From 8f60ea029a81e1419c4b6f95a1fdf4b166c4efd2 Mon Sep 17 00:00:00 2001
From: David Oberhollenzer
Date: Tue, 24 Sep 2019 17:46:54 +0200
Subject: Fix memory and pointer leaks in data reader error paths
Make sure that the block cache pointers are reset to NULL after freeing them, the get_block function does not update them on failure. Also, make sure all error paths in the get_block function actually clean up the allocated memory.
Signed-off-by: David Oberhollenzer
---
 lib/sqfs/data_reader.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'lib/sqfs/data_reader.c')
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c
index 2603cfe..19b416b 100644
--- a/lib/sqfs/data_reader.c
+++ b/lib/sqfs/data_reader.c
@@ -57,8 +57,10 @@ static int get_block(sqfs_data_reader_t *data, uint64_t off, uint32_t size,
 on_disk_size = SQFS_ON_DISK_BLOCK_SIZE(size);
- if (on_disk_size > unpacked_size)
+ if (on_disk_size > unpacked_size) {
+ free(blk);
 return SQFS_ERROR_OVERFLOW;
+ }
 if (SQFS_IS_BLOCK_COMPRESSED(size)) {
 err = data->file->read_at(data->file, off,
@@ -95,6 +97,7 @@ static int precache_data_block(sqfs_data_reader_t *data, uint64_t location,
 return 0;
 free(data->data_block);
+ data->data_block = NULL;
 ret = get_block(data, location, size, data->block_size, &data->data_block);
@@ -119,6 +122,7 @@ static int precache_fragment_block(sqfs_data_reader_t *data, size_t idx)
 return SQFS_ERROR_OUT_OF_BOUNDS;
 free(data->frag_block);
+ data->frag_block = NULL;
 ret = get_block(data, data->frag[idx].start_offset, data->frag[idx].size, data->block_size,
-- 
cgit v1.2.3
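Review bot: The overflow check in get_block reads only `size` and `unpacked_size`, so it could run before `blk` is allocated, which would make the added `free(blk);` unnecessary and leave one fewer error path that has to remember the cleanup. The allocation is outside the hunk, so this assumes nothing between it and the check is needed first. If the order has to stay, a single `fail:` label holding `free(blk);` that every later error path jumps to would keep the paths from drifting apart again. The `read_at` error handling continues past the end of the hunk and cannot be checked from here.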
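Review bot: Clearing `data->data_block` here, and `data->frag_block` in the precache_fragment_block hunk, fixes the stale pointer only at these two call sites; the rule that get_block leaves its output argument untouched on failure is stated in the commit message but not in the code. A comment above each new assignment, for example `/* get_block() does not write the pointer on failure; clear it so a failed reload cannot leave a freed block cached */`, would keep a later cleanup from removing the line as redundant. Having get_block store NULL through its output pointer on entry would enforce the same thing for any future caller, since a pointer left stale would otherwise reach the `free()` at the top of the next reload a second time. Both function bodies start and end outside their hunks.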