Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)

author: Petteri Aimonen <jpa@git.mail.kapsi.fi> 2020-02-01 18:40:45 +0200
committer: Petteri Aimonen <jpa@git.mail.kapsi.fi> 2020-02-01 19:18:00 +0200
commit: aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2 (patch)
tree: b669cb9f3851ee0b563b3ca2d5d0b10db9464e19
parent: ced3bb2478b018ad463143c272a4e6315e265fef (diff)
download: nanopb-c-aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/pb_decode.c b/pb_decode.c
index 5195f88..df8873e 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -655,11 +655,11 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_
                 if (*size == PB_SIZE_MAX)
                     PB_RETURN_ERROR(stream, "too many array entries");
                 
-                (*size)++;
-                if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))
+                if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))
                     return false;
             
-                pItem = *(char**)iter->pData + iter->pos->data_size * (*size - 1);
+                pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
+                (*size)++;
                 initialize_pointer_field(pItem, iter);
                 return func(stream, iter->pos, pItem);
             }
author	Petteri Aimonen <jpa@git.mail.kapsi.fi>	2020-02-01 18:40:45 +0200
committer	Petteri Aimonen <jpa@git.mail.kapsi.fi>	2020-02-01 19:18:00 +0200
commit	aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2 (patch)
tree	b669cb9f3851ee0b563b3ca2d5d0b10db9464e19
parent	ced3bb2478b018ad463143c272a4e6315e265fef (diff)
download	nanopb-c-aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2.tar.gz