From: Christos Zoulas
Date: Sat, 1 Sep 2018 15:52:02 +0000 (+0000)
Subject: Fix use-after-free (https://runtimeverification.com/). The free code was
X-Git-Tag: FILE5_35~29
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e64f6d716bd04cbd50bc484f0e2fcc6eb5810ba5;p=file
Fix use-after-free (https://runtimeverification.com/). The free code was never changed when the mlist was changed from a NULL-terminated list to a circular one.
---
diff --git a/src/apprentice.c b/src/apprentice.c
index 4d8a3dee..6608d776 100644
--- a/src/apprentice.c
+++ b/src/apprentice.c
@@ -32,7 +32,7 @@
 #include "file.h"
 #ifndef lint
-FILE_RCSID("@(#)$File: apprentice.c,v 1.277 2018/08/11 12:17:37 christos Exp $")
+FILE_RCSID("@(#)$File: apprentice.c,v 1.278 2018/09/01 15:52:02 christos Exp $")
 #endif /* lint */
 #include "magic.h"
@@ -585,6 +585,14 @@ mlist_alloc(void)
 return mlist;
 }
+private void
+mlist_free_one(struct mlist *ml)
+{
+ if (ml->map)
+ apprentice_unmap(CAST(struct magic_map *, ml->map));
+ free(ml);
+}
+
 private void
 mlist_free(struct mlist *mlist)
 {
@@ -593,14 +601,11 @@ mlist_free(struct mlist *mlist)
 if (mlist == NULL)
 return;
- ml = mlist->next;
- for (ml = mlist->next; (next = ml->next) != NULL; ml = next) {
- if (ml->map)
- apprentice_unmap(CAST(struct magic_map *, ml->map));
- free(ml);
- if (ml == mlist)
- break;
+ for (ml = mlist->next; ml != mlist; ml = next) {
+ next = ml->next;
+ mlist_free_one(ml);
 }
+ mlist_free_one(mlist);
 }
 #ifndef COMPILE_ONLY
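Review bot: The new helper `mlist_free_one` carries no comment stating its contract, and the important part is what it does not do: it unmaps and frees the node in place without unlinking it, so any neighbour that still points at it is left dangling, which is only safe while the whole list is being torn down as `mlist_free` does. I would put above it `/* Release one node: unmap its magic map (if any), then free it. Does not unlink the node; only valid while the entire list is being destroyed. */`. Whether `ml->map` can be non-NULL for the head node returned by `mlist_alloc` is not visible here, since `mlist_alloc`'s body ends just before this hunk.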
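Review bot: The rewritten loop in `mlist_free` terminates only on `ml != mlist`, so it now depends entirely on the list being circular; a list that is still NULL-terminated, the representation the commit message says was replaced, would dereference NULL at `next = ml->next`, where the old `!= NULL` condition merely stopped early. Since that invariant is what the fix rests on, state it at the loop: `/* mlist is circular: free every other node first so the head remains a valid terminator, then free the head itself. */`, and if `<assert.h>` is in scope an `assert(ml != NULL);` before `next = ml->next;` makes a violated invariant fail at the check with a message instead of on the read one line later. The declarations of `ml` and `next` and the function's opening brace lie outside this hunk.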