uncrypt: avoid use-after-free
The `std::string package` variable goes out of scope but the input_path
variable is then used to access the memory as it's set to `c_str()`.
This was detected via OpenBSD malloc's junk filling feature.
Change-Id: Ic4b939347881b6ebebf71884e7e2272ce99510e2
diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp
index 20efbe4..de7e481 100644
--- a/uncrypt/uncrypt.cpp
+++ b/uncrypt/uncrypt.cpp
@@ -418,8 +418,6 @@
}
int main(int argc, char** argv) {
- const char* input_path;
- const char* map_file;
if (argc != 3 && argc != 1 && (argc == 2 && strcmp(argv[1], "--reboot") != 0)) {
fprintf(stderr, "usage: %s [--reboot] [<transform_path> <map_file>]\n", argv[0]);
@@ -443,13 +441,16 @@
}
unique_fd status_fd_holder(status_fd);
+ std::string package;
+ const char* input_path;
+ const char* map_file;
+
if (argc == 3) {
// when command-line args are given this binary is being used
// for debugging.
input_path = argv[1];
map_file = argv[2];
} else {
- std::string package;
if (!find_uncrypt_package(package)) {
android::base::WriteStringToFd("-1\n", status_fd);
return 1;
