authorGravatar Nikias Bassen2017-04-07 15:04:46 +0200
committerGravatar Nikias Bassen2017-04-07 15:04:46 +0200
commit1f3aff87554ccb365da6b3755fa5bc6f43a255e8 (patch)
tree8c6716332362a18040fbe6ee9d60318fa9c98bb4
parent8a75d318450704fc547188018eb2afd38b8a6e45 (diff)
restore: Fix a use-after-free
Also fixing the string length of the affected strncmp. Credit to Mällon Lobjakas
-rw-r--r--src/restore.c5
1 files changed, 3 insertions, 2 deletions
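diff --git a/src/restore.c b/src/restore.c
index d06eba9..18fc1e9 100644
--- a/src/restore.c
+++ b/src/restore.c
@@ -1037,9 +1037,9 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t*
 error("ERROR: Unable to extract component: %s\n", component);
 return -1;
 }
-free(comppath);
 if (personalize_component(component, component_data, component_size, client->tss, &nor_data, &nor_size) < 0) {
+free(comppath);
 free(component_data);
 plist_free(firmware_files);
 error("ERROR: Unable to get personalized component: %s\n", component);
@@ -1050,12 +1050,13 @@ int restore_send_nor(restored_client_t restore, struct idevicerestore_client_t*
 component_size = 0;
 /* make sure iBoot is the first entry in the array */
-if (!strncmp("iBoot", filename, 4)) {
+if (!strncmp("iBoot", filename, 5)) {
 plist_array_insert_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size), 0);
 } else {
 plist_array_append_item(norimage_array, plist_new_data((char*)nor_data, (uint64_t)nor_size));
 }
+free(comppath);
 free(nor_data);
 nor_data = NULL;
 nor_size = 0;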
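Review bot: The error path in the first hunk still reads `component` in the `error(...)` call after the added `free(comppath)`; if `component` points into the buffer owned by `comppath` — the aliasing the original use-after-free implies — that log line reads freed memory. Releasing after the log call closes it: keep `error("ERROR: Unable to get personalized component: %s\n", component);` where it is and move `free(comppath);` to the line after it. The same ordering question applies to the `free(comppath)` in the second hunk if `component` or `filename` is used later in the loop body, which continues outside the hunk. The extract-failure `return -1` at the top of the first hunk does not release `comppath` within the visible lines; worth confirming it is freed before that point, since in the pre-change code the only free came after the block. restore_send_nor starts and ends outside both hunks.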