`if (!(cve_is_dir(fullp) && !recurse)) {`
`556`	`557`	`cve_locate(fullp, recurse);`
`557`	`558`	`}`
`558`		`- free(fullp);`
`559`	`559`	`}`
`560`	`560`	`}`
`561`	`561`	`} else if (S_ISREG(st.st_mode)) {`