boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch - buildroot - Git at Google

 From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 4 Jul 2020 12:25:09 -0400
 Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 Signed-off-by: Peter Jones <pjones@redhat.com>
 Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
 Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
 ---
  grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
  1 file changed, 20 insertions(+), 4 deletions(-)

 diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
 index 7ba5b300b..5ec4433b8 100644
 --- a/grub-core/fs/iso9660.c
 +++ b/grub-core/fs/iso9660.c
 @@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
  {
    int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
    grub_size_t sz;
 +  char *new;

    if (grub_add (size, len2, &sz) ||
        grub_add (sz, 1, &sz))
      return;

 -  ctx->symlink = grub_realloc (ctx->symlink, sz);
 -  if (! ctx->symlink)
 -    return;
 +  new = grub_realloc (ctx->symlink, sz);
 +  if (!new)
 +    {
 +      grub_free (ctx->symlink);
 +      ctx->symlink = NULL;
 +      return;
 +    }
 +  ctx->symlink = new;

    grub_memcpy (ctx->symlink + size, part, len2);
    ctx->symlink[size + len2] = 0;
 @@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
  		   is the length.  Both are part of the `Component
  		   Record'.  */
  		if (ctx->symlink && !ctx->was_continue)
 -		  add_part (ctx, "/", 1);
 +		  {
 +		    add_part (ctx, "/", 1);
 +		    if (grub_errno)
 +		      return grub_errno;
 +		  }
 +
  		add_part (ctx, (char *) &entry->data[pos + 2],
  			  entry->data[pos + 1]);
  		ctx->was_continue = (entry->data[pos] & 1);
 @@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
  	      add_part (ctx, "/", 1);
  	      break;
  	    }
 +
 +	  /* Check if grub_realloc() failed in add_part(). */
 +	  if (grub_errno)
 +	    return grub_errno;
 +
  	  /* In pos + 1 the length of the `Component Record' is
  	     stored.  */
  	  pos += entry->data[pos + 1] + 2;
 --
 2.26.2
	From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
	From: Peter Jones <pjones@redhat.com>
	Date: Sat, 4 Jul 2020 12:25:09 -0400
	Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	Signed-off-by: Peter Jones <pjones@redhat.com>
	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
	---
	grub-core/fs/iso9660.c \| 24 ++++++++++++++++++++----
	1 file changed, 20 insertions(+), 4 deletions(-)

	diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
	index 7ba5b300b..5ec4433b8 100644
	--- a/grub-core/fs/iso9660.c
	+++ b/grub-core/fs/iso9660.c
	@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
	{
	int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
	grub_size_t sz;
	+ char *new;

	if (grub_add (size, len2, &sz) \|\|
	grub_add (sz, 1, &sz))
	return;

	- ctx->symlink = grub_realloc (ctx->symlink, sz);
	- if (! ctx->symlink)
	- return;
	+ new = grub_realloc (ctx->symlink, sz);
	+ if (!new)
	+ {
	+ grub_free (ctx->symlink);
	+ ctx->symlink = NULL;
	+ return;
	+ }
	+ ctx->symlink = new;

	grub_memcpy (ctx->symlink + size, part, len2);
	ctx->symlink[size + len2] = 0;
	@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
	is the length. Both are part of the `Component
	Record'. */
	if (ctx->symlink && !ctx->was_continue)
	- add_part (ctx, "/", 1);
	+ {
	+ add_part (ctx, "/", 1);
	+ if (grub_errno)
	+ return grub_errno;
	+ }
	+
	add_part (ctx, (char *) &entry->data[pos + 2],
	entry->data[pos + 1]);
	ctx->was_continue = (entry->data[pos] & 1);
	@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
	add_part (ctx, "/", 1);
	break;
	}
	+
	+ /* Check if grub_realloc() failed in add_part(). */
	+ if (grub_errno)
	+ return grub_errno;
	+
	/* In pos + 1 the length of the `Component Record' is
	stored. */
	pos += entry->data[pos + 1] + 2;
	--
	2.26.2