From 8e4cdd221034aa260def15874e8f99262eb77930 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Sat, 27 Jan 2018 16:46:59 +0100
Subject: [PATCH] fiptool: Fix use after free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 880b9e8b4c99ad99eee14079d5a6162733ef4931 (Add padding at the end
of the last entry) added code using toc_entry pointer, whose memory is
already freed via variable buf. This causes enormous padding on openSUSE.

Free the memory buffer only after padding is done.

Signed-off-by: Andreas Färber <afaerber@suse.de>
---
 tools/fiptool/fiptool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/fiptool/fiptool.c b/tools/fiptool/fiptool.c
index 33c451e4e..e70ff364b 100644
--- a/tools/fiptool/fiptool.c
+++ b/tools/fiptool/fiptool.c
@@ -543,7 +543,6 @@ static int pack_images(const char *filename, uint64_t toc_flags, unsigned long a
 		log_dbgx("Metadata size: %zu bytes", buf_size);
 
 	xfwrite(buf, buf_size, fp, filename);
-	free(buf);
 
 	if (verbose)
 		log_dbgx("Payload size: %zu bytes", payload_size);
@@ -566,6 +565,7 @@ static int pack_images(const char *filename, uint64_t toc_flags, unsigned long a
 	while (pad_size--)
 		fputc(0x0, fp);
 
+	free(buf);
 	fclose(fp);
 	return 0;
 }
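Review bot: The relocated `free(buf);` fixes the dangling read, but nothing in the code now records why buf must outlive the padding computation, so a later refactor can reintroduce the same use-after-free; suggest a comment directly above the new line, `/* toc_entry points into buf: free it only after pad_size has been computed */`. The lines between the two hunks (roughly 554–565 on the new side) are not shown; if any of them return early on an error, buf now leaks on that path where the old placement freed it, so each such return would need a `free(buf);` before it (or a single cleanup label). pack_images starts outside the hunk.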
-- 
GitLab