From 4b3b7975b2f28b067c593f45c7c7dda2d31bc250 Mon Sep 17 00:00:00 2001
From: Ron Yorston
Date: Sun, 19 Jan 2020 09:38:11 +0000
Subject: mingw: fix use after free in file_owner()

The security descriptor was being freed before its contents were accessed.
---
 win32/mingw.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

(limited to 'win32')

diff --git a/win32/mingw.c b/win32/mingw.c
index 38fbf2d4b..e64f48bf1 100644
--- a/win32/mingw.c
+++ b/win32/mingw.c
@@ -418,7 +418,6 @@ static uid_t file_owner(HANDLE fh)
 	PSECURITY_DESCRIPTOR pSD;
 	static PTOKEN_USER user = NULL;
 	static int initialised = 0;
-	int equal;
 	uid_t uid = 0;
 	DWORD *ptr;
 	unsigned char prefix[] = {
@@ -453,18 +452,16 @@ static uid_t file_owner(HANDLE fh)
 				&pSidOwner, NULL, NULL, NULL, &pSD) != ERROR_SUCCESS)
 		return 0;
 
-	equal = EqualSid(pSidOwner, user->User.Sid);
-	LocalFree(pSD);
-
-	if (equal)
-		return DEFAULT_UID;
-
-	/* for local or domain users use the RID as uid */
-	if (memcmp(pSidOwner, prefix, sizeof(prefix)) == 0) {
+	if (EqualSid(pSidOwner, user->User.Sid)) {
+		uid = DEFAULT_UID;
+	}
+	else if (memcmp(pSidOwner, prefix, sizeof(prefix)) == 0) {
+		/* for local or domain users use the RID as uid */
 		ptr = (DWORD *)pSidOwner;
 		if (ptr[6] >= 500 && ptr[6] < DEFAULT_UID)
 			uid = (uid_t)ptr[6];
 	}
+	LocalFree(pSD);
 
 	return uid;
 #if 0
-- 
cgit v1.2.3-55-g6feb
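Review bot: The reordering in the second hunk is correct, but nothing in the code records the lifetime constraint it depends on, so the next refactor can reintroduce the same use-after-free: pSidOwner is a pointer into the buffer that GetSecurityInfo hands back via pSD, and it is only valid until LocalFree(pSD). Add a comment above the new `if (EqualSid(pSidOwner, user->User.Sid)) {` line, e.g. `/* pSidOwner points into pSD; do not LocalFree(pSD) until the SID checks below are done */`. It would also help readers to document the mapping this function produces at its top: the calling user maps to DEFAULT_UID, a local or domain user whose RID is in [500, DEFAULT_UID) maps to that RID, and every other owner (and a failed GetSecurityInfo) maps to uid 0. The `ptr[6]` access on the raw SID presumably relies on the memcmp against prefix having fixed the SID layout; if prefix does not pin the sub-authority count, reading a fixed offset is worth a second look. file_owner() starts before the first hunk and continues past `#if 0` at the end of the second.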