Fix double-free bug in common/zlib.c. DOES NOT FIX pppdump's copy, though.

2024-11-23 10:23:26 +08:00 · 2002-04-02 13:34:03 +00:00 · 2002-04-02 13:34:03 +00:00 · 2ddcabd59d
commit 2ddcabd59d
parent da44517ffe
1 changed files with 8 additions and 5 deletions
--- a/common/zlib.c
+++ b/common/zlib.c
@ -10,7 +10,7 @@
 * - added inflateIncomp and deflateOutputPending
 * - allow strm->next_out to be NULL, meaning discard the output
 *
- * $Id: zlib.c,v 1.11 1998/09/13 23:37:12 paulus Exp $
+ * $Id: zlib.c,v 1.12 2002/04/02 13:34:03 dfs Exp $
 */

 /* 
@ -3861,10 +3861,11 @@ int r;
                             &s->sub.trees.tb, z);
      if (t != Z_OK)
      {
-        ZFREE(z, s->sub.trees.blens);
        r = t;
-        if (r == Z_DATA_ERROR)
+        if (r == Z_DATA_ERROR) {
          s->mode = BADB;
+          ZFREE(z, s->sub.trees.blens);
+        }
        LEAVE
      }
      s->sub.trees.index = 0;
@ -3929,14 +3930,16 @@ int r;
 #endif
        t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                  s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
        if (t != Z_OK)
        {
-          if (t == (uInt)Z_DATA_ERROR)
+          if (t == (uInt)Z_DATA_ERROR) {
            s->mode = BADB;
+            ZFREE(z, s->sub.trees.blens);
+          }
          r = t;
          LEAVE
        }
+        ZFREE(z, s->sub.trees.blens);
        Tracev((stderr, "inflate:       trees ok, %d * %d bytes used\n",
              inflate_hufts, sizeof(inflate_huft)));
        if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)