pathspec: fix segfault in clear_pathspec
author: Brandon Williams <bmwill@google.com>
Fri, 7 Apr 2017 19:29:19 +0000 (12:29 -0700)
committer: Junio C Hamano <gitster@pobox.com>
Mon, 17 Apr 2017 01:04:06 +0000 (18:04 -0700)
In 'clear_pathspec()' the incorrect index parameter is used to bound an
inner-loop which is used to free a 'struct attr_match' value field.
Using the incorrect index parameter (in addition to being incorrect)
occasionally causes segmentation faults when attempting to free an
invalid pointer. Fix this by using the correct index parameter 'i'.

Signed-off-by: Brandon Williams <bmwill@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
pathspec.c
index 303efda837a10ec4e8798f9899c90cd511752cfe..69ef86b85a7735df428b8cab9f9cce477a4fcd89 100644 (file)
@@ -724,7 +724,7 @@ void clear_pathspec(struct pathspec *pathspec)
                free(pathspec->items[i].match);
                free(pathspec->items[i].original);
 
-               for (j = 0; j < pathspec->items[j].attr_match_nr; j++)
+               for (j = 0; j < pathspec->items[i].attr_match_nr; j++)
                        free(pathspec->items[i].attr_match[j].value);
                free(pathspec->items[i].attr_match);
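
Review bot: The inner loop in clear_pathspec() still spells out `pathspec->items[i]` on every line, which is the pattern that allowed the `items[j]` bound to go unnoticed: with the old condition, `j` indexed the items array while also indexing `attr_match`, so the loop could read a count from a different item (or past the end of `items`) and then call free() on `attr_match[j].value` slots that item `i` never allocated. The one-character fix is right, but consider taking a local pointer to `pathspec->items[i]` at the top of the outer loop body and writing the bound as `item->attr_match_nr` and the free as `item->attr_match[j].value`, so only one index variable appears in the inner loop. The diff as shown touches only pathspec.c; a regression test that clears a pathspec whose items carry differing numbers of attr matches, ideally run under a memory checker, would catch a recurrence, since the commit message notes the crash was only occasional.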