In the function free_subchunk(), after checking that subchu->post isn't NULL, grub_memset() is called on subchu->pre->freebytes but it should be called on subchu->post->freebytes. If subchu->pre is NULL but subchu->post isn't NULL, then this could lead to a NULL pointer dereference.
Fixes: CID 473882 Signed-off-by: Vladimir Serbinenko <[email protected]> Signed-off-by: Alec Brown <[email protected]> --- grub-core/lib/relocator.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c index 1e1e09704..37da0c6db 100644 --- a/grub-core/lib/relocator.c +++ b/grub-core/lib/relocator.c @@ -398,9 +398,9 @@ free_subchunk (const struct grub_relocator_subchunk *subchu) if (subchu->post) { int off = subchu->start + subchu->size - fend; - grub_memset (subchu->pre->freebytes, - 0xff, sizeof (subchu->pre->freebytes) - off / 8); - subchu->pre->freebytes[off / 8] |= ((1 << (8 - (off % 8))) - 1); + grub_memset (subchu->post->freebytes, + 0xff, sizeof (subchu->post->freebytes) - off / 8 - 1); + subchu->post->freebytes[sizeof (subchu->post->freebytes) - off / 8 - 1] |= ((1 << (8 - (off % 8))) - 1); check_leftover (subchu->post); } #endif -- 2.27.0 _______________________________________________ Grub-devel mailing list [email protected] https://lists.gnu.org/mailman/listinfo/grub-devel
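Review bot: the `if (subchu->post)` hunk changes more than the commit message describes: besides swapping `subchu->pre` for `subchu->post` (the NULL-dereference fix the message explains), it also shortens the memset length from `sizeof (subchu->pre->freebytes) - off / 8` to `sizeof (subchu->post->freebytes) - off / 8 - 1` and moves the partially-free byte from index `off / 8` to `sizeof (subchu->post->freebytes) - off / 8 - 1`, i.e. the post chunk's bitmap is now filled from its end rather than its start. That indexing change is a behavioural fix in its own right and should either be explained in the commit message (why the post bitmap is counted from the end, and why the old `off / 8` index was wrong) or split into a separate patch, so a reader of the log does not take this for a pure NULL-check fix. Two things to confirm while touching it: with `off % 8 == 0` the mask `(1 << 8) - 1` is 0xff, so the byte at the new index is set in full, which together with the one-byte-shorter memset gives exactly `sizeof (...) - off / 8` fully free bytes, consistent with the old memset length; but if `off / 8` can ever reach `sizeof (subchu->post->freebytes)`, the index becomes -1 and the memset length underflows, so the hunk relies on `off` being strictly less than `8 * sizeof (subchu->post->freebytes)`, which is worth stating or asserting.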
