From 402dfd533d4faec8705eacb2eb6490b6bab846a7 Mon Sep 17 00:00:00 2001 From: "dveditz%netscape.com" Date: Sun, 3 Mar 2002 06:32:46 +0000 Subject: [PATCH] fix zlib double-free crash (bug 126898) contributed by mjc@redhat.com, r=dveditz, sr=shaver, a=asa git-svn-id: svn://10.0.0.236/trunk@115667 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/modules/zlib/src/infblock.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/mozilla/modules/zlib/src/infblock.c b/mozilla/modules/zlib/src/infblock.c index f4920faa5ea..b1fcbeea2f5 100644 --- a/mozilla/modules/zlib/src/infblock.c +++ b/mozilla/modules/zlib/src/infblock.c @@ -249,10 +249,12 @@ int r; &s->sub.trees.tb, s->hufts, z); if (t != Z_OK) { - ZFREE(z, s->sub.trees.blens); r = t; if (r == Z_DATA_ERROR) + { + ZFREE(z, s->sub.trees.blens); s->mode = BAD; + } LEAVE } s->sub.trees.index = 0; @@ -313,14 +315,17 @@ int r; t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f), s->sub.trees.blens, &bl, &bd, &tl, &td, s->hufts, z); - ZFREE(z, s->sub.trees.blens); if (t != Z_OK) { if (t == (uInt)Z_DATA_ERROR) + { + ZFREE(z, s->sub.trees.blens); s->mode = BAD; + } r = t; LEAVE } + ZFREE(z, s->sub.trees.blens); Tracev((stderr, "inflate: trees ok\n")); if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL) {