From b5a2b59cc5b8f5ee7ba3b951e7693e402d5b3a6f Mon Sep 17 00:00:00 2001
From: Daniel Axtens
Date: Thu, 21 Jan 2021 12:22:28 +1100
Subject: [PATCH] io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build() fails

If huft_build() fails, gzio->tl or gzio->td could contain pointers that are no longer valid. Zero them out. This prevents a double free when grub_gzio_close() comes through and attempts to free them again.

Signed-off-by: Daniel Axtens
Reviewed-by: Daniel Kiper
Signed-off-by: Stefan Sørensen
---
 grub-core/io/gzio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index 19adebe..aea86a0 100644
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -1010,6 +1010,7 @@ init_dynamic_block (grub_gzio_t gzio)
 gzio->bl = lbits;
 if (huft_build (ll, nl, 257, cplens, cplext, &gzio->tl, &gzio->bl) != 0)
 {
+ gzio->tl = 0;
 grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
 "failed in building a Huffman code table");
 return;
@@ -1019,6 +1020,7 @@ init_dynamic_block (grub_gzio_t gzio)
 {
 huft_free (gzio->tl);
 gzio->tl = 0;
+ gzio->td = 0;
 grub_error (GRUB_ERR_BAD_COMPRESSED_DATA,
 "failed in building a Huffman code table");
 return;
--
2.14.2
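Review bot: Clearing `gzio->tl` in the first failure branch is only leak-free if huft_build() has already released whatever it stored through `&gzio->tl` on every non-zero return, and huft_build() is not visible in this patch. If some failure return leaves a live table behind, the assignment would trade the double free for a memory leak on malformed compressed input; the same holds for `gzio->td = 0;` in the second hunk. A comment on each assignment would record the contract, for example `/* huft_build() already freed the partial table; clear the stale pointer so grub_gzio_close() cannot free it again */`. The body of init_dynamic_block() starts and ends outside both hunks.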
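Review bot: After the second failure branch both `gzio->tl` and `gzio->td` are null, and init_dynamic_block() returns nothing, so the only failure signal left is the error recorded by grub_error(). The callers are outside this patch, so it should be confirmed that each one tests `grub_errno` before any decoding step walks the tables. A guard such as `if (!gzio->tl || !gzio->td)` at the start of the code that consumes the tables would make this fail closed instead of relying on every caller to check.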