From 0cc1891c4dc84a2cbbd1f126134ce51538f260dc Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Wed, 8 Mar 2017 22:41:08 +0000 Subject: [PATCH 22/45] uImage: fix realloc() pointer confusion We carefully avoid the realloc() API trap by *not* using the 'ptr = realloc(ptr, new_size)' idiom which can lead to leaks on failure. Very commendable, even though all we're going to do is exit() on failure so it wouldn't have mattered. What *does* matter is that we then ask zlib to continue decompression... just past the end of the *old* buffer that just got freed. Oops. Apparently nobody has *ever* tested this code by booting a uImage with a compressed payload larger than 10MiB. Signed-off-by: David Woodhouse Signed-off-by: Simon Horman --- kexec/kexec-uImage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kexec/kexec-uImage.c b/kexec/kexec-uImage.c index 5e24629880bc..667cd932fd27 100644 --- a/kexec/kexec-uImage.c +++ b/kexec/kexec-uImage.c @@ -210,9 +210,9 @@ static int uImage_gz_load(const unsigned char *buf, off_t len, return -1; } + uncomp_buf = new_buf; strm.next_out = uncomp_buf + mem_alloc - inc_buf; strm.avail_out = inc_buf; - uncomp_buf = new_buf; } else { printf("Error during decompression %d\n", ret); return -1; -- 2.13.0
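Review bot: the reordering in this hunk is the right fix: once realloc() has succeeded the old `uncomp_buf` may already be freed, so `strm.next_out = uncomp_buf + mem_alloc - inc_buf;` must be evaluated only after `uncomp_buf = new_buf;`, which is exactly what moving the assignment above the pointer arithmetic does. Two things a reviewer would still want: first, the expression relies on `mem_alloc` already reflecting the enlarged size at this point (that update is outside the hunk, so please confirm it happens before the realloc rather than after); second, since the commit message says this path was never exercised, it would be worth adding a regression test that boots a uImage whose compressed payload exceeds the 10MiB initial buffer so the grow-and-continue branch is covered rather than relying on exit() to hide the defect.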