From: Wentao_Liang <Wentao_Liang_g@163.com>
Date: Tue, 8 Mar 2022 08:18:11 +0000 (+0100)
Subject: aspeed: Fix a potential memory leak bug in write_boot_rom()
X-Git-Tag: v7.0.0-rc0~13^2~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05e6e40a869cc7e4492c5ffc8161005bbb7be986;p=thirdparty%2Fqemu.git

aspeed: Fix a potential memory leak bug in write_boot_rom()

A memory chunk is allocated with g_new0() and assigned to the variable
'storage'. However, if the branch takes true, there will be only an
error report but not a free operation for 'storage' before function
returns. As a result, a memory leak bug is triggered.

Use g_autofree to fix the issue.

Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
[ clg: reworked the commit log ]
Signed-off-by: Cédric Le Goater <clg@kaod.org>
---

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index 11558b327bc..b71bc2559ba 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -246,7 +246,7 @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
                            Error **errp)
 {
     BlockBackend *blk = blk_by_legacy_dinfo(dinfo);
-    uint8_t *storage;
+    g_autofree void *storage = NULL;
     int64_t size;
 
     /* The block backend size should have already been 'validated' by
@@ -262,14 +262,13 @@ static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
         rom_size = size;
     }
 
-    storage = g_new0(uint8_t, rom_size);
+    storage = g_malloc0(rom_size);
     if (blk_pread(blk, 0, storage, rom_size) < 0) {
         error_setg(errp, "failed to read the initial flash content");
         return;
     }
 
     rom_add_blob_fixed("aspeed.boot_rom", storage, rom_size, addr);
-    g_free(storage);
 }
 
 static void aspeed_board_init_flashes(AspeedSMCState *s,