A use-after-free read is possible in the Xz decoder cleanup.
The fix is to set the pointer to NULL after freeing it, so it is not
dereferenced or freed a second time.
Fixes https://issues.oss-fuzz.com/issues/384549094
This fix is also present in lzma-sdk version 18.01.
Ref: https://github.com/welovegit/LZMA-SDK/blame/main/C/XzDec.c#L508
@@ -343,8 +343,10 @@ void MixCoder_Free(CMixCoder *p) |
| 343 | 343 |
for (i = 0; i < p->numCoders; i++) |
| 344 | 344 |
{
|
| 345 | 345 |
IStateCoder *sc = &p->coders[i]; |
| 346 |
- if (p->alloc && sc->p) |
|
| 346 |
+ if (p->alloc && sc->p) {
|
|
| 347 | 347 |
sc->Free(sc->p, p->alloc); |
| 348 |
+ sc->p = NULL; |
|
| 349 |
+ } |
|
| 348 | 350 |
} |
| 349 | 351 |
p->numCoders = 0; |
| 350 | 352 |
if (p->buf) |
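Review bot: The opening brace on the new `if (p->alloc && sc->p) {` line sits on the same line as the condition, whereas the surrounding code in this function puts braces on their own line (see the `{` under the `for`); `if (p->alloc && sc->p)` followed by `{` on the next line would match the file's style. Clearing `sc->p` after `sc->Free` is the right defence against a later access through the same IStateCoder slot, but since `p->numCoders` is set to 0 immediately after the loop, the second free the message describes presumably arrives through a path other than a repeat MixCoder_Free call; a short comment at the reset, such as `/* clear so a later Free/Init on this slot cannot touch freed state */`, would record why the NULL matters. The body of MixCoder_Free continues past the end of the hunk.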