Fix double-free on ternary operator parsing error

v1 gets double-freed when there's an error parsing the result side of the ternary operator. Add testcases to go, one that catches the actual error and another which serves to demonstrate that the false branch doesn't get parsed at all, errors or no.
rpm-software-management · Sep 19, 2019 · 7ec004c · 7ec004c
1 parent 708e613
commit 7ec004c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/rpmio/expression.c b/rpmio/expression.c
@@ -705,9 +705,9 @@ static Value doTernary(ParseState state)
       default:
 	goto err;
     }
-    valueFree(v1);
     if (rdToken(state))
       goto err;
+    valueFree(v1);
     v1 = doTernary(state);
     if (v1 == NULL)
       goto err;

diff --git a/tests/rpmmacro.at b/tests/rpmmacro.at
@@ -276,6 +276,8 @@ runroot rpm --eval '%{expr:"a"=!"b"}'
 runroot rpm --eval '%{expr:4+}'
 runroot rpm --eval '%{expr:bare}'
 runroot rpm --eval '%{expr:1/0}'
+runroot rpm --eval '%{expr:0 < 1 ? 0 : 4+}'
+runroot rpm --eval '%{expr:0 < 1 ? 4+ : 0}'
 ],
 [1],
 [],
@@ -288,6 +290,7 @@ error: unexpected end of expression: 4+
 error: bare words are no longer supported, please use "...": bare
 error:                                                       ^
 error: division by zero: 1/0
+error: unexpected end of expression: 0 < 1 ? 0 : 4+
 ])
 AT_CLEANUP