Sun, 11 Jun 2023 21:21:34 +0200
fix UAF in davql select exec
libidav/davqlexec.c | file | annotate | diff | comparison | revisions |
--- a/libidav/davqlexec.c Fri Jun 09 22:37:17 2023 +0200 +++ b/libidav/davqlexec.c Sun Jun 11 21:21:34 2023 +0200 @@ -622,12 +622,12 @@ // do a propfind request for each resource on the stack while(stack->size > 0) { - DavQLRes *sr = cxListAt(stack, 0); // get first element from the stack - cxListRemove(stack, 0); + DavQLRes *sr_ptr = cxListAt(stack, 0); // get first element from the stack + DavResource *root = sr_ptr->resource; + int res_depth = sr_ptr->depth; cxListRemove(stack, 0); // remove first element - DavResource *root = sr->resource; - util_set_url(sn, dav_resource_get_href(sr->resource)); + util_set_url(sn, dav_resource_get_href(root)); CURLcode ret = do_propfind_request(sn, rqbuf, rpbuf); long http_status = 0; curl_easy_getinfo(sn->handle, CURLINFO_RESPONSE_CODE, &http_status); @@ -702,11 +702,11 @@ //resource_add_child(root, child); resource_add_ordered_child(root, child, ordercr); if(child->iscollection && - (depth < 0 || depth > sr->depth+1)) + (depth < 0 || depth > res_depth+1)) { DavQLRes rs; rs.resource = child; - rs.depth = sr->depth + 1; + rs.depth = res_depth + 1; cxListInsert(stack, 0, &rs); } } else {