bsd_user: Fix potential null pointer dereference

This bug was spotted by cppcheck.

Using g_try_malloc0 (as does the linux-user code) fixes this.

v2:
Use g_free in bsdload.c, too. Thanks to Peter Maydell for this hint.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Blue Swirl <blauwirbel@gmail.com>

2 files changed, 3 insertions, 4 deletions

diff --git a/bsd-user/bsdload.c b/bsd-user/bsdload.c
index 6d9bb6fb4e..2abc7136e0 100644
--- a/bsd-user/bsdload.c
+++ b/bsd-user/bsdload.c
@@ -196,7 +196,7 @@ int loader_exec(const char * filename, char ** argv, char ** envp,
 
     /* Something went wrong, return the inode and free the argument pages*/
     for (i=0 ; i<MAX_ARG_PAGES ; i++) {
-        free(bprm.page[i]);
+        g_free(bprm.page[i]);
     }
     return(retval);
 }
diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c
index 1ef1f972fc..12888840a4 100644
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@@ -641,8 +641,7 @@ static abi_ulong copy_elf_strings(int argc,char ** argv, void **page,
                 offset = p % TARGET_PAGE_SIZE;
                 pag = (char *)page[p/TARGET_PAGE_SIZE];
                 if (!pag) {
-                    pag = (char *)malloc(TARGET_PAGE_SIZE);
-                    memset(pag, 0, TARGET_PAGE_SIZE);
+                    pag = g_try_malloc0(TARGET_PAGE_SIZE);
                     page[p/TARGET_PAGE_SIZE] = pag;
                     if (!pag)
                         return 0;
@@ -696,7 +695,7 @@ static abi_ulong setup_arg_pages(abi_ulong p, struct linux_binprm *bprm,
             info->rss++;
             /* FIXME - check return value of memcpy_to_target() for failure */
             memcpy_to_target(stack_base, bprm->page[i], TARGET_PAGE_SIZE);
-            free(bprm->page[i]);
+            g_free(bprm->page[i]);
         }
         stack_base += TARGET_PAGE_SIZE;
     }