From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Mon, 14 Apr 2025 13:19:24 +0000 (+0200)
Subject: fs/squashfs: avoid illegal free() in sqfs_opendir()
X-Git-Tag: v2025.07-rc1~43
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=185fdf5e94731df05748b1c576effb52ff7a3ec5;p=pandora-u-boot.git

fs/squashfs: avoid illegal free() in sqfs_opendir()

* Use calloc() to allocate token_list. This avoids an illegal free if
  sqfs_tokenize() fails.
* Do not iterate over token_list if it has not been allocated.

Addresses-Coverity-ID: 510453:  Null pointer dereferences  (FORWARD_NULL)
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
---

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 7c364686f14..2dcdd60f683 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -949,7 +949,7 @@ static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
 		goto out;
 	}
 
-	token_list = malloc(token_count * sizeof(char *));
+	token_list = calloc(token_count, sizeof(char *));
 	if (!token_list) {
 		ret = -EINVAL;
 		goto out;
@@ -987,9 +987,11 @@ static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
 	*dirsp = (struct fs_dir_stream *)dirs;
 
 out:
-	for (j = 0; j < token_count; j++)
-		free(token_list[j]);
-	free(token_list);
+	if (token_list) {
+		for (j = 0; j < token_count; j++)
+			free(token_list[j]);
+		free(token_list);
+	}
 	free(pos_list);
 	free(path);
 	if (ret) {