1*4882a593SmuzhiyunFrom b5a2b59cc5b8f5ee7ba3b951e7693e402d5b3a6f Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Daniel Axtens <dja@axtens.net>
3*4882a593SmuzhiyunDate: Thu, 21 Jan 2021 12:22:28 +1100
4*4882a593SmuzhiyunSubject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if
5*4882a593Smuzhiyun huft_build() fails
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunIf huft_build() fails, gzio->tl or gzio->td could contain pointers that
8*4882a593Smuzhiyunare no longer valid. Zero them out.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunThis prevents a double free when grub_gzio_close() comes through and
11*4882a593Smuzhiyunattempts to free them again.
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunSigned-off-by: Daniel Axtens <dja@axtens.net>
14*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
15*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
16*4882a593Smuzhiyun---
17*4882a593Smuzhiyun grub-core/io/gzio.c | 2 ++
18*4882a593Smuzhiyun 1 file changed, 2 insertions(+)
19*4882a593Smuzhiyun
20*4882a593Smuzhiyundiff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
21*4882a593Smuzhiyunindex 19adebe..aea86a0 100644
22*4882a593Smuzhiyun--- a/grub-core/io/gzio.c
23*4882a593Smuzhiyun+++ b/grub-core/io/gzio.c
24*4882a593Smuzhiyun@@ -1010,6 +1010,7 @@ init_dynamic_block (grub_gzio_t gzio)
25*4882a593Smuzhiyun gzio->bl = lbits;
26*4882a593Smuzhiyun if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0)
27*4882a593Smuzhiyun {
28*4882a593Smuzhiyun+ gzio->tl = 0;
29*4882a593Smuzhiyun grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
30*4882a593Smuzhiyun "failed in building a Huffman code table");
31*4882a593Smuzhiyun return;
32*4882a593Smuzhiyun@@ -1019,6 +1020,7 @@ init_dynamic_block (grub_gzio_t gzio)
33*4882a593Smuzhiyun {
34*4882a593Smuzhiyun huft_free (gzio->tl);
35*4882a593Smuzhiyun gzio->tl = 0;
36*4882a593Smuzhiyun+ gzio->td = 0;
37*4882a593Smuzhiyun grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
38*4882a593Smuzhiyun "failed in building a Huffman code table");
39*4882a593Smuzhiyun return;
40*4882a593Smuzhiyun--
41*4882a593Smuzhiyun2.14.2
42*4882a593Smuzhiyun
43
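Review bot: Zeroing `gzio->tl` in the first hunk and `gzio->td` in the second without a preceding `huft_free()` is only leak-free if huft_build() has already released everything it allocated on every non-zero return. huft_build() is not visible in this patch, so that is worth confirming. In the gzip inflate code this routine appears to derive from, an incomplete code set is reported with a non-zero return while the built table is left in place, and in that case these assignments would drop the only reference to it. Whichever way that resolves, each assignment deserves a comment recording the contract it relies on, for example `/* huft_build() failed: the pointer is stale; clear it so grub_gzio_close() cannot free it again. */`. The body of init_dynamic_block() begins and ends outside both hunks, so the surrounding cleanup paths could not be checked here.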