Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_core / c6c6f30beb4d3800de01e19ca14ab2aa316f9562^1..c6c6f30beb4d3800de01e19ca14ab2aa316f9562 / .
commitc6c6f30beb4d3800de01e19ca14ab2aa316f9562[log] [tgz]
authorEric Biggers <ebiggers@google.com>Fri Mar 24 01:18:39 2023 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Fri Mar 24 01:18:39 2023 +0000
tree42d0fab2eafe2abdd01cb108e5d5d7aa73ac0452
parentf9bfa851c2c614110b202858d46c33fef2621e82 [diff]
parentaa70ac106ac8e84e85b5410e3e4bfebcb4375246 [diff]
Merge "libsparse: fix double free after block splitting" am: aa70ac106a

Original change: https://android-review.googlesource.com/c/platform/system/core/+/2506666

Change-Id: Ib71ec037449820efff80d112dcbbcf84a2ef38e2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/libsparse/backed_block.cpp b/libsparse/backed_block.cpp
index 6229e7c..a0d1cde 100644
--- a/libsparse/backed_block.cpp
+++ b/libsparse/backed_block.cpp

@@ -315,6 +315,10 @@
   bb->len = len;
   bb->type = BACKED_BLOCK_FILE;
   bb->file.filename = strdup(filename);
+  if (!bb->file.filename) {
+    free(bb);
+    return -ENOMEM;
+  }
   bb->file.offset = offset;
   bb->next = nullptr;
 
@@ -359,14 +363,17 @@
   new_bb->len = bb->len - max_len;
   new_bb->block = bb->block + max_len / bbl->block_size;
   new_bb->next = bb->next;
-  bb->next = new_bb;
-  bb->len = max_len;
 
   switch (bb->type) {
     case BACKED_BLOCK_DATA:
       new_bb->data.data = (char*)bb->data.data + max_len;
       break;
     case BACKED_BLOCK_FILE:
+      new_bb->file.filename = strdup(bb->file.filename);
+      if (!new_bb->file.filename) {
+        free(new_bb);
+        return -ENOMEM;
+      }
       new_bb->file.offset += max_len;
       break;
     case BACKED_BLOCK_FD:
@@ -376,5 +383,7 @@
       break;
   }
 
+  bb->next = new_bb;
+  bb->len = max_len;
   return 0;
 }