From fdba2538855d8ad94bbe5e9c21c8564d01b20f1e Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Thu, 22 Dec 2011 18:16:25 -0500 Subject: [PATCH] fix use-after-free within rpmfdFromPyObject's error-handling These lines within python/rpmfd-py.c: rpmfdFromPyObject are the wrong way around: Py_DECREF(fdo); PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd)); If fdo was allocated by the call above to PyObject_CallFunctionObjArgs, it may have an ob_refcnt == 1, and thus the Py_DECREF() frees it, so fdo->fd is reading from deallocated memory. Signed-off-by: Ales Kozumplik
---
 python/rpmfd-py.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/rpmfd-py.c b/python/rpmfd-py.c
index 2d443f36f..a266ad686 100644
--- a/python/rpmfd-py.c
+++ b/python/rpmfd-py.c
@@ -29,8 +29,8 @@ int rpmfdFromPyObject(PyObject *obj, rpmfdObject **fdop)
 if (fdo == NULL) return 0;
 if (Ferror(fdo->fd)) {
- Py_DECREF(fdo);
 PyErr_SetString(PyExc_IOError, Fstrerror(fdo->fd));
+ Py_DECREF(fdo);
 return 0;
 }
 *fdop = fdo;
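Review bot: The corrected order in the `Ferror(fdo->fd)` branch is load-bearing, but nothing in the code says so, so a later tidy-up could move `Py_DECREF(fdo)` back above the `Fstrerror(fdo->fd)` read and reintroduce the use-after-free. I would add a comment directly above the `PyErr_SetString` call: `/* fdo may hold the only reference: read fdo->fd before Py_DECREF() */`. The fix is sound because `PyErr_SetString` copies the message into a new exception value before `fdo` is released. The hunk shows only this branch of rpmfdFromPyObject, whose body starts and ends outside it, so whether other error paths in the file release an object and then read one of its fields cannot be judged from here and is worth checking separately.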