author:    David Woodhouse <dwmw@amazon.co.uk>  2017-03-08 22:41:08 +0000
committer: Simon Horman <horms@verge.net.au>    2017-03-13 09:58:55 +0100
commit:    0cc1891c4dc84a2cbbd1f126134ce51538f260dc (patch)
tree:      31cb8d94c6dabfeca7c7031b470e93691a2461f9
parent:    ed15ba1b9977e506637ff1697821d97127b2c919 (diff)
download:  kexec-tools-0cc1891c4dc84a2cbbd1f126134ce51538f260dc.tar.gz
uImage: fix realloc() pointer confusion
We carefully avoid the realloc() API trap by *not* using the
'ptr = realloc(ptr, new_size)' idiom which can lead to leaks on failure.
Very commendable, even though all we're going to do is exit() on failure
so it wouldn't have mattered.

What *does* matter is that we then ask zlib to continue decompression...
just past the end of the *old* buffer that just got freed. Oops.

Apparently nobody has *ever* tested this code by booting a uImage with a
compressed payload larger than 10MiB.

Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Simon Horman <horms@verge.net.au>
 kexec/kexec-uImage.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
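The stale-pointer pattern the commit message describes, as an added example that is not kexec-tools code and not the author's: a growable output buffer fed by an incremental decoder, written so that the stream's write pointer is recomputed from the new allocation only after realloc() has succeeded. zlib is not linked here; a small run-length decoder with inflate()-like `next_out`/`avail_out` semantics stands in for it, and every name below (`out_stream`, `grow_output`, `rle_inflate`, `rle_decompress_all`, `rle_demo_ok`) is this example's own. It goes one step beyond the patch: instead of `uncomp_buf + mem_alloc - inc_buf`, which assumes the old buffer was completely full, it saves the write offset before the realloc() and re-applies it, which is correct whether or not the buffer was full.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not kexec-tools code.  A run-length decoder stands in for zlib's
 * inflate(); names (out_stream, grow_output, rle_*) are this example's own. */
struct out_stream {
    unsigned char *next_out;    /* where the decoder writes next */
    size_t avail_out;           /* bytes free at next_out */
};

/* Grow the output buffer by 'inc' bytes, in the order the commit establishes:
 * replace the buffer pointer only once realloc() succeeded, then derive
 * next_out from the new pointer, never from the old one realloc() may have
 * freed.  Returns 0, or -1 with the old buffer still valid and untouched. */
static int grow_output(unsigned char **buf, size_t *alloc, size_t inc,
                       struct out_stream *strm)
{
    size_t used = (size_t)(strm->next_out - *buf);  /* offset survives realloc */
    unsigned char *new_buf = realloc(*buf, *alloc + inc);
    if (!new_buf)
        return -1;
    *alloc += inc;
    *buf = new_buf;                     /* update the buffer first ... */
    strm->next_out = *buf + used;       /* ... then recompute next_out from it */
    strm->avail_out = *alloc - used;
    return 0;
}

/* Stand-in decompressor: input is (count, byte) pairs.  Like inflate() it keeps
 * state across calls and stops when avail_out hits zero, so the caller must grow
 * the buffer and call again. */
enum { RLE_END = 0, RLE_NEED_SPACE = 1, RLE_BAD_INPUT = -1 };
struct rle_state {
    const unsigned char *in;
    size_t in_len, pos;
    unsigned remaining;         /* bytes left in the current run */
    unsigned char value;        /* byte the current run repeats */
};

static int rle_inflate(struct rle_state *s, struct out_stream *strm)
{
    for (;;) {
        if (s->remaining == 0) {
            if (s->pos == s->in_len)
                return RLE_END;
            if (s->in_len - s->pos < 2)
                return RLE_BAD_INPUT;       /* dangling count byte */
            s->remaining = s->in[s->pos];
            s->value = s->in[s->pos + 1];
            s->pos += 2;
            continue;                       /* zero-length runs are skipped */
        }
        if (strm->avail_out == 0)
            return RLE_NEED_SPACE;
        *strm->next_out++ = s->value;
        strm->avail_out--;
        s->remaining--;
    }
}

/* Decode everything into a heap buffer grown 'inc' bytes at a time.
 * Returns the buffer (caller frees) and its length, or NULL on error. */
static unsigned char *rle_decompress_all(const unsigned char *in, size_t in_len,
                                         size_t inc, size_t *out_len)
{
    struct rle_state s = { in, in_len, 0, 0, 0 };
    struct out_stream strm;
    size_t mem_alloc = inc;
    unsigned char *uncomp_buf = malloc(mem_alloc);
    if (!uncomp_buf)
        return NULL;
    strm.next_out = uncomp_buf;
    strm.avail_out = mem_alloc;
    for (;;) {
        int ret = rle_inflate(&s, &strm);
        if (ret == RLE_END)
            break;
        if (ret != RLE_NEED_SPACE ||
            grow_output(&uncomp_buf, &mem_alloc, inc, &strm) < 0) {
            free(uncomp_buf);               /* still valid after a failed grow */
            return NULL;
        }
    }
    *out_len = mem_alloc - strm.avail_out;
    return uncomp_buf;
}

/* Constructed input: with a 4-byte step the 15-byte result forces three grows,
 * so most of the output goes through the repointed next_out.  Returns 1 if the
 * decoded bytes match and a truncated stream is rejected without leaking. */
static int rle_demo_ok(void)
{
    static const unsigned char packed[] = { 5, 'a', 0, 'x', 7, 'b', 3, 'c' };
    static const unsigned char truncated[] = { 2, 'a', 3 };
    const char *expect = "aaaaabbbbbbbccc";
    size_t out_len = 0;
    unsigned char *out = rle_decompress_all(packed, sizeof packed, 4, &out_len);
    int ok = out && out_len == strlen(expect) && memcmp(out, expect, out_len) == 0;
    free(out);
    return ok && rle_decompress_all(truncated, sizeof truncated, 4, &out_len) == NULL;
}
```

The bug the commit fixes would reappear by swapping the two marked lines in `grow_output()`: `next_out` would then be computed from the pre-realloc pointer, and once the allocator has moved the block every subsequent write lands in freed memory. Saving `used` as an offset rather than a pointer is what makes the order of the remaining statements robust.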
diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c
index 5e246298..667cd932 100644
--- a/kexec/kexec-uImage.c
+++ b/kexec/kexec-uImage.c
@@ -210,9 +210,9 @@ static int uImage_gz_load(const unsigned char *buf, off_t len,
return -1;
}
+ uncomp_buf = new_buf;
strm.next_out = uncomp_buf + mem_alloc - inc_buf;
strm.avail_out = inc_buf;
- uncomp_buf = new_buf;
} else {
printf("Error during decompression %d\n", ret);
return -1;
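Review bot: the move is the right fix, since once the old block has gone into realloc() the only pointer `strm.next_out` may be derived from is `new_buf`, but correctness now rests purely on statement order with nothing marking it; either compute the pointer from `new_buf` directly (`strm.next_out = new_buf + mem_alloc - inc_buf;` followed by `uncomp_buf = new_buf;`) or leave a one-line comment so the assignment is not reordered back. Separately, `uncomp_buf + mem_alloc - inc_buf` together with `strm.avail_out = inc_buf` assumes zlib had filled the old buffer to the last byte when the resize was triggered; that holds if this branch is only entered on a full output buffer, but saving `strm.next_out - uncomp_buf` before the realloc() and re-applying it to `new_buf` would hold in either case.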