io/gzio: Bail if gzio->tl/td is NULL

This is an ugly fix that doesn't address why gzio->tl comes to be NULL.
However, it seems to be sufficient to patch up a bunch of NULL derefs.

It would be good to revisit this in future and see if we can have
a cleaner solution that addresses some of the causes of the unexpected
NULL pointers.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
index 43d98a7bdf4405d55db8e7208058a9f8c603d533..4a8eaeae28f8119681cba2a50b4363ac05f10265 100644 (file)
--- a/grub-core/io/gzio.c
+++ b/grub-core/io/gzio.c
@@ -669,6 +669,13 @@ inflate_codes_in_window (grub_gzio_t gzio)
     {
       if (! gzio->code_state)
        {
+
+         if (gzio->tl == NULL)
+           {
+             grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
+             return 1;
+           }
+
          NEEDBITS ((unsigned) gzio->bl);
          if ((e = (t = gzio->tl + ((unsigned) b & ml))->e) > 16)
            do
@@ -707,6 +714,12 @@ inflate_codes_in_window (grub_gzio_t gzio)
              n = t->v.n + ((unsigned) b & mask_bits[e]);
              DUMPBITS (e);
 
+             if (gzio->td == NULL)
+               {
+                 grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->td");
+                 return 1;
+               }
+
              /* decode distance of block to copy */
              NEEDBITS ((unsigned) gzio->bd);
              if ((e = (t = gzio->td + ((unsigned) b & md))->e) > 16)
@@ -917,6 +930,13 @@ init_dynamic_block (grub_gzio_t gzio)
   n = nl + nd;
   m = mask_bits[gzio->bl];
   i = l = 0;
+
+  if (gzio->tl == NULL)
+    {
+      grub_error (GRUB_ERR_BAD_COMPRESSED_DATA, "NULL gzio->tl");
+      return;
+    }
+
   while ((unsigned) i < n)
     {
       NEEDBITS ((unsigned) gzio->bl);