1From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
2From: Peter Jones <pjones@redhat.com>
3Date: Sat, 4 Jul 2020 12:25:09 -0400
4Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Signed-off-by: Peter Jones <pjones@redhat.com>
10Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
12---
13 grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
14 1 file changed, 20 insertions(+), 4 deletions(-)
15
16diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
17index 7ba5b300b..5ec4433b8 100644
18--- a/grub-core/fs/iso9660.c
19+++ b/grub-core/fs/iso9660.c
20@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
21 {
22 int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
23 grub_size_t sz;
24+ char *new;
25
26 if (grub_add (size, len2, &sz) ||
27 grub_add (sz, 1, &sz))
28 return;
29
30- ctx->symlink = grub_realloc (ctx->symlink, sz);
31- if (! ctx->symlink)
32- return;
33+ new = grub_realloc (ctx->symlink, sz);
34+ if (!new)
35+ {
36+ grub_free (ctx->symlink);
37+ ctx->symlink = NULL;
38+ return;
39+ }
40+ ctx->symlink = new;
41
42 grub_memcpy (ctx->symlink + size, part, len2);
43 ctx->symlink[size + len2] = 0;
44@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
45 is the length. Both are part of the `Component
46 Record'. */
47 if (ctx->symlink && !ctx->was_continue)
48- add_part (ctx, "/", 1);
49+ {
50+ add_part (ctx, "/", 1);
51+ if (grub_errno)
52+ return grub_errno;
53+ }
54+
55 add_part (ctx, (char *) &entry->data[pos + 2],
56 entry->data[pos + 1]);
57 ctx->was_continue = (entry->data[pos] & 1);
58@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
59 add_part (ctx, "/", 1);
60 break;
61 }
62+
63+ /* Check if grub_realloc() failed in add_part(). 
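Review bot: The overflow guard at the top of add_part() still returns silently: when either `grub_add()` call reports overflow, the function leaves `ctx->symlink` unchanged and, as far as these lines show, does not set `grub_errno`. The `if (grub_errno)` checks this patch adds in susp_iterate_dir() therefore cannot see that failure, and a component is dropped from the symlink target without any error. The length passed in comes from the on-disk entry (`entry->data[pos + 1]` in the next hunk), so this path should fail loudly too, for example `{ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); return; }`, ideally releasing `ctx->symlink` the way the realloc failure branch does. add_part's signature starts above the hunk and its body ends below it.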
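Review bot: Failure of add_part() is detected here only by reading the global `grub_errno` after the call, which is reliable only if `grub_errno` is clear on entry to susp_iterate_dir() and every failure path in add_part() sets it; neither is visible in this hunk. Having add_part() return `grub_err_t` and testing the result directly, `if (add_part (ctx, "/", 1)) return grub_errno;`, would tie the check to the call. It would also let the second add_part() in this case be checked before `ctx->was_continue` is updated. The same pattern is repeated after the switch in the next hunk (`@@ -653,6 +664,11 @@`), where the comment names only grub_realloc() although the test fires on any pending error. The enclosing function starts and ends outside the hunk.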
*/
64+ if (grub_errno)
65+ return grub_errno;
66+
67 /* In pos + 1 the length of the `Component Record' is
68 stored. */
69 pos += entry->data[pos + 1] + 2;
70--
712.26.2
72
73