From 60fe477a0be2a3801e5ce3913e0be8e8e2e58e4f Mon Sep 17 00:00:00 2001
From: Jeff King <peff@peff.net>
Date: Sun, 25 Aug 2019 03:19:51 -0400
Subject: notes: avoid potential use-after-free during insertion

The note_tree_insert() function may free the leaf_node struct we pass in
(e.g., if it's a duplicate, or if it needs to be combined with an
existing note).

Most callers are happy with this, as they assume that ownership of the
struct is handed off. But in load_subtree(), if we see an error we'll
use the handed-off struct's key_oid to generate the die() message,
potentially accessing freed memory.

We can easily fix this by instead using the original oid that we copied
into the leaf_node struct.

Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
---
 notes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'notes.c')

diff --git a/notes.c b/notes.c
index 3130add618..9533a14a13 100644
--- a/notes.c
+++ b/notes.c
@@ -460,7 +460,7 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree,
 			die("Failed to load %s %s into notes tree "
 			    "from %s",
 			    type == PTR_TYPE_NOTE ? "note" : "subtree",
-			    oid_to_hex(&l->key_oid), t->ref);
+			    oid_to_hex(&object_oid), t->ref);
 
 		continue;
 
-- 
cgit v1.2.3