authorWerner Koch <[email protected]>2015-11-13 11:56:13 +0000
committerWerner Koch <[email protected]>2015-11-13 11:57:54 +0000
commit7e59fb21f728b5f54468cd35b1415a2f86003d4f (patch)
tree9a305d27e085c2eac7dcdc9eb3889bc702dd7068
parentgpg: Print a new EXPORTED status line. (diff)
gpg: Fix regression in --locate-keys (in 2.1.9).
* g10/getkey.c (getkey_ctx_s): Add field "extra_list". (get_pubkey_byname): Store strings in the context. (getkey_end): Free EXTRA_LIST. -- This fixes a use-after-free bug. It showed up with: gpg --auto-key-locate local --locate-key [email protected] The key was shown but also all other following keys in the keyring. Bisecting showed d47e84946ee010917cfc3501062721b74afbb771 as culprit but the actual cause was a part of: Regression-due-to: b06f96ba4f57f55194efcd37a0e3a2aa5450b974 Signed-off-by: Werner Koch <[email protected]>
-rw-r--r--g10/getkey.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/g10/getkey.c b/g10/getkey.c
index 9e123ee7f..7238bc39a 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -77,6 +77,10 @@ struct getkey_ctx_s
released using getkey_end()). */
int not_allocated;
+ /* This variable is used as backing store for strings which have
+ their address used in ITEMS. */
+ strlist_t extra_list;
+
/* Part of the search criteria: The low-level search specification
as passed to keydb_search. */
int nitems;
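Review bot: The new comment on `extra_list` says what the field holds but not who owns it or what its initial state must be, and the later assert in get_pubkey_byname only holds if a fresh context has this field set to NULL, which depends on how getkey_ctx_s is allocated (outside this hunk; presumably a zeroing allocator, but that is not visible here). I would extend the comment to state the contract: `/* Owned by the context: must be NULL in a freshly allocated context, set at most once by get_pubkey_byname, and released by getkey_end. */`. The struct getkey_ctx_s definition begins before this hunk and continues after it.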
@@ -1028,7 +1032,14 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
*retctx = NULL;
}
- free_strlist (namelist);
+ if (retctx && *retctx)
+ {
+ assert (!(*retctx)->extra_list);
+ (*retctx)->extra_list = namelist;
+ }
+ else
+ free_strlist (namelist);
+
return rc;
}
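Review bot: The ownership hand-over of `namelist` at `(*retctx)->extra_list = namelist;` is guarded only by an assert, so if the context ever arrives with a non-NULL `extra_list` (for example a caller-supplied `not_allocated` context reused across calls, which this hunk cannot rule out) a build with NDEBUG would silently overwrite and leak the earlier list. Releasing any previous list before the assignment keeps the single-owner invariant independent of assert: `free_strlist ((*retctx)->extra_list); (*retctx)->extra_list = namelist;`. Note that the strings referenced from ITEMS are now freed only at getkey_end, so any path that returns a context without eventually calling getkey_end leaks the list rather than dangling, which is the safer failure mode. The body of get_pubkey_byname starts before this hunk.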
@@ -1279,6 +1290,7 @@ getkey_end (getkey_ctx_t ctx)
if (ctx)
{
keydb_release (ctx->kr_handle);
+ free_strlist (ctx->extra_list);
if (!ctx->not_allocated)
xfree (ctx);
}
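Review bot: After `free_strlist (ctx->extra_list);` the pointer is left in the context, and the lines that follow show the context itself is kept when `ctx->not_allocated` is set, so a caller-owned context keeps a dangling `extra_list`; a second getkey_end on it, or a reuse that reaches the free in get_pubkey_byname, would double-free. Clearing it right after the release avoids that: `free_strlist (ctx->extra_list); ctx->extra_list = NULL;`. The closing of getkey_end lies past the end of this hunk.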