Fix use-after-free in submodule reload

If the first call to release a no-longer-existent submodule freed the object, the check if a second is needed would dereference the data that was just freed.

Fix use-after-free in submodule reload
If the first call to release a no-longer-existent submodule freed the object, the check if a second is needed would dereference the data that was just freed.
add8db06 · Russell Belfer · 041fad4a · add8db06
Commit add8db06 authored Mar 27, 2014 by Russell Belfer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

src/submodule.c
+6 -3

No files found.
--- a/src/submodule.c
+++ b/src/submodule.c
@@ -852,10 +852,13 @@ int git_submodule_reload_all(git_repository *repo, int force)
 	git_strmap_foreach_value(repo->submodules, sm, {
 		git_strmap *cache = repo->submodules;
-		if ((sm->flags & GIT_SUBMODULE_STATUS__IN_FLAGS) == 0) {
+		if (sm && (sm->flags & GIT_SUBMODULE_STATUS__IN_FLAGS) == 0) {
-			submodule_cache_remove_item(cache, sm->name, sm, true);
+			/* we must check path != name before first remove, in case
+			 * that call frees the submodule */
+			bool free_as_path = (sm->path != sm->name);
-			if (sm->path != sm->name)
+			submodule_cache_remove_item(cache, sm->name, sm, true);
+			if (free_as_path)
 				submodule_cache_remove_item(cache, sm->path, sm, true);
 		}
 	});