xz: Fix error handling in xz -lvv.

It could do an invalid free() and read past the end
of the uninitialized filters array.
Lasse Collin 2011-05-27 22:25:44 +03:00
parent 844f84fcad
commit 6c4d4db2bc
1 changed files with 6 additions and 15 deletions


@ -382,14 +382,9 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter,
if (buf.u8[0] == 0)
goto data_error;
lzma_block block;
lzma_filter filters[LZMA_FILTERS_MAX + 1];
// Initialize the pointers so that they can be passed to free().
for (size_t i = 0; i < ARRAY_SIZE(filters); ++i)
filters[i].options = NULL;
// Initialize the block structure and decode Block Header Size.
lzma_filter filters[LZMA_FILTERS_MAX + 1];
lzma_block block;
block.version = 0;
block.check = iter->stream.flags->check;
block.filters = filters;
@ -437,6 +432,10 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter,
break;
case LZMA_DATA_ERROR:
// Free the memory allocated by lzma_block_header_decode().
for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
free(filters[i].options);
goto data_error;
default:
@ -466,14 +465,6 @@ data_error:
// Show the error message.
message_error("%s: %s", pair->src_name,
message_strm(LZMA_DATA_ERROR));
// Free the memory allocated by lzma_block_header_decode().
// This is truly needed only if we get here after a succcessful
// call to lzma_block_header_decode() but it doesn't hurt to
// always do it.
for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
free(filters[i].options);
return true;
}
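Review bot: The free loop under `case LZMA_DATA_ERROR:` is safe only if that case is reached solely after lzma_block_header_decode() has filled `filters` and terminated it with LZMA_VLI_UNKNOWN, because `filters` is no longer pre-initialised with NULL `options` pointers; the switch expression lies outside the hunk, so this cannot be confirmed from here. The comment above the loop should state that invariant, e.g. `// Reached only after lzma_block_header_decode() succeeded, so filters[] is terminated with LZMA_VLI_UNKNOWN.` As defence in depth the loop could also be bounded, `for (size_t i = 0; i < ARRAY_SIZE(filters) && filters[i].id != LZMA_VLI_UNKNOWN; ++i)`, so a missing terminator cannot walk past the end of the array. The `default:` branch that follows is cut off by the hunk; if it can be taken after a successful decode it presumably needs the same cleanup to avoid leaking the filter options.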