
notes: avoid potential use-after-free during insertion

The note_tree_insert() function may free the leaf_node struct we pass in
(e.g., if it's a duplicate, or if it needs to be combined with an
existing note).

Most callers are happy with this, as they assume that ownership of the
struct is handed off. But in load_subtree(), if we see an error we'll
use the handed-off struct's key_oid to generate the die() message,
potentially accessing freed memory.

We can easily fix this by instead using the original oid that we copied
into the leaf_node struct.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Branch: maint
Author: Jeff King, 5 years ago; committed by Junio C Hamano
Parent commit: 60fe477a0b
Files changed: notes.c (2 lines)
@ -460,7 +460,7 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree, @@ -460,7 +460,7 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree,
die("Failed to load %s %s into notes tree "
"from %s",
type == PTR_TYPE_NOTE ? "note" : "subtree",
oid_to_hex(&l->key_oid), t->ref);
oid_to_hex(&object_oid), t->ref);

continue;


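Review bot: the replacement of `oid_to_hex(&l->key_oid)` with `oid_to_hex(&object_oid)` in the die() call is only safe if `object_oid` is the local copy from which `l->key_oid` was filled earlier in load_subtree() and is still in scope at this point; the hunk context does not show that declaration, so a reader verifying the fix should check the lines above the hunk. The other arguments (`type` and `t->ref`) do not touch the possibly-freed `l`, so nothing else in this call needs changing. It would also help to confirm that `l` is not referenced again after note_tree_insert() anywhere else in the loop, since the commit message only covers the die() path.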