From 965cf3d91899b5cf0ad26d292ee87f98a1756a4a Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Mon, 17 Apr 2023 11:39:18 -0700
Subject: [PATCH] Coverity: fix assorted static analysis issues

RTF:
- Coverity-344490: Use cli_realloc instead of cli_realloc2. cli_realloc2 will free the memory if the allocation fails, though we also free the memory later in SCAN_CLEANUP.
- Fix warning about unused variable.
AutoIt:
- Fix possible memory leaks of input and output buffers.
- Set pointer to NULL after handing off memory to new pointer.
---
 libclamav/autoit.c | 14 +++++++++++++-
 libclamav/rtf.c | 6 ++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/libclamav/autoit.c b/libclamav/autoit.c
index 4c1b77e581..61e2dc0583 100644
--- a/libclamav/autoit.c
+++ b/libclamav/autoit.c
@@ -761,6 +761,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
 cli_dbgmsg("autoit: file is compressed\n");
 if (cli_readint32(UNP.inputbuf) != 0x35304145) {
 cli_dbgmsg("autoit: bad magic or unsupported version\n");
+ // Free this inputbuf and set back to NULL.
+ free(UNP.inputbuf);
+ UNP.inputbuf = NULL;
+
 continue;
 }

@@ -769,6 +773,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
 }

 if (cli_checklimits("autoit", ctx, UNP.usize, 0, 0) != CL_CLEAN) {
+ // Free this inputbuf and set back to NULL.
+ free(UNP.inputbuf);
+ UNP.inputbuf = NULL;
+
 continue;
 }

@@ -848,12 +856,16 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
 */
 cli_dbgmsg("autoit: file is not compressed\n");
 UNP.outputbuf = UNP.inputbuf;
- UNP.usize = UNP.csize;
+ UNP.inputbuf = NULL;
+
+ UNP.usize = UNP.csize;
 }

 if (UNP.usize < 4) {
 cli_dbgmsg("autoit: file is too short\n");
 free(UNP.outputbuf);
+ UNP.outputbuf = NULL;
+
 continue;
 }

diff --git a/libclamav/rtf.c b/libclamav/rtf.c
index 21f022fd58..983aad0bb7 100644
--- a/libclamav/rtf.c
+++ b/libclamav/rtf.c
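Review bot: The release sequence `free(UNP.inputbuf); UNP.inputbuf = NULL;` is written out by hand before `continue` on the bad-magic path here and again on the `cli_checklimits` path in the next hunk (-769/+773), so any early exit added to this loop later has to repeat it or the leak comes back. Routing these exits through one cleanup point at the end of the loop body, or through a small static helper that frees and clears both UNP buffers, would keep the rule in one place. The added comment restates the code; something like `// inputbuf is still owned by this iteration; release it before moving on.` would record why the free is needed. The loop and the allocation of inputbuf are outside the hunk, so the exact shape of that cleanup point depends on code not shown here.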
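Review bot: The handoff `UNP.outputbuf = UNP.inputbuf; UNP.inputbuf = NULL;` in the uncompressed branch (hunk -848/+856) carries no comment saying that ownership moves to outputbuf. That invariant is what keeps the `free(UNP.outputbuf)` on the too-short path from becoming a double free if inputbuf is released again later. I would add `// Ownership moves to outputbuf; inputbuf must not be freed separately from here on.` above the NULL assignment. The compressed branch that precedes this `else` is outside the hunk, so whether inputbuf is released and cleared there before `UNP.usize < 4` is evaluated cannot be confirmed from these lines and is worth checking.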
@@ -168,9 +168,11 @@ static int push_state(struct stack* stack, struct rtf_state* state)
 /* grow stack */
 struct rtf_state* states;
 stack->stack_size += 128;
- states = cli_realloc2(stack->states, stack->stack_size * sizeof(*stack->states));
- if (!states)
+ states = cli_realloc(stack->states, stack->stack_size * sizeof(*stack->states));
+ if (!states) {
+ // Realloc failed. Note that stack->states has not been freed and must still be cleaned up by the caller.
 return CL_EMEM;
+ }
 stack->states = states;
 }
 stack->states[stack->stack_cnt++] = *state;
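Review bot: `stack->stack_size += 128;` runs before the allocation and is not rolled back on the new `return CL_EMEM;` path, so after a failed grow the struct reports 128 more slots than `stack->states` holds. With `cli_realloc` the old buffer stays live, so a caller that kept using the stack after the error could reach `stack->states[stack->stack_cnt++] = *state;` with an index past the allocation. Sizing the request from the prospective value, `states = cli_realloc(stack->states, (stack->stack_size + 128) * sizeof(*stack->states));`, and moving `stack->stack_size += 128;` to just after `stack->states = states;` keeps the two fields consistent on failure. The condition that decides to grow is above the hunk, so this assumes it compares `stack_cnt` against `stack_size`.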