[ostree] pull: Fix use-after-free



commit 6dfe99a283e9327b70f636cf82da3fa439576645
Author: Anne LoVerso <aelv13 gmail com>
Date:   Thu Aug 21 13:45:55 2014 -0400

    pull: Fix use-after-free
    
    The strchr() was pointing into a string we were freeing.

 src/libostree/ostree-repo-pull.c |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)
---
diff --git a/src/libostree/ostree-repo-pull.c b/src/libostree/ostree-repo-pull.c
index 7c85ccd..0ad9157 100644
--- a/src/libostree/ostree-repo-pull.c
+++ b/src/libostree/ostree-repo-pull.c
@@ -441,23 +441,22 @@ scan_dirtree_object (OtPullData   *pull_data,
       {
         const char *subpath = NULL;  
         const char *nextslash = NULL;
+        gs_free char *dir_data = NULL;
+
         g_assert (pull_data->dir[0] == '/'); // assert it starts with / like "/usr/share/rpm"
         subpath = pull_data->dir + 1;  // refers to name minus / like "usr/share/rpm"
         nextslash = strchr (subpath, '/'); //refers to start of next slash like "/share/rpm"
+        dir_data = pull_data->dir; // keep the original pointer around since strchr() points into it
+        pull_data->dir = NULL;
 
         if (nextslash)
           {
             subdir_target = g_strndup (subpath, nextslash - subpath); // refers to first dir, like "usr"
-            g_free (pull_data->dir);
             pull_data->dir = g_strdup (nextslash); // sets dir to new deeper level like "/share/rpm"
           }
         else // we're as deep as it goes, i.e. subpath = "rpm"
-          {
-            subdir_target = g_strdup (subpath); 
-            g_clear_pointer (&pull_data->dir, g_free);
-            pull_data->dir = NULL;
-          }
-        }
+          subdir_target = g_strdup (subpath); 
+      }
 
   n = g_variant_n_children (dirs_variant);
 
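Review bot: The only check that `pull_data->dir` starts with '/' is the `g_assert` kept as context just above the new ownership transfer, and GLib compiles `g_assert` out when `G_DISABLE_ASSERT` is defined. In such a build an empty string would leave `subpath = pull_data->dir + 1` pointing past the terminator, so the `strchr` would read outside the allocation; with assertions enabled, a malformed value aborts the process instead of failing the pull. Whether the value is validated where it is set is not visible in this hunk, so either confirm that or replace the assert with an explicit check that takes whatever error path the function already uses. It would also help to state the lifetime rule on the new declaration, e.g. `gs_free char *dir_data = NULL; // owns the old pull_data->dir; subpath/nextslash point into it until this block ends`. scan_dirtree_object's body starts and ends outside the hunk.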

