| From b5a2b59cc5b8f5ee7ba3b951e7693e402d5b3a6f Mon Sep 17 00:00:00 2001 |
| From: Daniel Axtens <dja@axtens.net> |
| Date: Thu, 21 Jan 2021 12:22:28 +1100 |
| Subject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if |
| huft_build() fails |
| |
| If huft_build() fails, gzio->tl or gzio->td could contain pointers that |
| are no longer valid. Zero them out. |
| |
| This prevents a double free when grub_gzio_close() comes through and |
| attempts to free them again. |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| Signed-off-by: Stefan SΓΈrensen <stefan.sorensen@spectralink.com> |
| --- |
| grub-core/io/gzio.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c |
| index 19adebe..aea86a0 100644 |
| --- a/grub-core/io/gzio.c |
| +++ b/grub-core/io/gzio.c |
| @@ -1010,6 +1010,7 @@ init_dynamic_block (grub_gzio_t gzio) |
| gzio->bl = lbits; |
| if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0) |
| { |
| + gzio->tl = 0; |
| grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, |
| "failed in building a Huffman code table"); |
| return; |
| @@ -1019,6 +1020,7 @@ init_dynamic_block (grub_gzio_t gzio) |
| { |
| huft_free (gzio->tl); |
| gzio->tl = 0; |
| + gzio->td = 0; |
| grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, |
| "failed in building a Huffman code table"); |
| return; |
| -- |
| 2.14.2 |
| |