When prepare_cmd() fails for, e.g., pager process setup, child_process_clear() frees the memory in pager_process.args, but .argv still points to the previously location. When setup_pager() is called a second time, from cmd_log_init_finish() in this case, its strvec operations (i.e. using pager_process.argv) will lead to a use-after-free. This patch makes sure that further uses of the child_process cleared by child_process_clear() gets a properly initialized struct. Reproducer: $ git config pager.show INVALID_PAGER $ git show $VALID_COMMIT error: cannot run INVALID_PAGER: No such file or directory [1] 3619 segmentation fault (core dumped) git show $VALID_COMMIT Signed-off-by: Enzo Matsumiya <ematsumiya@xxxxxxx> Reviewed-by: Jeff King <peff@xxxxxxxx> --- Changes to v1: * Implement all of Jeff's suggestions: - remove double frees to .argv - discard the idea of falling back to DEFAULT_PAGER - replace memset() in child_process_clear() by child_process_init() - update/improve commit message run-command.c | 1 + 1 file changed, 1 insertion(+) diff --git a/run-command.c b/run-command.c index f329391154ae..a7bf81025afb 100644 --- a/run-command.c +++ b/run-command.c @@ -19,6 +19,7 @@ void child_process_clear(struct child_process *child) { strvec_clear(&child->args); strvec_clear(&child->env_array); + child_process_init(child); } struct child_to_clean { -- 2.33.1
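Review bot: the hunk's call to child_process_init(child) after the two strvec_clear() calls re-initialises the whole struct, not only the dangling .argv that the commit message describes, so any caller that clears a child_process and then expects other fields (the in/out/err descriptors, dir, flags such as use_shell) to survive will now find them reset; a short comment above child_process_clear() saying that the struct is left in the same state as a freshly initialised one would make that contract explicit for future callers. The reproducer in the commit message (pager.show set to a non-existent command, then git show on a valid commit) is also a ready-made regression test: turning it into a test that checks for "cannot run" on stderr and a non-crashing exit would exercise the second setup_pager() call from cmd_log_init_finish() that triggered the use-after-free, which nothing in this patch otherwise covers.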