From fa3cf6cdc68cb6d6f2c440f2653258d68eae1015 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Tue, 1 Aug 2023 01:55:13 +0300
Subject: [PATCH] cd9660: do not leak buffers in cd9660_rrip_loop()

Reported by: Robert Morris
PR: 272856
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
---
 sys/fs/cd9660/cd9660_rrip.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/sys/fs/cd9660/cd9660_rrip.c b/sys/fs/cd9660/cd9660_rrip.c
index 26a09f9be38..21b176a3f0f 100644
--- a/sys/fs/cd9660/cd9660_rrip.c
+++ b/sys/fs/cd9660/cd9660_rrip.c
@@ -520,12 +520,18 @@ cd9660_rrip_loop(struct iso_directory_record *isodir, ISO_RRIP_ANALYZE *ana,
 }
 if (ana->fields && ana->iso_ce_len) {
- if (ana->iso_ce_blk >= ana->imp->volume_space_size
- || ana->iso_ce_off + ana->iso_ce_len > ana->imp->logical_block_size
- || bread(ana->imp->im_devvp,
- ana->iso_ce_blk <<
- (ana->imp->im_bshift - DEV_BSHIFT),
- ana->imp->logical_block_size, NOCRED, &bp))
+ if (ana->iso_ce_blk >= ana->imp->volume_space_size ||
+ ana->iso_ce_off + ana->iso_ce_len >
+ ana->imp->logical_block_size)
+ break;
+ if (bp != NULL) {
+ brelse(bp);
+ bp = NULL;
+ }
+ if (bread(ana->imp->im_devvp,
+ ana->iso_ce_blk <<
+ (ana->imp->im_bshift - DEV_BSHIFT),
+ ana->imp->logical_block_size, NOCRED, &bp) != 0)
 /* what to do now? */
 break;
 phead = (ISO_SUSP_HEADER *)(bp->b_data + ana->iso_ce_off);
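Review bot: The range check carried over at the top of this block, `ana->iso_ce_off + ana->iso_ce_len > ana->imp->logical_block_size`, is still an additive comparison on fields that appear to be filled from the on-disk continuation entry. A wrapping sum or a negative field would pass it and reach the `bp->b_data + ana->iso_ce_off` cast on the last line. The field types are declared outside the hunk, so confirm their signedness. If they are signed, reject negatives first and compare by subtraction: `ana->iso_ce_off < 0 || ana->iso_ce_len < 0 || ana->iso_ce_off >= ana->imp->logical_block_size || ana->iso_ce_len > ana->imp->logical_block_size - ana->iso_ce_off`; the same signedness question applies to `ana->iso_ce_blk >= ana->imp->volume_space_size`. cd9660_rrip_loop() starts and ends outside the hunk, so the final release of `bp` after the loop cannot be checked from here.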