avb_replace() promises NULL on OOM. Once it had built the first replacement, a later allocation failure returned that partial buffer. Callers treat any result as success, so AVB could keep booting with truncated bootargs.
Free the partial result and return NULL. The existing callers can then take their OOM path.
Signed-off-by: Josh Law <[email protected]>
---
 lib/libavb/avb_util.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/libavb/avb_util.c b/lib/libavb/avb_util.c
index 8719ede15a7..9e2e6ea3495 100644
--- a/lib/libavb/avb_util.c
+++ b/lib/libavb/avb_util.c
@@ -272,7 +272,7 @@ char* avb_replace(const char* str, const char* search, const char* replace) {
 num_new = num_before + replace_len + 1;
 ret = avb_malloc(num_new);
 if (ret == NULL) {
- goto out;
+ goto fail;
 }
 avb_memcpy(ret, str, num_before);
 avb_memcpy(ret + num_before, replace, replace_len);
@@ -283,7 +283,7 @@ char* avb_replace(const char* str, const char* search, const char* replace) {
 num_new = ret_len + num_before + replace_len + 1;
 new_str = avb_malloc(num_new);
 if (new_str == NULL) {
- goto out;
+ goto fail;
 }
 avb_memcpy(new_str, ret, ret_len);
 avb_memcpy(new_str + ret_len, str, num_before);
@@ -308,7 +308,7 @@ char* avb_replace(const char* str, const char* search, const char* replace) {
 size_t num_new = ret_len + num_remaining + 1;
 char* new_str = avb_malloc(num_new);
 if (new_str == NULL) {
- goto out;
+ goto fail;
 }
 avb_memcpy(new_str, ret, ret_len);
 avb_memcpy(new_str + ret_len, str_after_last_replace, num_remaining);
@@ -320,6 +320,10 @@ char* avb_replace(const char* str, const char* search, const char* replace) {

 out:
 return ret;
+
+fail:
+ avb_free(ret);
+ return NULL;
 }

 /* We only support a limited amount of strings in avb_strdupv(). */
-- 
2.47.3
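Review bot: In the first hunk the jump to `fail` is taken while `ret` is still NULL, because the failed `avb_malloc()` result was just assigned to it, so the new error path ends up calling `avb_free(NULL)`. The definition of `avb_free` is not on this page; if the platform implementation is not guaranteed to accept NULL, either leave `goto out;` at this one site or write the label body as `if (ret != NULL) avb_free(ret);`. The second and third hunks jump with a live `ret` and do need the free. The body of avb_replace starts before and continues past each of these hunks.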
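Review bot: The new `fail:` label in the last hunk carries no comment saying why the partial buffer must not be returned, which is the whole point of the fix. I would add `/* OOM after a partial replacement: free it and return NULL so callers never use a truncated string. */` directly above `avb_free(ret);`. Only the tail of avb_replace is visible here, so I cannot tell whether any `goto out` remains; if none does, the `out:` label is now unused and can be dropped in favour of a plain `return ret;`.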

