1From 9ff609f0e7798bc5fb04f791131c98e7693bdd9b Mon Sep 17 00:00:00 2001
2From: Alexey Makhalov <amakhalov@vmware.com>
3Date: Wed, 8 Jul 2020 20:41:56 +0000
4Subject: [PATCH] gfxmenu: Fix double free in load_image()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9self->bitmap should be zeroed after free. Otherwise, there is a chance
10to double free (USE_AFTER_FREE) it later in rescale_image().
11
12Fixes: CID 292472
13
14Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
15Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
17---
18 grub-core/gfxmenu/gui_image.c | 5 ++++-
19 1 file changed, 4 insertions(+), 1 deletion(-)
20
21diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c
22index 29784ed2d..6b2e976f1 100644
23--- a/grub-core/gfxmenu/gui_image.c
24+++ b/grub-core/gfxmenu/gui_image.c
25@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path)
26 return grub_errno;
27
28 if (self->bitmap && (self->bitmap != self->raw_bitmap))
29- grub_video_bitmap_destroy (self->bitmap);
30+ {
31+ grub_video_bitmap_destroy (self->bitmap);
32+ self->bitmap = 0;
33+ }
34 if (self->raw_bitmap)
35 grub_video_bitmap_destroy (self->raw_bitmap);
36
37--
382.26.2
39
40
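Review bot: The added `self->bitmap = 0;` runs only when `self->bitmap != self->raw_bitmap`, so in the aliased case (`self->bitmap == self->raw_bitmap`) the `grub_video_bitmap_destroy (self->raw_bitmap)` call two lines below still leaves `self->bitmap` pointing at freed memory. If rescale_image() then inspects or frees `self->bitmap`, as the commit message says it can, that path would presumably still be a use-after-free or double free. Clearing the pointer unconditionally, with `self->bitmap = 0;` placed after the `raw_bitmap` destroy, would cover both cases. The rest of load_image() lies outside the hunk, so confirm that nothing between here and the rescale_image() call reassigns `self->bitmap` first.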