From f3849618086cf9a8e7e6c06065b10546e0130fa6 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Thu, 19 Apr 2012 09:29:31 +0200
Subject: [PATCH] Bug fix: Memory corruption when reading bootable image that was truncated before the storage location of the boot catalog
---
 libisofs/fs_image.c | 16 ++++++++++------
 libisofs/node.c | 2 ++
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/libisofs/fs_image.c b/libisofs/fs_image.c
index 9ec372e..842e8af 100644
--- a/libisofs/fs_image.c
+++ b/libisofs/fs_image.c
@@ -3556,12 +3556,6 @@ int iso_image_import(IsoImage *image, IsoDataSource *src,
 iso_node_builder_unref(image->builder);
- /* free old root */
- iso_node_unref((IsoNode*)oldroot);
-
- /* free old boot catalog */
- el_torito_boot_catalog_free(oldbootcat);
-
 /* set volume attributes */
 iso_image_set_volset_id(image, data->volset_id);
 iso_image_set_volume_id(image, data->volume_id);
@@ -3650,7 +3644,9 @@ int iso_image_import(IsoImage *image, IsoDataSource *src,
 iso_node_unref((IsoNode*)image->root);
 el_torito_boot_catalog_free(image->bootcat);
 image->root = oldroot;
+ oldroot = NULL;
 image->bootcat = oldbootcat;
+ oldbootcat = NULL;
 image->checksum_array = old_checksum_array;
 old_checksum_array = NULL;
@@ -3660,6 +3656,14 @@ int iso_image_import(IsoImage *image, IsoDataSource *src,
 image->fs = fsback;
 image->builder = blback;
+ /* free old root */
+ if (oldroot != NULL)
+ iso_node_unref((IsoNode*)oldroot);
+
+ /* free old boot catalog */
+ if (oldbootcat != NULL)
+ el_torito_boot_catalog_free(oldbootcat);
+
 if (catalog != NULL)
 el_torito_boot_catalog_free(catalog);
 if (boot_image != NULL)
diff --git a/libisofs/node.c b/libisofs/node.c
index 721c645..ae04974 100644
--- a/libisofs/node.c
+++ b/libisofs/node.c
@@ -55,6 +55,8 @@ void iso_node_ref(IsoNode *node)
 */
 void iso_node_unref(IsoNode *node)
 {
+ if (node == NULL)
+ return;
 if (--node->refcount == 0) {
 switch (node->type) {
 case LIBISO_DIR:
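Review bot: The added `oldroot = NULL;` and `oldbootcat = NULL;` in the revert path of `iso_image_import()` carry the ownership rule of this fix, but nothing on the page says so. A later cleanup could drop them as dead stores and bring back the double release of the restored tree. I would put one comment above the first assignment, e.g. `/* image owns the old root and boot catalog again; clear the locals so the common cleanup does not release them */`. The existing `old_checksum_array = NULL;` two lines further down follows the same pattern and could share that comment. The function begins and ends outside this hunk.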
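Review bot: The releases added after `image->builder = blback;` now appear to run on every path that reaches this cleanup block, so `oldroot` and `oldbootcat` must hold a defined value before the first jump to it. Their declarations and the cleanup label are outside the hunk, so this cannot be checked here. Please confirm both start as NULL (`IsoDir *oldroot = NULL;` or equivalent) or are assigned before any early exit that lands here; otherwise an indeterminate pointer is passed to the free routines. As a smaller style point, the `if (oldroot != NULL)` guard duplicates the NULL check this commit adds to `iso_node_unref()` in node.c, so `iso_node_unref((IsoNode*)oldroot);` can be called unconditionally.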
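Review bot: The new NULL early return at the top of `iso_node_unref()` changes the function's contract, but the doc comment that closes just above the signature is not updated; it starts outside the hunk. I would add a line there such as `* A NULL node is silently ignored.` so callers know the guard is intentional and not an accident to be "fixed" later. It is also worth checking whether `iso_node_ref()` should accept NULL in the same way, so the pair stays symmetric; its body is not visible in this hunk.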