From 33686804d29e676177d408f1ce047b8c35185ddb Mon Sep 17 00:00:00 2001
From: Richard Genoud
Date: Tue, 3 Nov 2020 12:11:17 +0100
Subject: fs/squashfs: sqfs_get_abs_path: fix possible memory leak on error

if sqfs_tokenize(rel_tokens, rc, rel); fails, the function exits without freeing the array base_tokens.

Reviewed-by: Joao Marcos Costa
Signed-off-by: Richard Genoud
---
fs/squashfs/sqfs.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
(limited to 'fs')

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 825d5d1..f41deec 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -340,28 +340,31 @@ static char *sqfs_get_abs_path(const char *base, const char *rel)
 char **base_tokens, **rel_tokens, *resolved = NULL;
 int ret, bc, rc, i, updir = 0, resolved_size = 0, offset = 0;

+ base_tokens = NULL;
+ rel_tokens = NULL;
+
 /* Memory allocation for the token lists */
 bc = sqfs_count_tokens(base);
 rc = sqfs_count_tokens(rel);
 if (bc < 1 || rc < 1)
 return NULL;

- base_tokens = malloc(bc * sizeof(char *));
+ base_tokens = calloc(bc, sizeof(char *));
 if (!base_tokens)
 return NULL;

- rel_tokens = malloc(rc * sizeof(char *));
+ rel_tokens = calloc(rc, sizeof(char *));
 if (!rel_tokens)
- goto free_b_tokens;
+ goto out;

 /* Fill token lists */
 ret = sqfs_tokenize(base_tokens, bc, base);
 if (ret)
- goto free_r_tokens;
+ goto out;

 ret = sqfs_tokenize(rel_tokens, rc, rel);
 if (ret)
- goto free_r_tokens;
+ goto out;

 /* count '..' occurrences in target path */
 for (i = 0; i < rc; i++) {
@@ -372,7 +375,7 @@ static char *sqfs_get_abs_path(const char *base, const char *rel)
 /* Remove the last token and the '..' occurrences */
 bc = sqfs_clean_base_path(base_tokens, bc, updir);
 if (bc < 0)
- goto free_r_tokens;
+ goto out;

 /* Calculate resolved path size */
 if (!bc)
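Review bot: The `goto out` taken after a failed `sqfs_tokenize()` is only safe if that helper leaves every slot of the token array either NULL or pointing at a still-live allocation when it returns an error. The old code sent this path to `free_r_tokens`, past the per-entry free loops; the new `out:` label (last hunk) runs `free(rel_tokens[i])` and `free(base_tokens[i])` over all `rc` and `bc` slots. sqfs_tokenize() is not part of this diff, so if it already releases its partial entries without clearing them, those pointers would be freed a second time here. I would confirm that contract and state it above the calls, e.g. `/* on error sqfs_tokenize() leaves unfilled slots NULL; out: frees the rest */`.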
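Review bot: On the `if (bc < 0) goto out;` path `bc` has already been overwritten with the negative return value of `sqfs_clean_base_path()`, so the `for (i = 0; i < bc; i++) free(base_tokens[i]);` loop at `out:` releases none of the base token strings. Whether they leak depends on what sqfs_clean_base_path() freed before failing, which this diff does not show. Keeping the original count for cleanup would make the path easier to audit, e.g. `ret = sqfs_clean_base_path(base_tokens, bc, updir); if (ret < 0) goto out; bc = ret;`, but that is only correct if the helper leaves the entries intact on error or sets the ones it frees to NULL. The function body continues outside this hunk.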
@@ -383,7 +386,7 @@ static char *sqfs_get_abs_path(const char *base, const char *rel)

 resolved = malloc(resolved_size + 1);
 if (!resolved)
- goto free_r_tokens_loop;
+ goto out;

 /* Set resolved path */
 memset(resolved, '\0', resolved_size + 1);
@@ -391,14 +394,15 @@ static char *sqfs_get_abs_path(const char *base, const char *rel)
 resolved[offset++] = '/';
 offset += sqfs_join(rel_tokens, resolved + offset, updir, rc, '/');

-free_r_tokens_loop:
- for (i = 0; i < rc; i++)
- free(rel_tokens[i]);
- for (i = 0; i < bc; i++)
- free(base_tokens[i]);
-free_r_tokens:
+out:
+ if (rel_tokens)
+ for (i = 0; i < rc; i++)
+ free(rel_tokens[i]);
+ if (base_tokens)
+ for (i = 0; i < bc; i++)
+ free(base_tokens[i]);
+
 free(rel_tokens);
-free_b_tokens:
 free(base_tokens);

 return resolved;
-- 
cgit v1.1
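Review bot: The cleanup at `out:` nests an unbraced `for` inside an unbraced `if`, which is easy to break when a later patch adds a statement; I would brace the outer level, e.g. `if (rel_tokens) {` ... `}` around each loop. The label would also benefit from a comment recording why the loops are safe on a partially filled array: `/* arrays are calloc'ed, so unfilled slots are NULL and free() ignores them */`. The `if (rel_tokens)` guard is needed because `out` is reachable with `rel_tokens == NULL` when its calloc() fails. The `if (base_tokens)` guard looks redundant in the visible code, since a failed `base_tokens` allocation returns before any `goto out`. The closing brace of the function lies outside this hunk.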