From 2ddcabd59d372be3f66c42ed9df15ca7a474ac2a Mon Sep 17 00:00:00 2001
From: "David F. Skoll"
Date: Tue, 2 Apr 2002 13:34:03 +0000
Subject: [PATCH] Fix double-free bug in common/zlib.c. DOES NOT FIX pppdump's copy, though.

---
 common/zlib.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/common/zlib.c b/common/zlib.c
index 2c4834b..58c7939 100644
--- a/common/zlib.c
+++ b/common/zlib.c
@@ -10,7 +10,7 @@
 * - added inflateIncomp and deflateOutputPending
 * - allow strm->next_out to be NULL, meaning discard the output
 *
- * $Id: zlib.c,v 1.11 1998/09/13 23:37:12 paulus Exp $
+ * $Id: zlib.c,v 1.12 2002/04/02 13:34:03 dfs Exp $
 */

 /*
@@ -3861,10 +3861,11 @@ int r;
 &s->sub.trees.tb, z);
 if (t != Z_OK)
 {
- ZFREE(z, s->sub.trees.blens);
 r = t;
- if (r == Z_DATA_ERROR)
+ if (r == Z_DATA_ERROR) {
 s->mode = BADB;
+ ZFREE(z, s->sub.trees.blens);
+ }
 LEAVE
 }
 s->sub.trees.index = 0;
@@ -3929,14 +3930,16 @@ int r;
 #endif
 t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
 s->sub.trees.blens, &bl, &bd, &tl, &td, z);
- ZFREE(z, s->sub.trees.blens);
 if (t != Z_OK)
 {
- if (t == (uInt)Z_DATA_ERROR)
+ if (t == (uInt)Z_DATA_ERROR) {
 s->mode = BADB;
+ ZFREE(z, s->sub.trees.blens);
+ }
 r = t;
 LEAVE
 }
+ ZFREE(z, s->sub.trees.blens);
 Tracev((stderr, "inflate: trees ok, %d * %d bytes used\n",
 inflate_hufts, sizeof(inflate_huft)));
 if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)
--
2.39.2
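Review bot: In the hunk at line 3861, the new `ZFREE(z, s->sub.trees.blens);` is safe only while it stays paired with `s->mode = BADB;`, and nothing in the code records that. On any other non-`Z_OK` result the buffer is now left allocated with the mode unchanged, so it is presumably released by a reset or teardown path that keys on the mode; that path is outside the hunk and should be confirmed. I would add a comment above the `if`, for example `/* free blens only when the mode leaves the trees state; otherwise the reset path still owns it */`, so a later edit does not reintroduce the double free. The enclosing function starts and ends outside the hunk.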
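Review bot: In the hunk at line 3929, the success-path `ZFREE(z, s->sub.trees.blens);` still runs before the `inflate_codes_new()` check, whose failure branch begins on the last line of the hunk and continues outside it. If that branch leaves with the mode unchanged, as the non-data-error exit above it does, `blens` is already freed while the state still appears to own it, which is the same double-free pattern this commit removes. Moving that `ZFREE` to after the `inflate_codes_new` check, next to where the mode advances, would close the gap. Verify this against the lines below the hunk before relying on it.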