Coverity: fix assorted static analysis issues

RTF: - Coverity-344490: Use cli_realloc instead of cli_realloc2. cli_realloc2 will free the memory if the allocation fails, though we also free the memory later in SCAN_CLEANUP. - Fix warning about unused variable. AutoIt: - Fix possible memory leaks of input and output buffers. - Set pointer to NULL after handing off memory to new pointer.
Cisco-Talos · Aug 11, 2023 · 965cf3d · 965cf3d
1 parent f20a124
commit 965cf3d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/libclamav/autoit.c b/libclamav/autoit.c
@@ -761,6 +761,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
             cli_dbgmsg("autoit: file is compressed\n");
             if (cli_readint32(UNP.inputbuf) != 0x35304145) {
                 cli_dbgmsg("autoit: bad magic or unsupported version\n");
+                // Free this inputbuf and set back to NULL.
+                free(UNP.inputbuf);
+                UNP.inputbuf = NULL;
+
                 continue;
             }
 
@@ -769,6 +773,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
             }
 
             if (cli_checklimits("autoit", ctx, UNP.usize, 0, 0) != CL_CLEAN) {
+                // Free this inputbuf and set back to NULL.
+                free(UNP.inputbuf);
+                UNP.inputbuf = NULL;
+
                 continue;
             }
 
@@ -848,12 +856,16 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
              */
             cli_dbgmsg("autoit: file is not compressed\n");
             UNP.outputbuf = UNP.inputbuf;
-            UNP.usize     = UNP.csize;
+            UNP.inputbuf  = NULL;
+
+            UNP.usize = UNP.csize;
         }
 
         if (UNP.usize < 4) {
             cli_dbgmsg("autoit: file is too short\n");
             free(UNP.outputbuf);
+            UNP.outputbuf = NULL;
+
             continue;
         }
 

diff --git a/libclamav/rtf.c b/libclamav/rtf.c
@@ -168,9 +168,11 @@ static int push_state(struct stack* stack, struct rtf_state* state)
         /* grow stack */
         struct rtf_state* states;
         stack->stack_size += 128;
-        states = cli_realloc2(stack->states, stack->stack_size * sizeof(*stack->states));
-        if (!states)
+        states = cli_realloc(stack->states, stack->stack_size * sizeof(*stack->states));
+        if (!states) {
+            // Realloc failed. Note that stack->states has not been freed and must still be cleaned up by the caller.
             return CL_EMEM;
+        }
         stack->states = states;
     }
     stack->states[stack->stack_cnt++] = *state;