[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SECURITY PATCH 06/28] iso9660: Don't leak memory on realloc() failures
|
From: |
Daniel Kiper |
|
Subject: |
[SECURITY PATCH 06/28] iso9660: Don't leak memory on realloc() failures |
|
Date: |
Wed, 29 Jul 2020 19:00:19 +0200 |
From: Peter Jones <pjones@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 7ba5b300b..5ec4433b8 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
{
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
grub_size_t sz;
+ char *new;
if (grub_add (size, len2, &sz) ||
grub_add (sz, 1, &sz))
return;
- ctx->symlink = grub_realloc (ctx->symlink, sz);
- if (! ctx->symlink)
- return;
+ new = grub_realloc (ctx->symlink, sz);
+ if (!new)
+ {
+ grub_free (ctx->symlink);
+ ctx->symlink = NULL;
+ return;
+ }
+ ctx->symlink = new;
grub_memcpy (ctx->symlink + size, part, len2);
ctx->symlink[size + len2] = 0;
@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
is the length. Both are part of the `Component
Record'. */
if (ctx->symlink && !ctx->was_continue)
- add_part (ctx, "/", 1);
+ {
+ add_part (ctx, "/", 1);
+ if (grub_errno)
+ return grub_errno;
+ }
+
add_part (ctx, (char *) &entry->data[pos + 2],
entry->data[pos + 1]);
ctx->was_continue = (entry->data[pos] & 1);
@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
add_part (ctx, "/", 1);
break;
}
+
+ /* Check if grub_realloc() failed in add_part(). */
+ if (grub_errno)
+ return grub_errno;
+
/* In pos + 1 the length of the `Component Record' is
stored. */
pos += entry->data[pos + 1] + 2;
--
2.11.0
- [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 02/28] safemath: Add some arithmetic primitives that check for overflow, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 03/28] calloc: Make sure we always have an overflow-checking calloc() available, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 04/28] calloc: Use calloc() at most places, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 01/28] yylex: Make lexer fatal errors actually be fatal, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 05/28] malloc: Use overflow checking primitives where we do complex allocations, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 06/28] iso9660: Don't leak memory on realloc() failures,
Daniel Kiper <=
- [SECURITY PATCH 07/28] font: Do not load more than one NAME section, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 08/28] gfxmenu: Fix double free in load_image(), Daniel Kiper, 2020/07/29
- [SECURITY PATCH 10/28] json: Avoid a double-free when parsing fails., Daniel Kiper, 2020/07/29
- [SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 12/28] term: Fix overflow on user inputs, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 13/28] udf: Fix memory leak, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 14/28] multiboot2: Fix memory leak if grub_create_loader_cmdline() fails, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 15/28] tftp: Do not use priority queue, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 18/28] script: Remove unused fields from grub_script_function struct, Daniel Kiper, 2020/07/29
- [SECURITY PATCH 19/28] script: Avoid a use-after-free when redefining a function during execution, Daniel Kiper, 2020/07/29