1From dc9777dc17697b196c415c53187a55861d41fd2a Mon Sep 17 00:00:00 2001 2From: Alexey Makhalov <amakhalov@vmware.com> 3Date: Wed, 8 Jul 2020 21:30:43 +0000 4Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property() 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get 10allocated and freed in the caller. 11 12Minor improvement: do prop fields initialization after memory allocations. 13 14Fixes: CID 292442, CID 292457, CID 292460, CID 292466 15 16Signed-off-by: Alexey Makhalov <amakhalov@vmware.com> 17Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 18Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 19--- 20 grub-core/loader/i386/xnu.c | 17 ++++++++--------- 21 1 file changed, 8 insertions(+), 9 deletions(-) 22 23diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c 24index b7d176b5d..e9e119259 100644 25--- a/grub-core/loader/i386/xnu.c 26+++ b/grub-core/loader/i386/xnu.c 27@@ -262,20 +262,19 @@ grub_xnu_devprop_add_property (struct grub_xnu_devprop_device_descriptor *dev, 28 if (!prop) 29 return grub_errno; 30 31- prop->name = utf8; 32- prop->name16 = utf16; 33- prop->name16len = utf16len; 34- 35- prop->length = datalen; 36- prop->data = grub_malloc (prop->length); 37+ prop->data = grub_malloc (datalen); 38 if (!prop->data) 39 { 40- grub_free (prop->name); 41- grub_free (prop->name16); 42 grub_free (prop); 43 return grub_errno; 44 } 45- grub_memcpy (prop->data, data, prop->length); 46+ grub_memcpy (prop->data, data, datalen); 47+ 48+ prop->name = utf8; 49+ prop->name16 = utf16; 50+ prop->name16len = utf16len; 51+ prop->length = datalen; 52+ 53 grub_list_push (GRUB_AS_LIST_P (&dev->properties), 54 GRUB_AS_LIST (prop)); 55 return GRUB_ERR_NONE; 56-- 572.26.2 58 59