Merge zlib double-free bug forwarded by Mark J Cox.

diff --git a/zlib/infblock.c b/zlib/infblock.c
index 1c221dd..58f0628 100644 (file)
--- a/zlib/infblock.c
+++ b/zlib/infblock.c
@@ -249,10 +249,12 @@ int r;
                              &s->sub.trees.tb, s->hufts, z);
       if (t != Z_OK)
       {
-        ZFREE(z, s->sub.trees.blens);
         r = t;
         if (r == Z_DATA_ERROR)
-          s->mode = zBAD;
+         {
+           ZFREE(z, s->sub.trees.blens);
+           s->mode = zBAD;
+         }
         LEAVE
       }
       s->sub.trees.index = 0;
@@ -317,10 +319,14 @@ int r;
         if (t != Z_OK)
         {
           if (t == (uInt)Z_DATA_ERROR)
-            s->mode = zBAD;
+           {
+             ZFREE(z, s->sub.trees.blens);
+             s->mode = zBAD;
+           }
           r = t;
           LEAVE
         }
+       ZFREE(z, s->sub.trees.blens);
         Tracev((stderr, "inflate:       trees ok\n"));
         if ((c = inflate_codes_new(bl, bd, tl, td, z)) == Z_NULL)
         {