1From 3334a5e6c86f10e715cca3bf66ce0fc2f164b61b Mon Sep 17 00:00:00 2001
2From: Daniel Axtens <dja@axtens.net>
3Date: Wed, 13 Jan 2021 20:59:09 +1100
4Subject: [PATCH] io/gzio: Bail if gzio->tl/td is NULL
5
6This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
7However, it seems to be sufficient to patch up a bunch of NULL derefs.
8
9It would be good to revisit this in future and see if we can have
10a cleaner solution that addresses some of the causes of the unexpected
11NULL pointers.
12
13Signed-off-by: Daniel Axtens <dja@axtens.net>
14Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
16---
17 grub-core/io/gzio.c | 20 ++++++++++++++++++++
18 1 file changed, 20 insertions(+)
19
20diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
21index 43d98a7..4a8eaea 100644
22--- a/grub-core/io/gzio.c
23+++ b/grub-core/io/gzio.c
24@@ -669,6 +669,13 @@ inflate_codes_in_window (grub_gzio_t gzio)
25 {
26 if (! gzio->code_state)
27 {
28+
29+ if (gzio->tl == NULL)
30+ {
31+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
32+ return 1;
33+ }
34+
35 NEEDBITS ((unsigned) gzio->bl);
36 if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16)
37 do
38@@ -707,6 +714,12 @@ inflate_codes_in_window (grub_gzio_t gzio)
39 n = t->v.n + ((unsigned) b & mask_bits[e]);
40 DUMPBITS (e);
41
42+ if (gzio->td == NULL)
43+ {
44+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td");
45+ return 1;
46+ }
47+
48 /* decode distance of block to copy */
49 NEEDBITS ((unsigned) gzio->bd);
50 if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16)
51@@ -917,6 +930,13 @@ init_dynamic_block (grub_gzio_t gzio)
52 n = nl + nd;
53 m = mask_bits[gzio->bl];
54 i = l = 0;
55+
56+ if (gzio->tl == NULL)
57+ {
58+ grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
59+ return;
60+ }
61+
62 while ((unsigned) i < n)
63 {
64 NEEDBITS ((unsigned) gzio->bl);
65--
662.14.2
67
68
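Review bot: The new `return 1;` exits in inflate_codes_in_window (this guard on `gzio->tl` and the matching one on `gzio->td` in the next hunk) carry no comment saying what a return of 1 means, and the hunk does not show whether 1 is also a normal result of the function. If it is, the caller can only tell a rejected stream from a finished block through the error state set by `grub_error`, and that is worth stating at both guards, for example `/* Table missing (malformed stream?): error is reported through grub_error, not the return value. */`. The commit message says the cause of the NULL pointer is still unknown, so a `/* FIXME: find out why tl can be NULL here */` beside the check would keep that open question with the code. The function body starts and ends outside the hunk.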
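Review bot: The guard in init_dynamic_block reuses the exact message `"NULL gzio->tl"` that the first hunk adds to inflate_codes_in_window, so an error report from a malformed archive cannot show which of the two checks fired. Distinct text such as `"NULL gzio->tl in init_dynamic_block"` would make triage easier. The bare `return;` suggests the function returns nothing, in which case every caller has to test the GRUB error state before going on to decode; the caller is outside the hunk, so that should be confirmed. The function body starts and ends outside the hunk.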