Fix double free in Cu6mPlayer::~Cu6mPlayer() (issue adplug#91)

Leave deallocation of song_data to destructor when decompression fails, just like on success. This fixes CVE-2019-15151. Even though load() is apparently not supposed to be called twice (and bad things happen in many players if you do), let's also avoid leaking song_data's memory in that case. Fixes: adplug#91
miller-alex · Mar 24, 2020 · 8abb932 · 8abb932
1 parent 8f0e614
commit 8abb932
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/src/u6m.cpp b/src/u6m.cpp
@@ -66,6 +66,7 @@ bool Cu6mPlayer::load(const std::string &filename, const CFileProvider &fp)
     }
 
   // load section
+  delete[] song_data;
   song_data = new unsigned char[decompressed_filesize];
   unsigned char* compressed_song_data = new unsigned char[filesize-3];
 
@@ -74,7 +75,6 @@ bool Cu6mPlayer::load(const std::string &filename, const CFileProvider &fp)
   fp.close(f);
 
   // attempt to decompress the song data
-  // if unsuccessful, deallocate song_data[] on the spot, and return(false)
   data_block source, destination;
   source.size = filesize-4;
   source.data = compressed_song_data;
@@ -84,7 +84,6 @@ bool Cu6mPlayer::load(const std::string &filename, const CFileProvider &fp)
   if (!lzw_decompress(source,destination))
     {
       delete[] compressed_song_data;
-      delete[] song_data;
       return(false);
     }