diff options
author | Nikias Bassen | 2017-04-07 15:04:46 +0200 |
---|---|---|
committer | Nikias Bassen | 2017-04-07 15:04:46 +0200 |
commit | 1f3aff87554ccb365da6b3755fa5bc6f43a255e8 (patch) | |
tree | 8c6716332362a18040fbe6ee9d60318fa9c98bb4 /src/restore.c | |
parent | 8a75d318450704fc547188018eb2afd38b8a6e45 (diff) | |
download | idevicerestore-1f3aff87554ccb365da6b3755fa5bc6f43a255e8.tar.gz idevicerestore-1f3aff87554ccb365da6b3755fa5bc6f43a255e8.tar.bz2 |
restore: Fix a use-after-free
Also fixing the string length of the affected strncmp.
Credit to Mällon Lobjakas
Diffstat (limited to 'src/restore.c')
-rw-r--r-- | src/restore.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/restore.c b/src/restore.c index d06eba9..18fc1e9 100644 --- a/src/restore.c +++ b/src/restore.c @@ -1037,9 +1037,9 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t* error("ERROR: Unable to extract component: %s\n", component); return -1; } - free(comppath); if (personalize_component(component, component_data, component_size, client->tss, &nor_data, &nor_size) < 0) { + free(comppath); free(component_data); plist_free(firmware_files); error("ERROR: Unable to get personalized component: %s\n", component); @@ -1050,12 +1050,13 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t* component_size = 0; /* make sure iBoot is the first entry in the array */ - if (!strncmp("iBoot", filename, 4)) { + if (!strncmp("iBoot", filename, 5)) { plist_array_insert_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size), 0); } else { plist_array_append_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size)); } + free(comppath); free(nor_data); nor_data = NULL; nor_size = 0; |