authorAlan Jenkins <alan-jenkins@tuffmail.co.uk>2009-09-30 17:22:10 +0100
committerAlan Jenkins <alan-jenkins@tuffmail.co.uk>2010-02-25 15:29:24 +0000
commit6c20c7fccae46cd5ac70e27fced1a7f93c96ff59 (patch)
tree74c06b8bcaf8f5943809f020e79e617e41f41d40
parent4b4fb8c2e5a1f6f85c3e19c7183bc6e79852f5f7 (diff)
downloadmodule-init-tools-6c20c7fccae46cd5ac70e27fced1a7f93c96ff59.tar.gz
elfops: fix crash on grab_fd() failure
If we call release_elf_file() when grab_fd() fails, it will call release_file() with a NULL pointer and undefined length. This can cause a crash when zlib support is disabled and release_file() is implemented using munmap(). This is only theoretical at the moment. However it will allow grab_elf_file_fd() to be removed straightforwardly, without creating a more significant bug. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
-rw-r--r--elfops.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/elfops.c b/elfops.c
index da2740e..51f02eb 100644
--- a/elfops.c
+++ b/elfops.c
@@ -91,17 +91,16 @@ struct elf_file *grab_elf_file_fd(const char *pathname, int fd)
file = malloc(sizeof(*file));
if (!file) {
errno = ENOMEM;
- return NULL;
+ goto fail;
}
file->pathname = strdup(pathname);
if (!file->pathname) {
- free(file);
errno = ENOMEM;
- return NULL;
+ goto fail_free_file;
}
file->data = grab_fd(fd, &file->len);
if (!file->data)
- goto fail;
+ goto fail_free_pathname;
switch (elf_ident(file->data, file->len, &file->conv)) {
case ELFCLASS32:
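Review bot: Both ENOMEM branches now assign `errno` before jumping to labels that call free(), whereas the removed code called `free(file)` first and set `errno` afterwards. free() is not guaranteed to leave errno untouched on older C libraries, so the value the caller sees could be overwritten; the same applies to whatever grab_fd() reported on the `fail_free_pathname` path. Consider keeping the value in a local before each jump, e.g. `saved_errno = errno;`, and assigning it back with `errno = saved_errno;` just before `return NULL;`. The cleanup labels themselves are in the second hunk.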
@@ -117,8 +116,12 @@ struct elf_file *grab_elf_file_fd(const char *pathname, int fd)
goto fail;
}
return file;
+
+fail_free_pathname:
+ free(file->pathname);
+fail_free_file:
+ free(file);
fail:
- release_elf_file(file);
return NULL;
}
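Review bot: The unchanged `goto fail;` in the switch's error branch now lands on a `fail:` label that frees nothing, so when elf_ident() rejects the file, the buffer from grab_fd(), `file->pathname` and `file` itself all appear to leak; before this change that path went through release_elf_file(). That branch is only reached with a non-NULL `file->data`, so it can release everything safely: add a `fail_release_data:` label with `release_file(file->data, file->len);` above `fail_free_pathname:` and change the jump to `goto fail_release_data;`. The release_file() argument order is inferred from the commit message and should be confirmed against its declaration. Part of the switch lies between the two hunks and is not visible here. Without the extra label, a tool that scans many non-ELF files would lose one mapping or allocation per rejected file.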