From 1f3aff87554ccb365da6b3755fa5bc6f43a255e8 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Fri, 7 Apr 2017 15:04:46 +0200
Subject: restore: Fix a use-after-free Also fixing the string length of the affected strncmp. Credit to Mällon Lobjakas
---
src/restore.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/restore.c b/src/restore.c
index d06eba9..18fc1e9 100644
--- a/src/restore.c
+++ b/src/restore.c
@@ -1037,9 +1037,9 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t*
 error("ERROR: Unable to extract component: %s\n", component);
 return -1;
 }
- free(comppath);
 if (personalize_component(component, component_data, component_size, client->tss, &nor_data, &nor_size) < 0) {
+ free(comppath);
 free(component_data);
 plist_free(firmware_files);
 error("ERROR: Unable to get personalized component: %s\n", component);
@@ -1050,12 +1050,13 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t*
 component_size = 0;
 /* make sure iBoot is the first entry in the array */
- if (!strncmp("iBoot", filename, 4)) {
+ if (!strncmp("iBoot", filename, 5)) {
 plist_array_insert_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size), 0);
 } else {
 plist_array_append_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size));
 }
+ free(comppath);
 free(nor_data);
 nor_data = NULL;
 nor_size = 0;
-- 
cgit v1.1-32-gdbae
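Review bot: Nothing in the new code records why comppath must now outlive the strncmp on filename, so a later refactor can reintroduce the use-after-free this commit fixes; add a comment next to the retained `free(comppath);` in the second hunk, e.g. `/* filename appears to point into comppath; free it only after the iBoot check above */` (the relationship is inferred from the fix, not visible in the hunk). The first hunk frees comppath on the personalize_component error path, but any early return in the lines between the two hunks (not shown) would now leak it, so a single cleanup label reached from every exit of this loop body would be safer than per-branch frees. The 5-byte strncmp is a prefix match, so any filename beginning with "iBoot" is inserted at index 0, not only the iBoot image itself; if that is intended, the existing "make sure iBoot is the first entry" comment should say so. restore_send_nor starts before the first hunk and continues past the second.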