From efda0ff7c7035dbbe72014369d1ad8c9624e8616 Mon Sep 17 00:00:00 2001
From: Florian Forster
Date: Wed, 17 Jun 2015 17:28:39 +0200
Subject: [PATCH] src/utils_db_query.c: Fix use-after-free.

"r_area->next" was evaluated after "r_area" was freed.
---
 src/utils_db_query.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/utils_db_query.c b/src/utils_db_query.c
index aadf9c5e..ab4299b3 100644
--- a/src/utils_db_query.c
+++ b/src/utils_db_query.c
@@ -976,10 +976,9 @@ udb_query_allocate_preparation_area (udb_query_t *q) /* {{{ */
   udb_result_preparation_area_t **next_r_area;
   udb_result_t *r;
-  q_area = (udb_query_preparation_area_t *)malloc (sizeof (*q_area));
+  q_area = malloc (sizeof (*q_area));
   if (q_area == NULL)
     return NULL;
-  memset (q_area, 0, sizeof (*q_area));
   next_r_area = &q_area->result_prep_areas;
@@ -987,14 +986,18 @@ udb_query_allocate_preparation_area (udb_query_t *q) /* {{{ */
   {
     udb_result_preparation_area_t *r_area;
-    r_area = (udb_result_preparation_area_t *)malloc (sizeof (*r_area));
+    r_area = malloc (sizeof (*r_area));
     if (r_area == NULL)
     {
-      for (r_area = q_area->result_prep_areas;
-          r_area != NULL; r_area = r_area->next)
+      udb_result_preparation_area_t *a = q_area->result_prep_areas;
+
+      while (a != NULL)
       {
-        free (r_area);
+        udb_result_preparation_area_t *next = a->next;
+        sfree (a);
+        a = next;
       }
+
+      free (q_area);
       return NULL;
     }
--
2.11.0
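Review bot: Removing `memset (q_area, 0, sizeof (*q_area))` while keeping a plain `malloc` leaves `q_area` with indeterminate contents, and the new cleanup loop in the second hunk reads `q_area->result_prep_areas` when the very first `r_area` allocation fails — unless the single line between the two hunks assigns that member, the loop then follows an uninitialized pointer, which is the same class of bug this commit sets out to fix. Switching the allocation to `q_area = calloc (1, sizeof (*q_area));` restores the zeroing the removed memset provided and also covers any other `q_area` fields the rest of the function does not set explicitly. The cleanup additionally depends on each linked node's `next` being assigned before a later iteration can fail; the code that links nodes is outside the hunks shown, so that should be confirmed. The enclosing function begins before the first hunk and continues past the second.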
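Review bot: The new error path releases the list nodes with `sfree (a)` but the parent with `free (q_area)`; within one cleanup block the two idioms should not be mixed. Since `q_area` goes out of scope on the immediately following `return NULL`, nulling it gains nothing, so `free (a)` for the nodes keeps the block uniform, or use `sfree` for both if the file prefers the macro everywhere. The `for` loop body this hunk sits in continues beyond the hunk.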