double-free in get_xattrs_impl
Hello, I'm reviewing flatpak as part of an Ubuntu main inclusion request. It's just a quick look, not an in-depth audit.
Coverity reported a double-free in get_xattrs_impl():
libglnx/glnx-xattrs.c:209
Type: Double free (USE_AFTER_FREE)
libglnx/glnx-xattrs.c:154:
1. path: Condition "path != NULL", taking true branch.
libglnx/glnx-xattrs.c:154:
2. path: Falling through to end of if statement.
libglnx/glnx-xattrs.c:154:
3. path: Condition "({...; _g_boolean_var_;})", taking true branch.
libglnx/glnx-xattrs.c:154:
4. path: Falling through to end of if statement.
libglnx/glnx-xattrs.c:160:
5. path: Condition "path", taking true branch.
libglnx/glnx-xattrs.c:161:
6. path: Falling through to end of if statement.
libglnx/glnx-xattrs.c:165:
7. path: Condition "bytes_read < 0", taking false branch.
libglnx/glnx-xattrs.c:173:
8. path: Condition "bytes_read > 0", taking true branch.
libglnx/glnx-xattrs.c:176:
9. path: Condition "path", taking true branch.
libglnx/glnx-xattrs.c:177:
10. path: Falling through to end of if statement.
libglnx/glnx-xattrs.c:180:
11. path: Condition "real_size < 0", taking true branch.
libglnx/glnx-xattrs.c:182:
12. path: Condition "*__errno_location() == 34", taking true branch.
libglnx/glnx-xattrs.c:184:
13. freed_arg: "g_free" frees "xattr_names".
libglnx/glnx-xattrs.c:185:
14. path: Jumping to label "again".
libglnx/glnx-xattrs.c:160:
15. path: Condition "path", taking true branch.
libglnx/glnx-xattrs.c:161:
16. path: Falling through to end of if statement.
libglnx/glnx-xattrs.c:165:
17. path: Condition "bytes_read < 0", taking true branch.
libglnx/glnx-xattrs.c:167:
18. path: Condition "*__errno_location() != 95", taking true branch.
libglnx/glnx-xattrs.c:170:
19. path: Jumping to label "out".
libglnx/glnx-xattrs.c:207:
20. path: Condition "!builder_initialized", taking false branch.
libglnx/glnx-xattrs.c:209:
21. double_free: Calling "g_autoptr_cleanup_generic_gfree" frees pointer "xattr_names" which has already been freed.
/usr/include/glib-2.0/glib/glib-autocleanups.h:27:
21.1. var_assign_parm: Assigning: "pp" = "p".
/usr/include/glib-2.0/glib/glib-autocleanups.h:28:
21.2. freed_arg: "g_free" frees parameter "*pp".
Thanks
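As an added example (not flatpak's or libglnx's code), the C below reconstructs the retry pattern the trace describes: a buffer freed by hand before "goto again", then released once more by the autofree cleanup when the retry bails out to "out". The names xattr_names, bytes_read and real_size come from the trace; the heap stand-in, fake_listxattr, run_scenario and the ENOTSUP/zero-length handling are constructed or assumed from the trace's branch structure, and GCC's cleanup attribute stands in for g_autofree, which is built on it.

```c
#include <errno.h>
#include <stddef.h>
/* Constructed heap stand-in: a liveness flag turns a second release into a counter, not heap corruption. */
static char arena[64];
static int arena_live, double_frees;
static char *xalloc(void) { arena_live = 1; return arena; }
static void xfree(char *p) { if (p) { if (!arena_live) double_frees++; arena_live = 0; } }
/* Same shape as g_autoptr_cleanup_generic_gfree: frees what the variable holds at scope exit. */
static void autofree_cleanup(char **pp) { xfree(*pp); }
#define autofree __attribute__((cleanup(autofree_cleanup)))
/* Constructed listxattr() replacement: scripted {return value, errno} per call. */
struct reply { long ret; int err; };
static const struct reply *script; static int script_pos;
static long fake_listxattr(void) {
    const struct reply *r = &script[script_pos++];
    if (r->ret < 0) errno = r->err;
    return r->ret;
}

/* The retry loop from the trace; clear_on_retry == 0 reproduces the reported bug. */
static int get_xattr_names(int clear_on_retry) {
    autofree char *xattr_names = NULL;
    long bytes_read, real_size;
again:
    bytes_read = fake_listxattr();                  /* size probe */
    if (bytes_read < 0) {
        if (errno != ENOTSUP) return -1;            /* "goto out": cleanup frees xattr_names */
        bytes_read = 0;
    }
    if (bytes_read > 0) {
        xattr_names = xalloc();                     /* bytes_read-byte buffer */
        real_size = fake_listxattr();               /* fill it */
        if (real_size < 0 && errno == ERANGE) {     /* list grew between the two calls */
            xfree(xattr_names);                     /* g_free(xattr_names) in the trace */
            if (clear_on_retry) xattr_names = NULL; /* the fix: drop the stale pointer */
            goto again;
        }
        if (real_size < 0) return -1;
    }
    return 0;
}

/* Replays the Coverity path (ERANGE on the fill, then a failing probe); returns double frees seen. */
static int run_scenario(int clear_on_retry) {
    static const struct reply path[] = { {14, 0}, {-1, ERANGE}, {-1, EACCES} };
    script = path; script_pos = 0; arena_live = 0; double_frees = 0;
    get_xattr_names(clear_on_retry);
    return double_frees;
}
```

In GLib code the same fix is usually spelled g_clear_pointer (&xattr_names, g_free), which frees and nulls the variable in one step so the autoptr cleanup at "out" has nothing left to release.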