lib/repo-finder-avahi: Fix memory corruption of a GVariantIter

A GVariantIter* was being passed to a GVariant format string varargs,
rather than a GVariantIter**. This resulted in memory corruption.

So we can continue to reuse ref_map throughout the function, make it a
GVariantIter* rather than a stack-allocated GVariantIter.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
Closes: #1301
Approved by: cgwalters

diff --git a/src/libostree/ostree-repo-finder-avahi.c b/src/libostree/ostree-repo-finder-avahi.c
index 0c88ad60a5e26ab31df402f81eb4f42815cca091..a2574712c331c7f95436054ee87fca3ae2e5476a 100644 (file)
--- a/src/libostree/ostree-repo-finder-avahi.c
+++ b/src/libostree/ostree-repo-finder-avahi.c
@@ -466,7 +466,7 @@ fill_refs_and_checksums_from_summary (GVariant    *summary,
 {
   g_autoptr(GVariant) ref_map_v = NULL;
   g_autoptr(GVariant) additional_metadata_v = NULL;
-  GVariantIter ref_map;
+  g_autoptr(GVariantIter) ref_map = NULL;
   g_auto(GVariantDict) additional_metadata = OT_VARIANT_BUILDER_INITIALIZER;
   const gchar *collection_id;
   g_autoptr(GVariantIter) collection_map = NULL;
@@ -474,7 +474,7 @@ fill_refs_and_checksums_from_summary (GVariant    *summary,
   ref_map_v = g_variant_get_child_value (summary, 0);
   additional_metadata_v = g_variant_get_child_value (summary, 1);
 
-  g_variant_iter_init (&ref_map, ref_map_v);
+  ref_map = g_variant_iter_new (ref_map_v);
   g_variant_dict_init (&additional_metadata, additional_metadata_v);
 
   /* If the summary file specifies a collection ID (to apply to all the refs in its
@@ -485,10 +485,12 @@ fill_refs_and_checksums_from_summary (GVariant    *summary,
     {
       if (!ostree_validate_collection_id (collection_id, error))
         return FALSE;
-      if (!fill_refs_and_checksums_from_summary_map (&ref_map, collection_id, refs_and_checksums, error))
+      if (!fill_refs_and_checksums_from_summary_map (ref_map, collection_id, refs_and_checksums, error))
         return FALSE;
     }
 
+  g_clear_pointer (&ref_map, (GDestroyNotify) g_variant_iter_free);
+
   /* Repeat for the other collections listed in the summary. */
   if (g_variant_dict_lookup (&additional_metadata, OSTREE_SUMMARY_COLLECTION_MAP, "a{sa(s(taya{sv}))}", &collection_map))
     {
@@ -496,7 +498,7 @@ fill_refs_and_checksums_from_summary (GVariant    *summary,
         {
           if (!ostree_validate_collection_id (collection_id, error))
             return FALSE;
-          if (!fill_refs_and_checksums_from_summary_map (&ref_map, collection_id, refs_and_checksums, error))
+          if (!fill_refs_and_checksums_from_summary_map (ref_map, collection_id, refs_and_checksums, error))
             return FALSE;
         }
     }