When an invalid node size is detected in grub_hfsplus_mount(), the data pointer is freed. Thus, file->data is not set. The code should also set the grub error when that happens to indicate an error and to avoid accessing the uninitialized file->data in grub_file_close().
Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
---
 grub-core/fs/hfsplus.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 9c1f12574..cf13e8a63 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -357,7 +357,10 @@ grub_hfsplus_mount (grub_disk_t disk)
 (header.key_compare == GRUB_HFSPLUSX_BINARYCOMPARE));
 if (data->catalog_tree.nodesize < 2)
- goto fail;
+ {
+ grub_error (GRUB_ERR_BAD_FS, "invalid catalog node size");
+ goto fail;
+ }
 if (grub_hfsplus_read_file (&data->extoverflow_tree.file, 0, 0,
 sizeof (struct grub_hfsplus_btnode),
@@ -374,7 +377,10 @@ grub_hfsplus_mount (grub_disk_t disk)
 data->extoverflow_tree.nodesize = grub_be_to_cpu16 (header.nodesize);
 if (data->extoverflow_tree.nodesize < 2)
- goto fail;
+ {
+ grub_error (GRUB_ERR_BAD_FS, "invalid extents overflow node size");
+ goto fail;
+ }
 data->extoverflow_tree_ready = 1;
-- 
2.39.1
_______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
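Review bot: Both added `grub_error()` calls repair only these two exits, so the guarantee that a failed grub_hfsplus_mount() leaves grub_errno set still depends on every other `goto fail` in the function; the `fail:` label and those other paths lie outside the hunks and should be checked. A fallback at the label, for example `if (grub_errno == GRUB_ERR_NONE) grub_error (GRUB_ERR_BAD_FS, "invalid HFS+ filesystem");`, would stop a future early exit from again returning success to the caller while file->data is unset. Separately, `nodesize < 2` rejects only 0 and 1 in both the catalog and extents-overflow checks. If later B-tree code assumes a node holds at least a `struct grub_hfsplus_btnode`, a crafted image with a slightly larger value would presumably pass, so the bound deserves a comment explaining why 2 is sufficient, or a comparison against the header size.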