In grub-core/gfxmenu/gui_image.c, Coverity detected a double free in the
function load_image(). The function checks if self->bitmap and self->raw_bitmap
aren't NULL and then frees them. In the case self->bitmap and self->raw_bitmap
are the same, only self->raw_bitmap is freed which would also free the memory
used by self->bitmap. However, in this case self->bitmap isn't being set to NULL
which could lead to a double free later in the code. After self->raw_bitmap is
freed, it gets set to the variable bitmap. If this variable is NULL, the code
could have a path that would free self->bitmap a second time in the function
rescale_image().
Fixes: CID 292472
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
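The aliasing double free the message describes, and why clearing self->bitmap unconditionally closes it, as an added C model that is not GRUB's code: struct bitmap, struct image, bitmap_destroy, the two load_image tails and rescale_image are constructed stand-ins (rescale_image follows only the free path the commit message names), and destroys are counted instead of calling free().

```c
#include <stddef.h>

/* Constructed model of grub_video_bitmap_t: records how often it was destroyed. */
struct bitmap { int frees; };
struct image { struct bitmap *bitmap; struct bitmap *raw_bitmap; };

/* Stand-in for grub_video_bitmap_destroy(); a real free() twice here would corrupt the heap. */
static void bitmap_destroy(struct bitmap *b) { b->frees++; }

/* Hypothetical model of rescale_image(): no raw image, so a leftover scaled bitmap is released. */
static void rescale_image(struct image *self)
{
  if (self->raw_bitmap == NULL && self->bitmap != NULL) {
    bitmap_destroy(self->bitmap);
    self->bitmap = NULL;
  }
}

/* Pre-patch tail of load_image(): when bitmap aliases raw_bitmap, only raw_bitmap
 * is destroyed and self->bitmap keeps pointing at the released memory. */
static void load_image_old(struct image *self, struct bitmap *bitmap)
{
  if (self->bitmap && self->bitmap != self->raw_bitmap) {
    bitmap_destroy(self->bitmap);
    self->bitmap = NULL;
  }
  if (self->raw_bitmap)
    bitmap_destroy(self->raw_bitmap);
  self->raw_bitmap = bitmap;
  rescale_image(self);
}

/* Patched tail: self->bitmap is cleared once its memory is gone, aliased or not. */
static void load_image_new(struct image *self, struct bitmap *bitmap)
{
  if (self->bitmap && self->bitmap != self->raw_bitmap)
    bitmap_destroy(self->bitmap);
  if (self->raw_bitmap)
    bitmap_destroy(self->raw_bitmap);
  self->bitmap = NULL;
  self->raw_bitmap = bitmap;
  rescale_image(self);
}

/* Aliasing case: one shared bitmap and a NULL result from the new load (e.g. a
 * decode failure). Returns how many times the shared bitmap was destroyed. */
static int shared_bitmap_frees(void (*load)(struct image *, struct bitmap *))
{
  struct bitmap shared = { 0 };
  struct image self = { &shared, &shared };
  load(&self, NULL);
  return shared.frees;
}
```

The old tail destroys the shared bitmap twice (once in load_image, once in rescale_image); the patched tail destroys it exactly once.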
return grub_errno;
if (self->bitmap && (self->bitmap != self->raw_bitmap))
- {
- grub_video_bitmap_destroy (self->bitmap);
- self->bitmap = 0;
- }
+ grub_video_bitmap_destroy (self->bitmap);
if (self->raw_bitmap)
grub_video_bitmap_destroy (self->raw_bitmap);
+ /*
+ * Either self->bitmap is being freed or it shares memory with
+ * self->raw_bitmap which is being freed. To ensure self->bitmap doesn't
+ * point to memory that has been freed, we can set it to NULL.
+ */
+ self->bitmap = NULL;
self->raw_bitmap = bitmap;
return rescale_image (self);
}
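Review bot: The new `self->bitmap = NULL;` sits next to code in the same function that still clears pointers with `0` (the removed `self->bitmap = 0;` and the existing `rescale_image()` path); pick one spelling for the file, and note the new comment's "either ... or" leaves out the third case where self->bitmap was already NULL, so the unconditional assignment is correct but the comment could say "in every case" rather than enumerate two.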