In grub-core/gfxmenu/gui_image.c, coverity detected a double free in the
function load_image(). The function checks if self->bitmap and self->raw_bitmap
aren't NULL and then frees them. In the case self->bitmap and self->raw_bitmap
are the same, only self->raw_bitmap is freed which would also free the memory
used by self->bitmap. However, in this case self->bitmap isn't being set to NULL
which could lead to a double free later in the code. After self->raw_bitmap is
freed, it gets set to the variable bitmap. If this variable is NULL, the code
could have a path that would free self->bitmap a second time in the function
rescale_image().
Fixes: CID 292472
Signed-off-by: Alec Brown <alec.r.br...@oracle.com>
---
grub-core/gfxmenu/gui_image.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c
index 6b2e976f1..e619fa4ba 100644
--- a/grub-core/gfxmenu/gui_image.c
+++ b/grub-core/gfxmenu/gui_image.c
@@ -195,13 +195,16 @@ load_image (grub_gui_image_t self, const char *path)
return grub_errno;
if (self->bitmap && (self->bitmap != self->raw_bitmap))
- {
- grub_video_bitmap_destroy (self->bitmap);
- self->bitmap = 0;
- }
+ grub_video_bitmap_destroy (self->bitmap);
if (self->raw_bitmap)
grub_video_bitmap_destroy (self->raw_bitmap);
+ /*
+ * Either self->bitmap is being freed or it shares memory with
+ * self->raw_bitmap which is being freed. To ensure self->bitmap doesn't
+ * point to memory that has been freed, we can set it to NULL.
+ */
+ self->bitmap = NULL;
self->raw_bitmap = bitmap;
return rescale_image (self);
}
--
2.27.0
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
