author | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2020-02-01 18:40:45 +0200 |
---|---|---|
committer | Petteri Aimonen <jpa@git.mail.kapsi.fi> | 2020-02-01 19:18:00 +0200 |
commit | aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2 (patch) | |
tree | b669cb9f3851ee0b563b3ca2d5d0b10db9464e19 | |
parent | ced3bb2478b018ad463143c272a4e6315e265fef (diff) | |
download | nanopb-c-aa9d0d1ca78d6adec3adfeecf3a706c7f9df81f2.tar.gz |
Fix invalid free() after failed realloc() (GHSA-gcx3-7m76-287p)
-rw-r--r-- | pb_decode.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/pb_decode.c b/pb_decode.c
index 5195f88..df8873e 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -655,11 +655,11 @@ static bool checkreturn decode_pointer_field(pb_istream_t *stream, pb_wire_type_
 if (*size == PB_SIZE_MAX)
 PB_RETURN_ERROR(stream, "too many array entries");
- (*size)++;
- if (!allocate_field(stream, iter->pData, iter->pos->data_size, *size))
+ if (!allocate_field(stream, iter->pData, iter->pos->data_size, (size_t)(*size + 1)))
 return false;
- pItem = *(char**)iter->pData + iter->pos->data_size * (*size - 1);
+ pItem = *(char**)iter->pData + iter->pos->data_size * (*size);
+ (*size)++;
 initialize_pointer_field(pItem, iter);
 return func(stream, iter->pos, pItem);
 } |
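Review bot: The position of `(*size)++` after the allocate_field() call is now what keeps the element count from exceeding the number of allocated entries when the allocation fails, but nothing in the new lines says so, and a later cleanup could move the increment back in front of the call. I would add a comment directly above the increment, for example `/* Increment only after allocate_field() succeeds, so a failed realloc() leaves the count equal to the number of allocated entries. */`. The diffstat lists only pb_decode.c, so presumably no regression test with a failing allocator accompanies the fix; one that decodes a repeated pointer field while the allocator fails on a later entry would pin this behaviour. decode_pointer_field starts and ends outside this hunk, so how the release path consumes the count is inferred from the commit title rather than visible here.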