From f1207632cf192ef47181c2636298f73442038760 Mon Sep 17 00:00:00 2001
From: hanxinke
Date: Fri, 4 Mar 2022 17:13:27 +0800
Subject: [PATCH] fix use after free in verto_free
---
 ...ort-fix-use-after-free-in-verto_free.patch | 47 +++++++++++++++++++
 libverto.spec | 6 ++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 backport-fix-use-after-free-in-verto_free.patch
diff --git a/backport-fix-use-after-free-in-verto_free.patch b/backport-fix-use-after-free-in-verto_free.patch
new file mode 100644
index 0000000..fab4841
--- /dev/null
+++ b/backport-fix-use-after-free-in-verto_free.patch
@@ -0,0 +1,47 @@
+From 60b276cf4ce4ab244670dfac1301704b28498805 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Mon, 15 Mar 2021 14:27:18 -0400
+Subject: [PATCH] Fix use-after-free in verto_free()
+
+Instead of freeing all events, verto_free() would spin trying to free
+the same one.
+
+Discovered by scan-build.
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: hanxinke
+---
+ src/verto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/verto.c b/src/verto.c
+index 71eaffa..c06c92b 100644
+--- a/src/verto.c
++++ b/src/verto.c
+@@ -583,6 +583,8 @@ verto_set_allocator(void *(*resize)(void *mem, size_t size),
+ void
+ verto_free(verto_ctx *ctx)
+ {
++ verto_ev *cur, *next;
++
+ if (!ctx)
+ return;
+
+@@ -591,8 +593,12 @@ verto_free(verto_ctx *ctx)
+ return;
+
+ /* Cancel all pending events */
+- while (ctx->events)
+- verto_del(ctx->events);
++ next = NULL;
++ for (cur = ctx->events; cur != NULL; cur = next) {
++ next = cur->next;
++ verto_del(cur);
++ }
++ ctx->events = NULL;
+
+ /* Free the private */
+ if (!ctx->deflt || !ctx->module->funcs->ctx_default)
+--
+1.8.3.1
+
diff --git a/libverto.spec b/libverto.spec
index 7aa4fdc..875623a 100644
--- a/libverto.spec
+++ b/libverto.spec
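Review bot: The new loop in verto_free() saves `next = cur->next` before `verto_del(cur)`, so its safety depends on verto_del() never freeing or unlinking any event other than `cur`; verto_del()'s body is outside this hunk, so that cannot be confirmed from the patch. If deleting an event can run a user-supplied callback that itself deletes a neighbouring pending event, the saved `next` dangles and teardown reads freed memory again, the same class of bug this backport fixes. The invariant deserves a comment on the loop, e.g. `/* Save next first: verto_del() frees cur and must not remove any other event from the list. */`. The trailing `ctx->events = NULL;` is also worth a one-line comment stating that the list is intentionally dropped rather than relying on verto_del() to have unlinked every entry.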
@@ -1,12 +1,13 @@
 Name: libverto
 Version: 0.3.1
-Release: 3
+Release: 4
 Summary: Main loop abstraction library
 License: MIT
 URL: https://github.com/latchset/libverto
 Source0: https://github.com/latchset/libverto/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch6000: backport-re-order-pkgconfig-for-expected-dependencies.patch
+Patch6001: backport-fix-use-after-free-in-verto_free.patch
 BuildRequires: autoconf automake libtool glib2-devel
 BuildRequires: libevent-devel libev-devel git
@@ -91,6 +92,9 @@ find %{buildroot} -name '*.la' -exec rm -f {} ';'
 %{_libdir}/pkgconfig/%{name}-libev.pc
 %changelog
+* Fri Mar 04 2022 hanxinke - 0.3.1-4
+- fix use after free in verto_free
+
 * Thu Mar 03 2022 hanxinke - 0.3.1-3
 - fix broken pkgconfig files
--
Gitee