From c5631fc09666a9542d2882299d40500d18d1f68c Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 12 Jan 2016 16:54:44 -0500
Subject: uncrypt: avoid use-after-free
The `std::string package` variable goes out of scope but the input_path variable is then used to access the memory as it's set to `c_str()`. This was detected via OpenBSD malloc's junk filling feature.
Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
---
 uncrypt/uncrypt.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 20efbe4df..de7e48182 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -418,8 +418,6 @@ int uncrypt(const char* input_path, const char* map_file, int status_fd) {
 }
 int main(int argc, char** argv) {
- const char* input_path;
- const char* map_file;
 if (argc != 3 && argc != 1 && (argc == 2 && strcmp(argv[1], "--reboot") != 0)) {
 fprintf(stderr, "usage: %s [--reboot] [ ]\n", argv[0]);
@@ -443,13 +441,16 @@ int main(int argc, char** argv) {
 }
 unique_fd status_fd_holder(status_fd);
+ std::string package;
+ const char* input_path;
+ const char* map_file;
+
 if (argc == 3) {
 // when command-line args are given this binary is being used
 // for debugging.
 input_path = argv[1];
 map_file = argv[2];
 } else {
- std::string package;
 if (!find_uncrypt_package(package)) {
 android::base::WriteStringToFd("-1\n", status_fd);
 return 1;
--
cgit v1.2.3
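Review bot: The hoisted `std::string package;` in the second hunk carries no comment saying why it now sits at function scope, so a later tidy-up could move it back into the `else` branch and reintroduce the dangling pointer this commit removes. A line above the declaration such as `// package must outlive input_path, which points into its buffer via c_str()` would record the lifetime dependency. `input_path` and `map_file` are also still declared without an initializer; `const char* input_path = nullptr;` and `const char* map_file = nullptr;` would make any path that skips both assignments hand a null pointer onward rather than an indeterminate one. The `c_str()` assignment and the remainder of main() lie outside the hunk, so the aliasing is taken from the commit message rather than from visible lines.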