1From b5a2b59cc5b8f5ee7ba3b951e7693e402d5b3a6f Mon Sep 17 00:00:00 2001 2From: Daniel Axtens <dja@axtens.net> 3Date: Thu, 21 Jan 2021 12:22:28 +1100 4Subject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if 5 huft_build() fails 6 7If huft_build() fails, gzio->tl or gzio->td could contain pointers that 8are no longer valid. Zero them out. 9 10This prevents a double free when grub_gzio_close() comes through and 11attempts to free them again. 12 13Signed-off-by: Daniel Axtens <dja@axtens.net> 14Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 15Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 16--- 17 grub-core/io/gzio.c | 2 ++ 18 1 file changed, 2 insertions(+) 19 20diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c 21index 19adebe..aea86a0 100644 22--- a/grub-core/io/gzio.c 23+++ b/grub-core/io/gzio.c 24@@ -1010,6 +1010,7 @@ init_dynamic_block (grub_gzio_t gzio) 25 gzio->bl = lbits; 26 if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0) 27 { 28+ gzio->tl = 0; 29 grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, 30 "failed in building a Huffman code table"); 31 return; 32@@ -1019,6 +1020,7 @@ init_dynamic_block (grub_gzio_t gzio) 33 { 34 huft_free (gzio->tl); 35 gzio->tl = 0; 36+ gzio->td = 0; 37 grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, 38 "failed in building a Huffman code table"); 39 return; 40-- 412.14.2 42 43