| author | David Woodhouse <dwmw@amazon.co.uk> | 2017-03-08 22:41:08 +0000 |
|---|---|---|
| committer | Simon Horman <horms@verge.net.au> | 2017-03-13 09:58:55 +0100 |
| commit | 0cc1891c4dc84a2cbbd1f126134ce51538f260dc (patch) | |
| tree | 31cb8d94c6dabfeca7c7031b470e93691a2461f9 | |
| parent | ed15ba1b9977e506637ff1697821d97127b2c919 (diff) | |
uImage: fix realloc() pointer confusion
We carefully avoid the realloc() API trap by *not* using the
'ptr = realloc(ptr, new_size)' idiom which can lead to leaks on
failure. Very commendable, even though all we're going to do is
exit() on failure so it wouldn't have mattered.
What *does* matter is that we then ask zlib to continue
decompression... just past the end of the *old* buffer that just
got freed. Oops.
Apparently nobody has *ever* tested this code by booting a uImage
with a compressed payload larger than 10MiB.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Simon Horman <horms@verge.net.au>
-rw-r--r-- | kexec/kexec-uImage.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c index 5e24629..667cd93 100644 --- a/kexec/kexec-uImage.c +++ b/kexec/kexec-uImage.c @@ -210,9 +210,9 @@ static int uImage_gz_load(const unsigned char *buf, off_t len, return -1; } + uncomp_buf = new_buf; strm.next_out = uncomp_buf + mem_alloc - inc_buf; strm.avail_out = inc_buf; - uncomp_buf = new_buf; } else { printf("Error during decompression %d\n", ret); return -1; |
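Review bot: The reordering is correct (the old `uncomp_buf` is invalid once `realloc()` has returned `new_buf`, so `strm.next_out` must be computed from `new_buf`), but add a one-line comment above the moved `uncomp_buf = new_buf;` saying that `next_out` has to be derived from the new buffer because the old one may already be freed; without it a later tidy-up can silently reintroduce the use-after-free that zlib then writes into. Also note that `strm.next_out = uncomp_buf + mem_alloc - inc_buf;` only yields the write position at the end of the old data if `mem_alloc` was already grown by `inc_buf` before this point, which is outside the hunk; worth confirming in the same function while the code is being touched. Finally, since the commit message says this path is only reached with a compressed payload over 10MiB, a regression check that decompresses a uImage payload large enough to force at least one `realloc()` (ideally run under ASan or valgrind, which would have flagged the stale `next_out` immediately) would keep this from regressing unnoticed.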