Fix double-free bug in common/zlib.c. DOES NOT FIX pppdump's copy, though.

1 files changed, 8 insertions, 5 deletions

diff --git a/common/zlib.c b/common/zlib.c
index 2c4834b..58c7939 100644
--- a/common/zlib.c
+++ b/common/zlib.c
@@ -10,7 +10,7 @@
  * - added inflateIncomp and deflateOutputPending
  * - allow strm->next_out to be NULL, meaning discard the output
  *
- * $Id: zlib.c,v 1.11 1998/09/13 23:37:12 paulus Exp $
+ * $Id: zlib.c,v 1.12 2002/04/02 13:34:03 dfs Exp $
  */
 
 /* 
@@ -3861,10 +3861,11 @@ int r;
                              &s->sub.trees.tb, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
-        if (r == Z_DATA_ERROR)
+        if (r == Z_DATA_ERROR) {
           s->mode = BADB;
+          ZFREE(z, s->sub.trees.blens);
+        }
         LEAVE
       }
       s->sub.trees.index = 0;
@@ -3929,14 +3930,16 @@ int r;
 #endif
         t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) & 0x1f),
                                   s->sub.trees.blens, &bl, &bd, &tl, &td, z);
-        ZFREE(z, s->sub.trees.blens);
         if (t != Z_OK)
         {
-          if (t == (uInt)Z_DATA_ERROR)
+          if (t == (uInt)Z_DATA_ERROR) {
             s->mode = BADB;
+            ZFREE(z, s->sub.trees.blens);
+          }
           r = t;
           LEAVE
         }
+        ZFREE(z, s->sub.trees.blens);
         Tracev((stderr, "inflate:       trees ok, %d * %d bytes used\n",
               inflate_hufts, sizeof(inflate_huft)));
         if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)