From 1c02cdf4b0c932edc4180199057416363aa7048a Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 10 Feb 2017 11:04:10 +0100
Subject: [PATCH] libopkg: fix use-after-free with duplicate packages on the command line
When the same package file is specified multiple times on the opkg install command line, the name pointer on the argv array becomes stale after the package structures have been merged, leading to invalid memory accesses upon install.
Signed-off-by: Jo-Philipp Wich
---
 libopkg/opkg_download.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 97e1a84..631bdab 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -335,7 +335,7 @@ opkg_prepare_url_for_install(const char *url, char **namep)
 hash_insert_pkg(pkg, 1);
 if (namep) {
- *namep = pkg->name;
+ *namep = xstrdup(pkg->name);
 }
 return 0;
 }
--
2.25.1
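Review bot: The `*namep = xstrdup(pkg->name);` line turns the out-parameter into a heap allocation, but nothing in the hunk says who frees it. opkg_prepare_url_for_install() begins outside the hunk, so whether its other return paths leave `*namep` untouched cannot be checked here. If they do, a caller that passes an argv slot (as the commit message describes) cannot tell an owned copy from the original argument, and the copy is presumably never released. I would document the contract at the assignment, e.g. `/* *namep receives a heap copy owned by the caller; pkg->name can be freed when duplicate packages are merged */`, and repeat the ownership rule in the function's header comment.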