Index: libsepol/src/module.c =================================================================== --- libsepol/src/module.c (revision 2538) +++ libsepol/src/module.c (working copy) @@ -353,21 +353,27 @@ struct policy_file *file, size_t ** offsets, uint32_t * sections) { - uint32_t buf[3], nsec; + uint32_t *buf = NULL, nsec; unsigned i; - size_t *off; + size_t *off = NULL; int rc; + buf = malloc(sizeof(uint32_t)*3); + if (!buf) { + ERR(file->handle, "out of memory"); + goto err; + } + rc = next_entry(buf, file, sizeof(uint32_t) * 3); if (rc < 0) { ERR(file->handle, "module package header truncated"); - return -1; + goto err; } if (le32_to_cpu(buf[0]) != SEPOL_MODULE_PACKAGE_MAGIC) { ERR(file->handle, "wrong magic number for module package: expected %u, got %u", SEPOL_MODULE_PACKAGE_MAGIC, le32_to_cpu(buf[0])); - return -1; + goto err; } mod->version = le32_to_cpu(buf[1]); @@ -376,23 +382,29 @@ if (nsec > MAXSECTIONS) { ERR(file->handle, "too many sections (%u) in module package", nsec); - return -1; + goto err; } off = (size_t *) malloc((nsec + 1) * sizeof(size_t)); if (!off) { ERR(file->handle, "out of memory"); - return -1; + goto err; } - rc = next_entry(off, file, sizeof(uint32_t) * nsec); + free(buf); + buf = malloc(sizeof(uint32_t) * nsec); + if (!buf) { + ERR(file->handle, "out of memory"); + goto err; + } + rc = next_entry(buf, file, sizeof(uint32_t) * nsec); if (rc < 0) { ERR(file->handle, "module package offset array truncated"); - return -1; + goto err; } for (i = 0; i < nsec; i++) { - off[i] = le32_to_cpu(off[i]); + off[i] = le32_to_cpu(buf[i]); if (i && off[i] < off[i - 1]) { ERR(file->handle, "offsets are not increasing (at %u, " "offset %zu -> %zu", i, off[i - 1], @@ -401,10 +413,15 @@ } } - + free(buf); off[nsec] = policy_file_length(file); *offsets = off; return 0; + +err: + free(buf); + free(off); + return -1; } /* Flags for which sections have been seen during parsing of module package. */
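Review bot: Moving the fixed three-word header from `uint32_t buf[3]` to `malloc(sizeof(uint32_t)*3)` in the first hunk adds an out-of-memory failure path and an extra allocation for 12 bytes whose size is known at compile time. The stack array was not the defect here, so I would keep it under its own name, e.g. `uint32_t hdr[3];`, and reserve the heap pointer for the `nsec`-sized offset read in the next hunk. That also removes the `free(buf); buf = malloc(...)` hand-over, which is easy to get wrong in later edits. If the heap allocation stays, `malloc(3 * sizeof *buf)` ties the size to the pointer's type. The function's signature and closing brace lie outside this hunk.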
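Review bot: The `offsets are not increasing` branch inside the `for` loop appears to still end in a bare `return -1;`. That line falls in the unchanged gap between the second and third hunks, so it is not visible here. If so, it now leaks both `buf` and `off`, because the new `err:` label is the only place they are freed; it should become `goto err;` like the other failure paths. Separately, `nsec` seems to come straight from the package header and is only checked against `MAXSECTIONS`, so `malloc(sizeof(uint32_t) * nsec)` can be called with a size of zero. That call may return NULL, which would be misreported as "out of memory"; wrapping the allocation and read in `if (nsec) { ... }` avoids it.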
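Review bot: In the third hunk, `off[nsec] = policy_file_length(file);` is stored without being compared to `off[nsec - 1]`, so the increasing-order check in the loop does not cover the last section. The offsets come from the file being parsed, so a header can name a final offset beyond the end of the file. If callers derive section sizes from consecutive entries (not visible here), that difference would wrap. Since this patch already routes failures through `err:`, a check such as `if (nsec && off[nsec] < off[nsec - 1]) { ERR(file->handle, "offset greater than file size"); goto err; }` before `*offsets = off;` would close the gap. A short comment on `err:` noting that `free(NULL)` is safe would explain why `buf` and `off` are initialised to NULL.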