Currently pmenu_item_setup may free its item parameter on error.
This makes it non-obvious whether the item is still allocated on exit to
the caller.
Instead, this change removes the talloc_free, and requires that the
caller do this on error. This makes the potential use-after-free in
cui_boot_editor_on_exit obvious, so we fix that too.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
item->data = cod = talloc_zero(item, struct cui_opt_data);
cod->name = talloc_asprintf(cod, "User item %u:", insert_pt);
item->data = cod = talloc_zero(item, struct cui_opt_data);
cod->name = talloc_asprintf(cod, "User item %u:", insert_pt);
- pmenu_item_setup(menu, item, insert_pt,
- talloc_strdup(item, cod->name));
+ if (pmenu_item_setup(menu, item, insert_pt,
+ talloc_strdup(item, cod->name)) == NULL) {
+ talloc_free(item);
+ item = NULL;
+ }
/* Re-attach the items array. */
set_menu_items(menu->ncm, menu->items);
/* Re-attach the items array. */
set_menu_items(menu->ncm, menu->items);
cod->bd = talloc_steal(cod, bd);
cod->bd = talloc_steal(cod, bd);
- set_current_item(item->pmenu->ncm, item->nci);
+ if (item)
+ set_current_item(item->pmenu->ncm, item->nci);
cui_set_current(cui, &cui->main->scr);
talloc_free(cui->boot_editor);
cui->boot_editor = NULL;
cui_set_current(cui, &cui->main->scr);
talloc_free(cui->boot_editor);
cui->boot_editor = NULL;
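Review bot: The new failure branch after `pmenu_item_setup` frees `item`, but `cod` was allocated as its talloc child (`talloc_zero(item, struct cui_opt_data)`) and is released with it, so `cod` is left dangling. If the later `cod->bd = talloc_steal(cod, bd);` runs on that path, it writes through freed memory and reparents `bd` under a freed context; the added `if (item)` guard only protects the `set_current_item` call. Whether both statements sit on the same path cannot be confirmed here, because the enclosing function starts and ends outside these hunks. Consider adding `cod = NULL;` next to `item = NULL;` and guarding the steal with `if (cod)`, and state in a comment who owns `bd` when the item could not be created.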
i->pmenu = menu;
i->nci = new_item(name, NULL);
i->pmenu = menu;
i->nci = new_item(name, NULL);
- if (!i->nci) {
- talloc_free(i);
set_item_userptr(i->nci, i);
set_item_userptr(i->nci, i);
static inline struct pmenu_item *pmenu_item_init(struct pmenu *menu,
unsigned int index, const char *name)
{
static inline struct pmenu_item *pmenu_item_init(struct pmenu *menu,
unsigned int index, const char *name)
{
- return pmenu_item_setup(menu, pmenu_item_alloc(menu), index, name);
+ struct pmenu_item *item = pmenu_item_alloc(menu);
+
+ if (pmenu_item_setup(menu, item, index, name)) {
+ talloc_free(item);
+ item = NULL;
+ }
+
+ return item;
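Review bot: The condition in `pmenu_item_init` looks inverted. The caller in the cui hunk treats a NULL return from `pmenu_item_setup` as failure, yet here a non-NULL (successful) result frees `item` and returns NULL, while a failed setup hands back the partly initialised item. The test should read `if (!pmenu_item_setup(menu, item, index, name)) {`. Separately, the result of `pmenu_item_alloc(menu)` is passed on unchecked and the setup hunk writes `i->pmenu = menu` through it, so an `if (!item) return NULL;` before the call would avoid a NULL dereference if allocation can fail. The function's closing brace is not among the visible lines.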