From 872623def5e3e5c7f9f14f366d908f3e012d1007 Mon Sep 17 00:00:00 2001 From: Lasse Collin Date: Thu, 24 Nov 2022 01:26:37 +0200 Subject: [PATCH] liblzma: Fix another invalid free() after memory allocation failure. This time it can happen when lzma_stream_encoder_mt() is used to reinitialize an existing multi-threaded Stream encoder and one of 1-4 tiny allocations in lzma_filters_copy() fail. It's very similar to the previous bug 10430fbf3820dafd4eafd38ec8be161a6978ed2b, happening with an array of lzma_filter structures whose old options are freed but the replacement never arrives due to a memory allocation failure in lzma_filters_copy(). --- src/liblzma/common/stream_encoder_mt.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/liblzma/common/stream_encoder_mt.c b/src/liblzma/common/stream_encoder_mt.c index 819b2273..6dc10c3a 100644 --- a/src/liblzma/common/stream_encoder_mt.c +++ b/src/liblzma/common/stream_encoder_mt.c @@ -1053,6 +1053,10 @@ stream_encoder_mt_init(lzma_next_coder *next, const lzma_allocator *allocator, for (size_t i = 0; coder->filters[i].id != LZMA_VLI_UNKNOWN; ++i) lzma_free(coder->filters[i].options, allocator); + // Mark it as empty so that it is in a safe state in case + // lzma_filters_copy() fails. + coder->filters[0].id = LZMA_VLI_UNKNOWN; + return_if_error(lzma_filters_copy( filters, coder->filters, allocator));