Coverity: fix assorted static analysis issues

RTF: - Coverity-344490: Use cli_realloc instead of cli_realloc2. cli_realloc2 will free the memory if the allocation fails, though we also free the memory later in SCAN_CLEANUP. - Fix warning about unused variable. AutoIt: - Fix possible memory leaks of input and output buffers. - Set pointer to NULL after handing off memory to new pointer.
2025-10-19 10:23:17 +00:00 · 2023-04-17 11:39:18 -07:00 · 2023-04-17 11:39:18 -07:00 · 3e8a9af4df
commit 3e8a9af4df
parent f79f942150
2 changed files with 17 additions and 3 deletions
--- a/libclamav/autoit.c
+++ b/libclamav/autoit.c
@ -761,6 +761,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
            cli_dbgmsg("autoit: file is compressed\n");
            if (cli_readint32(UNP.inputbuf) != 0x35304145) {
                cli_dbgmsg("autoit: bad magic or unsupported version\n");
+                // Free this inputbuf and set back to NULL.
+                free(UNP.inputbuf);
+                UNP.inputbuf = NULL;
+
                continue;
            }

@ -769,6 +773,10 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
            }

            if (cli_checklimits("autoit", ctx, UNP.usize, 0, 0) != CL_CLEAN) {
+                // Free this inputbuf and set back to NULL.
+                free(UNP.inputbuf);
+                UNP.inputbuf = NULL;
+
                continue;
            }

@ -848,12 +856,16 @@ static cl_error_t ea05(cli_ctx *ctx, const uint8_t *base, char *tmpd)
             */
            cli_dbgmsg("autoit: file is not compressed\n");
            UNP.outputbuf = UNP.inputbuf;
-            UNP.usize     = UNP.csize;
+            UNP.inputbuf  = NULL;
+
+            UNP.usize = UNP.csize;
        }

        if (UNP.usize < 4) {
            cli_dbgmsg("autoit: file is too short\n");
            free(UNP.outputbuf);
+            UNP.outputbuf = NULL;
+
            continue;
        }

--- a/libclamav/rtf.c
+++ b/libclamav/rtf.c
@ -167,9 +167,11 @@ static int push_state(struct stack* stack, struct rtf_state* state)
        /* grow stack */
        struct rtf_state* states;
        stack->stack_size += 128;
-        states = cli_realloc2(stack->states, stack->stack_size * sizeof(*stack->states));
-        if (!states)
+        states = cli_realloc(stack->states, stack->stack_size * sizeof(*stack->states));
+        if (!states) {
+            // Realloc failed. Note that stack->states has not been freed and must still be cleaned up by the caller.
            return CL_EMEM;
+        }
        stack->states = states;
    }
    stack->states[stack->stack_cnt++] = *state;