From 6c4d4db2bc8d8b682bd927144d37daa2ab21a6d6 Mon Sep 17 00:00:00 2001 From: Lasse Collin Date: Fri, 27 May 2011 22:25:44 +0300 Subject: [PATCH] xz: Fix error handling in xz -lvv. It could do an invalid free() and read past the end of the uninitialized filters array. --- src/xz/list.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/src/xz/list.c b/src/xz/list.c index 1c93718b..98307eb2 100644 --- a/src/xz/list.c +++ b/src/xz/list.c @@ -382,14 +382,9 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter, if (buf.u8[0] == 0) goto data_error; - lzma_block block; - lzma_filter filters[LZMA_FILTERS_MAX + 1]; - - // Initialize the pointers so that they can be passed to free(). - for (size_t i = 0; i < ARRAY_SIZE(filters); ++i) - filters[i].options = NULL; - // Initialize the block structure and decode Block Header Size. + lzma_filter filters[LZMA_FILTERS_MAX + 1]; + lzma_block block; block.version = 0; block.check = iter->stream.flags->check; block.filters = filters; @@ -437,6 +432,10 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter, break; case LZMA_DATA_ERROR: + // Free the memory allocated by lzma_block_header_decode(). + for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i) + free(filters[i].options); + goto data_error; default: @@ -466,14 +465,6 @@ data_error: // Show the error message. message_error("%s: %s", pair->src_name, message_strm(LZMA_DATA_ERROR)); - - // Free the memory allocated by lzma_block_header_decode(). - // This is truly needed only if we get here after a succcessful - // call to lzma_block_header_decode() but it doesn't hurt to - // always do it. - for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i) - free(filters[i].options); - return true; }