Correct multiple security related errors: a buffer overflow, NULL

pointer dereferences, possible use of uninitialized variables, and
memory leaks.

Security:	CAN-2005-0753
Security:	FreeBSD-SA-05:05.cvs
Approved by:	peter

1 files changed, 6 insertions, 3 deletions

diff --git a/contrib/cvs/src/patch.c b/contrib/cvs/src/patch.c
index cba6a8a..7d99f29 100644
--- a/contrib/cvs/src/patch.c
+++ b/contrib/cvs/src/patch.c
@@ -10,6 +10,8 @@
  * Create a Larry Wall format "patch" file between a previous release and the
  * current head of a module, or between two releases.  Can specify the
  * release as either a date or a revision number.
+ *
+ * $FreeBSD$
  */
 
 #include <assert.h>
@@ -385,6 +387,7 @@ patch_fileproc (callerdat, finfo)
     struct utimbuf t;
     char *vers_tag, *vers_head;
     char *rcs = NULL;
+    char *rcs_orig = NULL;
     RCSNode *rcsfile;
     FILE *fp1, *fp2, *fp3;
     int ret = 0;
@@ -415,7 +418,7 @@ patch_fileproc (callerdat, finfo)
     if ((rcsfile->flags & VALID) && (rcsfile->flags & INATTIC))
 	isattic = 1;
 
-    rcs = xmalloc (strlen (finfo->file) + sizeof (RCSEXT) + 5);
+    rcs_orig = rcs = xmalloc (strlen (finfo->file) + sizeof (RCSEXT) + 5);
     (void) sprintf (rcs, "%s%s", finfo->file, RCSEXT);
 
     /* if vers_head is NULL, may have been removed from the release */
@@ -757,8 +760,8 @@ failed to read diff file header %s for %s: end of file", tmpfile3, rcs);
 	free (vers_tag);
     if (vers_head != NULL)
 	free (vers_head);
-    if (rcs != NULL)
-	free (rcs);
+    if (rcs_orig)
+	free (rcs_orig);
     return ret;
 }