From mboxrd@z Thu Jan  1 00:00:00 1970
From: john at keeping.me.uk (John Keeping)
Date: Wed, 13 Jan 2016 08:58:43 +0000
Subject: [PATCH 1/1] ui-repolist: initialize char *buf to NULL
In-Reply-To: <1452642303-30792-1-git-send-email-list@eworm.de>
References: <1452642303-30792-1-git-send-email-list@eworm.de>
Message-ID: <20160113085842.GB14056@serenity.lan>

On Wed, Jan 13, 2016 at 12:45:03AM +0100, Christian Hesse wrote:
> From: Christian Hesse <mail at eworm.de>
> 
> readfile() can fail if the agefile is not readable. Make sure free()
> does not free an ininitialized string.
> 
> Signed-off-by: Christian Hesse <mail at eworm.de>
> ---
>  ui-repolist.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ui-repolist.c b/ui-repolist.c
> index a2e9e07..8d982c4 100644
> --- a/ui-repolist.c
> +++ b/ui-repolist.c
> @@ -15,7 +15,7 @@ static time_t read_agefile(char *path)
>  {
>  	time_t result;
>  	size_t size;
> -	char *buf;
> +	char *buf = NULL;
>  	struct strbuf date_buf = STRBUF_INIT;
>  
>  	if (readfile(path, &buf, &size)) {

I wonder if we'd be better off changing readfile() so that it only
updates buf on success (and cleans up after itself on failure).

The only other use of readfile() is in scan-tree.c and in that case we
don't really want to leave a partial value in the result.

Something like this perhaps (untested):

-- >8 --
diff --git a/shared.c b/shared.c
index e216c64..6fc4ee5 100644
--- a/shared.c
+++ b/shared.c
@@ -469,6 +469,8 @@ int readfile(const char *path, char **buf, size_t *size)
 {
        int fd, e;
        struct stat st;
+       char *out;
+       size_t sz;
 
        fd = open(path, O_RDONLY);
        if (fd == -1)
@@ -482,12 +484,20 @@ int readfile(const char *path, char **buf, size_t *size)
                close(fd);
                return EISDIR;
        }
-       *buf = xmalloc(st.st_size + 1);
-       *size = read_in_full(fd, *buf, st.st_size);
+       out = xmalloc(st.st_size + 1);
+       sz = read_in_full(fd, out, st.st_size);
        e = errno;
-       (*buf)[*size] = '\0';
+       out[sz] = '\0';
        close(fd);
-       return (*size == st.st_size ? 0 : e);
+
+       if (sz != st.st_size) {
+               free(out);
+               return e;
+       }
+
+       *buf = out;
+       *size = sz;
+       return 0;
 }
 
 static int is_token_char(char c)