| From 3334a5e6c86f10e715cca3bf66ce0fc2f164b61b Mon Sep 17 00:00:00 2001 |
| From: Daniel Axtens <dja@axtens.net> |
| Date: Wed, 13 Jan 2021 20:59:09 +1100 |
| Subject: [PATCH] io/gzio: Bail if gzio->tl/td is NULL |
| |
| This is an ugly fix that doesn't address why gzio->tl comes to be NULL. |
| However, it seems to be sufficient to patch up a bunch of NULL derefs. |
| |
| It would be good to revisit this in future and see if we can have |
| a cleaner solution that addresses some of the causes of the unexpected |
| NULL pointers. |
| |
| Signed-off-by: Daniel Axtens <dja@axtens.net> |
| Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> |
| Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> |
| --- |
| grub-core/io/gzio.c | 20 ++++++++++++++++++++ |
| 1 file changed, 20 insertions(+) |
| |
| diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c |
| index 43d98a7..4a8eaea 100644 |
| --- a/grub-core/io/gzio.c |
| +++ b/grub-core/io/gzio.c |
| @@ -669,6 +669,13 @@ inflate_codes_in_window (grub_gzio_t gzio) |
| { |
| if (! gzio->code_state) |
| { |
| + |
| + if (gzio->tl == NULL) |
| + { |
| + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl"); |
| + return 1; |
| + } |
| + |
| NEEDBITS ((unsigned) gzio->bl); |
| if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16) |
| do |
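Review bot: The new `gzio->tl == NULL` guard carries no comment marking it as a stopgap, so a later reader cannot tell whether NULL is an expected state for malformed input or the symptom of a bug elsewhere; the commit message itself says the cause is not understood. I would put `/* FIXME: tl should not be NULL here; cause unknown, bail instead of dereferencing. */` above the check, and the same above the `gzio->td` check in the second hunk and the `gzio->tl` check in init_dynamic_block. The empty added line directly after the opening `{` can be dropped. The body of inflate_codes_in_window starts and ends outside this hunk.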
| @@ -707,6 +714,12 @@ inflate_codes_in_window (grub_gzio_t gzio) |
| n = t->v.n + ((unsigned) b & mask_bits[e]); |
| DUMPBITS (e); |
| |
| + if (gzio->td == NULL) |
| + { |
| + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td"); |
| + return 1; |
| + } |
| + |
| /* decode distance of block to copy */ |
| NEEDBITS ((unsigned) gzio->bd); |
| if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16) |
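Review bot: The `gzio->td == NULL` test runs only after the length bits have been read and discarded by `NEEDBITS (e)` and `DUMPBITS (e)` just above, so the error is returned with part of the current symbol already consumed. If `td` is never legitimately NULL while `tl` is set, which cannot be confirmed from this hunk, the first hunk's guard could test both with `if (gzio->tl == NULL || gzio->td == NULL)`. The function would then fail before this symbol is decoded, with one check instead of two. If a stream that contains only literals is meant to decode with `td` unset, the check has to stay where it is, and a comment should say so. The surrounding block continues outside the hunk.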
| @@ -917,6 +930,13 @@ init_dynamic_block (grub_gzio_t gzio) |
| n = nl + nd; |
| m = mask_bits[gzio->bl]; |
| i = l = 0; |
| + |
| + if (gzio->tl == NULL) |
| + { |
| + grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl"); |
| + return; |
| + } |
| + |
| while ((unsigned) i < n) |
| { |
| NEEDBITS ((unsigned) gzio->bl); |
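Review bot: The added bare `return;` in init_dynamic_block reports the failure only through `grub_error`, because this path returns no value, so the guard protects nothing unless the caller checks `grub_errno` before decoding. The caller is not visible in this hunk. The NULL checks added to inflate_codes_in_window suggest that decoding can be reached with `gzio->tl` unset, so that caller check is worth confirming. At minimum I would document the contract at the guard, for example `/* No return value: callers must test grub_errno before using gzio->tl/td. */`. The function body starts before and ends after the lines shown here.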
| -- |
| 2.14.2 |
| |