lib/relocator: Fix dereference after NULL check
authorVladimir Serbinenko <phcoder@gmail.com>
Wed, 19 Nov 2025 06:37:32 +0000 (06:37 +0000)
committerDaniel Kiper <daniel.kiper@oracle.com>
Thu, 20 Nov 2025 16:28:00 +0000 (17:28 +0100)
In the function free_subchunk(), after checking that subchu->post isn't NULL,
grub_memset() is called on subchu->pre->freebytes but it should be called on
subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL,
then this could lead to a NULL pointer dereference.

Fixes: CID 473882
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/lib/relocator.c

index 1e1e09704ae80b35148d721cc18a67faa55efb8f..37da0c6db0b150ed3ca4a0435cb6ad73555f8c11 100644 (file)
@@ -398,9 +398,9 @@ free_subchunk (const struct grub_relocator_subchunk *subchu)
        if (subchu->post)
          {
            int off = subchu->start + subchu->size - fend;
-           grub_memset (subchu->pre->freebytes,
-                        0xff, sizeof (subchu->pre->freebytes) - off / 8);
-           subchu->pre->freebytes[off / 8] |= ((1 << (8 - (off % 8))) - 1);
+           grub_memset (subchu->post->freebytes,
+                        0xff, sizeof (subchu->post->freebytes) - off / 8 - 1);
+           subchu->post->freebytes[sizeof (subchu->post->freebytes) - off / 8 - 1] |= ((1 << (8 - (off % 8))) - 1);
            check_leftover (subchu->post);
          }
 #endif
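Review bot: Nothing in this hunk bounds `off` before `sizeof (subchu->post->freebytes) - off / 8 - 1` is used as both the grub_memset() length and the index of the following `|=`. The expression is evaluated in an unsigned size type, so it stops fitting inside `freebytes` in two cases: if `off / 8` reaches the array size it wraps to a huge value, and if `off` is below -7 it lands at or past the end of the array. Whether earlier code in free_subchunk(), which starts above this hunk, already guarantees the range is not visible here. If it does not, a guard before the memset such as `if (off < 0 || (grub_size_t) off / 8 >= sizeof (subchu->post->freebytes))`, treated as an internal error, would close the gap. Computing the value once into a local, e.g. `grub_size_t last = sizeof (subchu->post->freebytes) - off / 8 - 1;`, would also keep the length and the index from diverging, as they did in the removed lines.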