From d5fbb8baf0474378c863739d8ecb0213218d6b77 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Date: Mon, 1 Jul 2019 10:51:50 +0200
Subject: Fix double free in GNU tar sparse file parser

The intention was to free the temporary object in addition to the list.
Since the temp pointer is also used for iterating the list, this resulted
in a double free instead of the intended.

This commit fixes the double free by replacing the recycled variable based
list free with the helper function intended to do this.

Bug found using scan-build.

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
---
 lib/tar/read_header.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/lib/tar/read_header.c b/lib/tar/read_header.c
index 95d7d0c..de6f0cd 100644
--- a/lib/tar/read_header.c
+++ b/lib/tar/read_header.c
@@ -203,11 +203,7 @@ fail_format:
 	fputs("malformed GNU pax sparse file record\n", stderr);
 	goto fail;
 fail:
-	while (list != NULL) {
-		ent = list;
-		list = list->next;
-		free(ent);
-	}
+	free_sparse_list(list);
 	free(ent);
 	return NULL;
 }
-- 
cgit v1.2.3