From 5efb4029deaa8e0bfc7a4293a28e25469500ec06 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Sat, 4 Jul 2020 12:25:09 -0400 Subject: [PATCH 210/237] iso9660: Don't leak memory on realloc() failures Signed-off-by: Peter Jones Reviewed-by: Daniel Kiper Upstream-commit-id: f2bd30b2fe7 --- grub-core/fs/iso9660.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c index f45841e2b47..6fc9302bce3 100644 --- a/grub-core/fs/iso9660.c +++ b/grub-core/fs/iso9660.c @@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx, { int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; grub_size_t sz; + char *new; if (grub_add (size, len2, &sz) || grub_add (sz, 1, &sz)) return; - ctx->symlink = grub_realloc (ctx->symlink, sz); - if (! ctx->symlink) - return; + new = grub_realloc (ctx->symlink, sz); + if (!new) + { + grub_free (ctx->symlink); + ctx->symlink = NULL; + return; + } + ctx->symlink = new; grub_memcpy (ctx->symlink + size, part, len2); ctx->symlink[size + len2] = 0; @@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, is the length. Both are part of the `Component Record'. */ if (ctx->symlink && !ctx->was_continue) - add_part (ctx, "/", 1); + { + add_part (ctx, "/", 1); + if (grub_errno) + return grub_errno; + } + add_part (ctx, (char *) &entry->data[pos + 2], entry->data[pos + 1]); ctx->was_continue = (entry->data[pos] & 1); @@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, add_part (ctx, "/", 1); break; } + + /* Check if grub_realloc() failed in add_part(). */ + if (grub_errno) + return grub_errno; + /* In pos + 1 the length of the `Component Record' is stored. */ pos += entry->data[pos + 1] + 2; -- 2.26.2