From: Vladimir Serbinenko Date: Wed, 19 Nov 2025 06:37:32 +0000 (+0000) Subject: lib/relocator: Fix dereference after NULL check X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae69b464bedfdf4da9147124dce28cbebf3bb3d9;p=thirdparty%2Fgrub.git lib/relocator: Fix dereference after NULL check In the function free_subchunk(), after checking that subchu->post isn't NULL, grub_memset() is called on subchu->pre->freebytes but it should be called on subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL, then this could lead to a NULL pointer dereference. Fixes: CID 473882 Signed-off-by: Vladimir Serbinenko Signed-off-by: Alec Brown Reviewed-by: Sudhakar Kuppusamy Reviewed-by: Daniel Kiper
---
diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 1e1e09704..37da0c6db 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -398,9 +398,9 @@ free_subchunk (const struct grub_relocator_subchunk *subchu)
 if (subchu->post)
 {
 int off = subchu->start + subchu->size - fend;
- grub_memset (subchu->pre->freebytes,
- 0xff, sizeof (subchu->pre->freebytes) - off / 8);
- subchu->pre->freebytes[off / 8] |= ((1 << (8 - (off % 8))) - 1);
+ grub_memset (subchu->post->freebytes,
+ 0xff, sizeof (subchu->post->freebytes) - off / 8 - 1);
+ subchu->post->freebytes[sizeof (subchu->post->freebytes) - off / 8 - 1] |= ((1 << (8 - (off % 8))) - 1);
 check_leftover (subchu->post);
 }
 #endif
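Review bot: The added lines change the bitmap arithmetic as well as the pointer: the memset length on the second `+` line gains a `- 1` and the partial-byte index on the third moves from `off / 8` to `sizeof (subchu->post->freebytes) - off / 8 - 1`, so the bytes marked free are no longer the ones the removed lines computed, yet the commit message only describes the `pre`→`post` correction. Either the message should state why the length and index changed, or it should be confirmed against the `pre` branch (outside this hunk) that both branches index `freebytes` with the same orientation. Separately, `off` is an `int` subtracted from a `size_t` and `fend` is computed outside the hunk; if `off` can be negative or reach `8 * sizeof (subchu->post->freebytes)`, the memset length wraps and the index runs past the array with no guard here, so a short comment pinning the expected range of `off` — presumably `0 <= off < 8 * sizeof (subchu->post->freebytes)`, to be confirmed — would make the arithmetic reviewable. free_subchunk starts and ends outside the hunk.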