[COMMITTED] libdwfl: Fix double free on failure path in gzip.c.

Mark Wielaard mark@klomp.org
Sun Apr 26 00:39:55 GMT 2020


GCC10 -fanalyzer found a double free when openstream failed. When
openstream fails __libdw_gunzip will call fail, which frees the
state->buffer. But openstream can call zlib_fail, which will also
call fail. Instead of calling zlib_fail, just return the error
that zlib_fail would have returned.

Signed-off-by: Mark Wielaard <mark@klomp.org>
---
 libdwfl/ChangeLog | 5 +++++
 libdwfl/gzip.c    | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 4ddc9ad4..daedaed8 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2020-04-25  Mark Wielaard  <mark@klomp.org>
+
+	* gzip.c (open_stream): Return DWFL_E_NOMEM instead of calling
+	zlib_fail.
+
 2020-04-16  Mark Wielaard  <mark@klomp.org>
 
 	* find-debuginfo.c (dwfl_standard_find_debuginfo): Initialize bits
diff --git a/libdwfl/gzip.c b/libdwfl/gzip.c
index 043d0b6e..e9988cc2 100644
--- a/libdwfl/gzip.c
+++ b/libdwfl/gzip.c
@@ -153,7 +153,7 @@ open_stream (int fd, off_t start_offset, struct unzip_state *state)
     if (unlikely (state->zf == NULL))
       {
 	close (d);
-	return zlib_fail (state, Z (MEM_ERROR));
+	return DWFL_E_NOMEM;
       }
 
     /* From here on, zlib will close D.  */
-- 
2.18.2



More information about the Elfutils-devel mailing list