1*4882a593SmuzhiyunFrom e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Peter Jones <pjones@redhat.com>
3*4882a593SmuzhiyunDate: Sat, 4 Jul 2020 12:25:09 -0400
4*4882a593SmuzhiyunSubject: [PATCH] iso9660: Don't leak memory on realloc() failures
5*4882a593SmuzhiyunMIME-Version: 1.0
6*4882a593SmuzhiyunContent-Type: text/plain; charset=UTF-8
7*4882a593SmuzhiyunContent-Transfer-Encoding: 8bit
8*4882a593Smuzhiyun
9*4882a593SmuzhiyunSigned-off-by: Peter Jones <pjones@redhat.com>
10*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
12*4882a593Smuzhiyun---
13*4882a593Smuzhiyun grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
14*4882a593Smuzhiyun 1 file changed, 20 insertions(+), 4 deletions(-)
15*4882a593Smuzhiyun
16*4882a593Smuzhiyundiff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
17*4882a593Smuzhiyunindex 7ba5b300b..5ec4433b8 100644
18*4882a593Smuzhiyun--- a/grub-core/fs/iso9660.c
19*4882a593Smuzhiyun+++ b/grub-core/fs/iso9660.c
20*4882a593Smuzhiyun@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
21*4882a593Smuzhiyun {
22*4882a593Smuzhiyun int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
23*4882a593Smuzhiyun grub_size_t sz;
24*4882a593Smuzhiyun+ char *new;
25*4882a593Smuzhiyun
26*4882a593Smuzhiyun if (grub_add (size, len2, &sz) ||
27*4882a593Smuzhiyun grub_add (sz, 1, &sz))
28*4882a593Smuzhiyun return;
29*4882a593Smuzhiyun
30*4882a593Smuzhiyun- ctx->symlink = grub_realloc (ctx->symlink, sz);
31*4882a593Smuzhiyun- if (!
ctx->symlink)
32*4882a593Smuzhiyun- return;
33*4882a593Smuzhiyun+ new = grub_realloc (ctx->symlink, sz);
34*4882a593Smuzhiyun+ if (!new)
35*4882a593Smuzhiyun+ {
36*4882a593Smuzhiyun+ grub_free (ctx->symlink);
37*4882a593Smuzhiyun+ ctx->symlink = NULL;
38*4882a593Smuzhiyun+ return;
39*4882a593Smuzhiyun+ }
40*4882a593Smuzhiyun+ ctx->symlink = new;
41*4882a593Smuzhiyun
42*4882a593Smuzhiyun grub_memcpy (ctx->symlink + size, part, len2);
43*4882a593Smuzhiyun ctx->symlink[size + len2] = 0;
44*4882a593Smuzhiyun@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
45*4882a593Smuzhiyun is the length. Both are part of the `Component
46*4882a593Smuzhiyun Record'. */
47*4882a593Smuzhiyun if (ctx->symlink && !ctx->was_continue)
48*4882a593Smuzhiyun- add_part (ctx, "/", 1);
49*4882a593Smuzhiyun+ {
50*4882a593Smuzhiyun+ add_part (ctx, "/", 1);
51*4882a593Smuzhiyun+ if (grub_errno)
52*4882a593Smuzhiyun+ return grub_errno;
53*4882a593Smuzhiyun+ }
54*4882a593Smuzhiyun+
55*4882a593Smuzhiyun add_part (ctx, (char *) &entry->data[pos + 2],
56*4882a593Smuzhiyun entry->data[pos + 1]);
57*4882a593Smuzhiyun ctx->was_continue = (entry->data[pos] & 1);
58*4882a593Smuzhiyun@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
59*4882a593Smuzhiyun add_part (ctx, "/", 1);
60*4882a593Smuzhiyun break;
61*4882a593Smuzhiyun }
62*4882a593Smuzhiyun+
63*4882a593Smuzhiyun+ /* Check if grub_realloc() failed in add_part(). */
64*4882a593Smuzhiyun+ if (grub_errno)
65*4882a593Smuzhiyun+ return grub_errno;
66*4882a593Smuzhiyun+
67*4882a593Smuzhiyun /* In pos + 1 the length of the `Component Record' is
68*4882a593Smuzhiyun stored. */
69*4882a593Smuzhiyun pos += entry->data[pos + 1] + 2;
70*4882a593Smuzhiyun--
71*4882a593Smuzhiyun2.26.2
72*4882a593Smuzhiyun
73
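Review bot: The overflow guard at the top of add_part (`if (grub_add (size, len2, &sz) || grub_add (sz, 1, &sz)) return;`) still returns without recording an error, so the `if (grub_errno)` checks added in the two susp_iterate_dir hunks cannot see it and iteration continues with a symlink string that silently lacks a component. The length passed in appears to come straight from the on-disk entry (`entry->data[pos + 1]`), so this path should fail as visibly as the realloc one, for example `{ grub_error (GRUB_ERR_OUT_OF_RANGE, "overflow is detected"); return; }`. The new callers also rely on grub_realloc() setting grub_errno on failure, which is not visible in this patch. add_part's closing lines fall outside the hunk.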
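Review bot: The early `if (grub_errno) return grub_errno;` placed right after `add_part (ctx, "/", 1);` carries no comment, unlike the check added after the switch, and the reason it cannot be deferred to that later check is not obvious. add_part() now frees ctx->symlink and sets it to NULL on failure, so the following add_part() call would begin a fresh string holding only the last component, yielding a truncated link target. I would add `/* add_part() drops ctx->symlink on failure; stop before the next call restarts it. */` above the check. The enclosing susp_iterate_dir body starts and ends outside the hunk.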