1*4882a593SmuzhiyunFrom 9ff609f0e7798bc5fb04f791131c98e7693bdd9b Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Alexey Makhalov <amakhalov@vmware.com> 3*4882a593SmuzhiyunDate: Wed, 8 Jul 2020 20:41:56 +0000 4*4882a593SmuzhiyunSubject: [PATCH] gfxmenu: Fix double free in load_image() 5*4882a593SmuzhiyunMIME-Version: 1.0 6*4882a593SmuzhiyunContent-Type: text/plain; charset=UTF-8 7*4882a593SmuzhiyunContent-Transfer-Encoding: 8bit 8*4882a593Smuzhiyun 9*4882a593Smuzhiyunself->bitmap should be zeroed after free. Otherwise, there is a chance 10*4882a593Smuzhiyunto double free (USE_AFTER_FREE) it later in rescale_image(). 11*4882a593Smuzhiyun 12*4882a593SmuzhiyunFixes: CID 292472 13*4882a593Smuzhiyun 14*4882a593SmuzhiyunSigned-off-by: Alexey Makhalov <amakhalov@vmware.com> 15*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 16*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 17*4882a593Smuzhiyun--- 18*4882a593Smuzhiyun grub-core/gfxmenu/gui_image.c | 5 ++++- 19*4882a593Smuzhiyun 1 file changed, 4 insertions(+), 1 deletion(-) 20*4882a593Smuzhiyun 21*4882a593Smuzhiyundiff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c 22*4882a593Smuzhiyunindex 29784ed2d..6b2e976f1 100644 23*4882a593Smuzhiyun--- a/grub-core/gfxmenu/gui_image.c 24*4882a593Smuzhiyun+++ b/grub-core/gfxmenu/gui_image.c 25*4882a593Smuzhiyun@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path) 26*4882a593Smuzhiyun return grub_errno; 27*4882a593Smuzhiyun 28*4882a593Smuzhiyun if (self->bitmap && (self->bitmap != self->raw_bitmap)) 29*4882a593Smuzhiyun- grub_video_bitmap_destroy (self->bitmap); 30*4882a593Smuzhiyun+ { 31*4882a593Smuzhiyun+ grub_video_bitmap_destroy (self->bitmap); 32*4882a593Smuzhiyun+ self->bitmap = 0; 33*4882a593Smuzhiyun+ } 34*4882a593Smuzhiyun if (self->raw_bitmap) 35*4882a593Smuzhiyun grub_video_bitmap_destroy (self->raw_bitmap); 36*4882a593Smuzhiyun 37*4882a593Smuzhiyun-- 38*4882a593Smuzhiyun2.26.2 39*4882a593Smuzhiyun 40