debugfs: fix memory allocation failures when parsing journal_write arguments

Fix double-free issues when parsing an invalid journal_write command,
such as: "journal_write -b 12 -b BAD -b 42".

Addresses-Coverity-Bug: 1464571
Addresses-Coverity-Bug: 1464575
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

2 files changed, 13 insertions, 10 deletions

diff --git a/debugfs/do_journal.c b/debugfs/do_journal.c
index c25e89467..a49bc369a 100644
--- a/debugfs/do_journal.c
+++ b/debugfs/do_journal.c
@@ -556,15 +556,19 @@ void do_journal_write(int argc, char *argv[], int sci_idx EXT2FS_ATTR((unused)),
 		switch (opt) {
 		case 'b':
 			err = read_list(optarg, &blist, &bn);
-			if (err)
+			if (err) {
 				com_err(argv[0], err,
 					"while reading block list");
+				goto out;
+			}
 			break;
 		case 'r':
 			err = read_list(optarg, &rlist, &rn);
-			if (err)
+			if (err) {
 				com_err(argv[0], err,
 					"while reading revoke list");
+				goto out;
+			}
 			break;
 		case 'c':
 			flags |= JOURNAL_WRITE_NO_COMMIT;
diff --git a/debugfs/util.c b/debugfs/util.c
index fb05e897b..be6b550e4 100644
--- a/debugfs/util.c
+++ b/debugfs/util.c
@@ -521,7 +521,7 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
 	blk64_t *lst = *list;
 	size_t ln = *len;
 	char *tok, *p = str;
-	errcode_t retval;
+	errcode_t retval = 0;
 
 	while ((tok = strtok(p, ","))) {
 		blk64_t *l;
@@ -538,15 +538,17 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
 				return errno;
 		} else if (*e != 0) {
 			retval = EINVAL;
-			goto err;
+			break;
 		}
 		if (y < x) {
 			retval = EINVAL;
-			goto err;
+			break;
 		}
 		l = realloc(lst, sizeof(blk64_t) * (ln + y - x + 1));
-		if (l == NULL)
-			return ENOMEM;
+		if (l == NULL) {
+			retval = ENOMEM;
+			break;
+		}
 		lst = l;
 		for (; x <= y; x++)
 			lst[ln++] = x;
@@ -555,9 +557,6 @@ errcode_t read_list(char *str, blk64_t **list, size_t *len)
 
 	*list = lst;
 	*len = ln;
-	return 0;
-err:
-	free(lst);
 	return retval;
 }