From 798959bd6f37951bae76ee6786898328d39c35b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?n4=E2=98=A00r?= Date: Thu, 15 Sep 2016 19:11:15 +0200 Subject: [PATCH] Fix coverities related to dmh --- libr/core/linux_heap_glibc_32.c | 163 ++++++++++++++++++-------------- libr/core/linux_heap_glibc_64.c | 143 ++++++++++++++++------------ 2 files changed, 176 insertions(+), 130 deletions(-) diff --git a/libr/core/linux_heap_glibc_32.c b/libr/core/linux_heap_glibc_32.c index 3384a4790a..063beb3a53 100644 --- a/libr/core/linux_heap_glibc_32.c +++ b/libr/core/linux_heap_glibc_32.c @@ -189,6 +189,10 @@ static bool r_resolve_main_arena_32(RCore *core, ut32 *m_arena, RHeap_MallocStat RListIter *iter; RDebugMap *map; + if (!core || !core->dbg || !core->dbg->maps){ + return false; + } + if (*m_arena == UT32_MAX) { const char *dir_dbg = "/usr/lib/debug"; const char *dir_build_id = "/.build-id"; @@ -198,9 +202,6 @@ static bool r_resolve_main_arena_32(RCore *core, ut32 *m_arena, RHeap_MallocStat bool is_debug_file[4]; ut32 libc_addr = UT32_MAX, vaddr = UT32_MAX; - if (!core || !core->dbg || !core->dbg->maps){ - return false; - } r_debug_map_sync (core->dbg); r_list_foreach (core->dbg->maps, iter, map) { if (strstr (map->name, "/libc-")) { @@ -269,11 +270,11 @@ arena: } not_arena: eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n"); + free (path); return false; } else { update_main_arena_32 (core, *m_arena, main_arena); } - return true; } @@ -344,6 +345,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M next = cnk->fd; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); 
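Review bot: Dropping `return true;` after the `else` block leaves r_resolve_main_arena_32, declared `bool`, with no return statement on the path that calls `update_main_arena_32`, so a caller that tests the result reads an indeterminate value. Unless code before the `arena:` label (outside the hunk) returns earlier, the only remaining return is the `return false;` at `not_arena:`. Keep the trailing statement: `update_main_arena_32 (core, *m_arena, main_arena);` `}` `return true;`. The 64-bit counterpart makes the same deletion and needs the same repair.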
@@ -354,6 +356,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M if (next != bin) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); @@ -364,6 +367,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M next = cnk->bk; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk32)); @@ -371,7 +375,7 @@ static int print_double_linked_list_bin_simple_32(RCore *core, ut32 bin, RHeap_M PRINTF_GA ("->bk = 0x%"PFMT32x, cnk->bk); free (cnk); - return 1; + return 0; } static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_MallocState32 *main_arena, ut32 brk_start) { @@ -382,7 +386,9 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL; RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); - if (!cnk) { + if (!cnk || !g) { + free (cnk); + free (g); return -1; } @@ -396,6 +402,8 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma next = cnk->bk; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); + free (g); return -1; } 
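Review bot: The new failure paths in print_double_linked_list_bin_graph_32 (the allocation check and the "Double linked list corrupted" branch) release the graph with `free (g)`, while the function's own success path, in the next hunk, tears it down with `r_agraph_free (g)`; a raw free of the RAGraph presumably leaks whatever `r_agraph_new` allocated inside it. Use the matching destructor on both new paths: `r_agraph_free (g);` in place of `free (g);`. The same mismatch appears in the 64-bit twin. The function's opening lines, where `g` is created, are outside the hunk.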
@@ -414,26 +422,28 @@ static int print_double_linked_list_bin_graph_32(RCore *core, ut32 bin, RHeap_Ma free (cnk); r_agraph_free (g); - - return 1; + return 0; } -static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 num_bin, int graph) { - int ret = 0; - ut32 brk_start = UT32_MAX, brk_end = UT32_MAX; - ut32 bin = main_arena->bins[num_bin]; - if (!bin) { - return ret; - } - +static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 num_bin, int graph) { if (!core || !core->dbg || !core->dbg->maps) { - return ret; + return -1; + } + int ret = 0; + ut32 brk_start = UT32_MAX, brk_end = UT32_MAX; + if (num_bin < 0 || num_bin > 126) { + return -1; + } + ut32 bin = main_arena->bins[num_bin]; + + if (!bin) { + return -1; } get_brks_32 (core, &brk_start, &brk_end); if (brk_start == UT32_MAX || brk_end == UT32_MAX) { eprintf ("No Heap section\n"); - return ret; + return -1; } bin = m_arena + offset + SZ * num_bin * 2 - SZ * 2; @@ -457,7 +467,6 @@ static int print_double_linked_list_bin_32(RCore *core, RHeap_MallocState32 *ma } PRINT_GA ("\n }\n"); - return ret; } 
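Review bot: In the rewritten print_double_linked_list_bin_32 the guard `num_bin < 0 || num_bin > 126` has a dead half, because `num_bin` is `ut32` and can never be negative; reduce it to `if (num_bin > 126) { return -1; }` so the intent is visible and no compiler warns about a tautology. The upper bound 126 is not tied to any visible declaration of `bins`, so a short comment naming where that limit comes from would help the next reader. The `switch` that consumes `ret` lies outside the hunk.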
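Review bot: The -457 hunk deletes `return ret;` at the end of print_double_linked_list_bin_32, so an `int` function now falls off its closing brace after `PRINT_GA ("\n }\n");`, which is undefined behaviour whenever the caller uses the result, and `ret` is left assigned but never returned. Restore the statement (`return ret;`) or drop `ret` and change the return type consistently with the callers. The 64-bit counterpart has the same deletion.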
@@ -496,27 +505,26 @@ static void print_heap_bin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *ma } static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 m_arena, ut32 offset, ut32 bin_num) { + if (!core || !core->dbg || !core->dbg->maps) { + return -1; + } ut32 next = UT32_MAX, brk_start = UT32_MAX, brk_end = UT32_MAX; ut32 bin = main_arena->fastbinsY[bin_num]; if (!bin) { - return 0; + return -1; } - RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); + if (!cnk) { return 0; } - - if (!core || !core->dbg || !core->dbg->maps) { - return 0; - } - bin = m_arena + offset + SZ * bin_num; r_core_read_at (core, bin, (ut8 *)&next, SZ); get_brks_32 (core, &brk_start, &brk_end); if (brk_start == UT32_MAX || brk_end == UT32_MAX) { eprintf ("No Heap section\n"); + free (cnk); return 0; } @@ -545,6 +553,7 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai PRINTF_RA (" 0x%"PFMT32x, next); PRINT_RA (" Linked list corrupted\n"); PRINT_GA ("\n }\n"); + free (cnk); return -1; } @@ -553,6 +562,7 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai PRINTF_RA ("0x%"PFMT32x, next); PRINT_RA (" Double free detected\n"); PRINT_GA ("\n }\n"); + free (cnk); return -1; } } @@ -561,11 +571,13 @@ static int print_single_linked_list_bin_32(RCore *core, RHeap_MallocState32 *mai PRINTF_RA ("0x%"PFMT32x, next); PRINT_RA (" Linked list corrupted\n"); PRINT_GA ("\n }\n"); - return 1; + free (cnk); + return -1; } PRINT_GA ("\n }\n"); - return -1; + free (cnk); + return 0; } void print_heap_fastbin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena, const char *input) { 
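Review bot: `main_arena->fastbinsY[bin_num]` in print_single_linked_list_bin_32 is still indexed without a range check, even though the sibling `bins[num_bin]` access gained one in this commit; `bin_num` comes from the caller (outside the hunk), so an out-of-range value reads past the array. If `fastbinsY` is a fixed-size array, guard it before the read with `if (bin_num >= sizeof (main_arena->fastbinsY) / sizeof (main_arena->fastbinsY[0])) { return -1; }`. The return codes are also mixed: a missing core now yields -1, a failed allocation still yields 0, and the 64-bit twin yields 0 for a missing core, so callers cannot tell failure modes apart consistently.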
@@ -600,24 +612,24 @@ void print_heap_fastbin_32(RCore *core, ut32 m_arena, RHeap_MallocState32 *main_ } static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state, ut32 m_state) { - int w, h; - ut32 top_size = UT32_MAX; - if (!core || !core->dbg || !core->dbg->maps) { return; } - + + int w, h; + ut32 top_size = UT32_MAX; w = r_cons_get_size (&h); RConsCanvas *can = r_cons_canvas_new (w, h); can->color = r_config_get_i (core->config, "scr.color"); RAGraph *g = r_agraph_new (can); RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; - RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32), - *prev_c = R_NEW0 (RHeapChunk32); + RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32),*prev_c = R_NEW0 (RHeapChunk32); - if (!cnk || !prev_c) { + if (!cnk || !prev_c || !g || !can) { free (cnk); free (prev_c); + free (can); + free (g); return; } @@ -640,7 +652,7 @@ static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state, r_core_read_at (core, next_chunk_ref, (ut8 *)prev_c, sizeof (RHeapChunk32)); node_title = r_str_newf (" Malloc chunk @ 0x%"PFMT32x" ", prev_chunk_ref); size_tmp = (prev_c->size >> 3) << 3; - if (top_size != UT64_MAX && (size_tmp > top_size || next_chunk_ref + size_tmp > malloc_state->top)) { + if (size_tmp > top_size || next_chunk_ref + size_tmp > malloc_state->top) { node_data = r_str_newf ("[corrupted] size: 0x%x\n fd: 0x%"PFMT32x", bk: 0x%"PFMT64x"\nHeap graph could not be recovered\n", prev_c->size, prev_c->fd, prev_c->bk) ; r_agraph_add_node (g, node_title, node_data); if (first_node) first_node = false; 
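Review bot: The added `!g || !can` check in print_mmap_graph_32 comes too late: `can->color = r_config_get_i (...)` and `r_agraph_new (can)` already dereference and consume `can` before it is tested, so a failed `r_cons_canvas_new` still crashes. Test the canvas right after it is created, `RConsCanvas *can = r_cons_canvas_new (w, h);` `if (!can) { return; }`, and test `g` immediately after `r_agraph_new` before anything uses it. The cleanup in this hunk also releases the canvas and graph with plain `free`, whereas print_double_linked_list_bin_graph_32 uses `r_agraph_free`; the library destructors avoid leaking the objects' internals.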
@@ -665,14 +677,19 @@ static void print_mmap_graph_32(RCore *core, RHeap_MallocState32 *malloc_state, free (node_title); } r_agraph_print (g); - + free (g); free (cnk); + free (can); free (prev_c); free (top_data); free (top_title); } static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) { + if (!core || !core->dbg || !core->dbg->maps) { + return; + } + int w, h; ut32 top_size = UT32_MAX; w = r_cons_get_size (&h); @@ -683,6 +700,10 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32), *prev_c = R_NEW0 (RHeapChunk32); if (!cnk || !prev_c) { + free (can); + free (cnk); + free (prev_c); + free (g); return; } @@ -693,14 +714,15 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut r_agraph_set_title (g, "Heap Layout"); top_title = r_str_newf ("Top chunk @ 0x%"PFMT32x"\n", main_arena->top); - if (!core || !core->dbg || !core->dbg->maps) { - return; - } - get_brks_32 (core, &brk_start, &brk_end); *initial_brk = (brk_start >> 12) << 12; if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) { eprintf ("No Heap section\n"); + free (can); + free (cnk); + free (prev_c); + free (g); + free (top_title); return; } 
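Review bot: After `r_agraph_print (g)` the graph is dropped with `free (g)` and the canvas with `free (can)`, but the success path of print_double_linked_list_bin_graph_32 in this same file uses `r_agraph_free (g)`; freeing the RAGraph struct directly presumably leaks its nodes and strings. Use `r_agraph_free (g);` here and the cons canvas destructor for `can` if this version of the API exports one. In the -683 hunk below, print_heap_graph_32 frees `can` and `g` on allocation failure but never tests them for NULL, unlike its 64-bit twin which checks `!can || !g`; the two files should agree.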
@@ -738,39 +760,42 @@ static void print_heap_graph_32(RCore *core, RHeap_MallocState32 *main_arena, ut free (node_title); } r_agraph_print (g); - free (cnk); + free (g); + free (can); free (prev_c); free (top_data); free (top_title); } static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, ut32 *initial_brk) { + if (!core || !core->dbg || !core->dbg->maps){ + return; + } + ut32 brk_start = UT32_MAX, brk_end = UT32_MAX, size_tmp, top_size = UT32_MAX; RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); if (!cnk) { return; } - - if (!core || !core->dbg || !core->dbg->maps){ - return; - } - + get_brks_32 (core, &brk_start, &brk_end); *initial_brk = (brk_start >> 12) << 12; + if (brk_start == UT32_MAX || brk_end == UT32_MAX || *initial_brk == UT32_MAX) { eprintf ("No Heap section\n"); + free (cnk); return; } ut32 next_chunk = *initial_brk, prev_chunk = next_chunk; top_size = main_arena->top - brk_start; - bool list_corrupted = false; + while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) { r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); size_tmp = (cnk->size >> 3) << 3; - if (top_size != UT32_MAX && (size_tmp > top_size || next_chunk + size_tmp > main_arena->top)) { + if (size_tmp > top_size || next_chunk + size_tmp > main_arena->top) { PRINT_YA ("\n Malloc chunk @ "); PRINTF_BA ("0x%"PFMT32x" ", next_chunk); PRINT_RA ("[corrupted]\n"); @@ -801,11 +826,6 @@ static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, u } } } - - if (list_corrupted) { - break; - } - next_chunk += size_tmp; prev_chunk = next_chunk; r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); 
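Review bot: This hunk removes `free (cnk);` from the teardown of print_heap_graph_32 and does not free it anywhere visible, so the chunk buffer allocated at the top of the function now leaks on every successful run; the 64-bit counterpart keeps `free (cnk)` in exactly this spot. Put it back beside `free (prev_c)`: `free (cnk);`. As elsewhere in the patch, `free (g)` should be `r_agraph_free (g)` to match print_double_linked_list_bin_graph_32. The loop body of print_heap_segment32 that this hunk opens continues into the next hunk.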
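Review bot: With the `list_corrupted` break gone, nothing visible in print_heap_segment32 rejects a zero or sub-minimum chunk size: `size_tmp = (cnk->size >> 3) << 3` can be 0, which passes both `size_tmp > top_size` and `next_chunk + size_tmp > main_arena->top`, and then `next_chunk += size_tmp;` re-reads the same chunk forever. Since the file already treats `SZ * 4` as the smallest fastbin chunk, reject anything smaller in the corruption test: `if (size_tmp < SZ * 4 || size_tmp > top_size || next_chunk + size_tmp > main_arena->top) {`. Whether the "[corrupted]" branch itself breaks out of the loop is not visible in the hunk.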
@@ -832,16 +852,18 @@ static void print_heap_segment32(RCore *core, RHeap_MallocState32 *main_arena, u } static void print_heap_mmaped32(RCore *core, ut32 malloc_state) { + if (!core || !core->dbg || !core->dbg->maps){ + return; + } + ut32 mmap_start = UT32_MAX, mmap_end = UT32_MAX, size_tmp; ut32 top_size = UT32_MAX; RHeapChunk32 *cnk = R_NEW0 (RHeapChunk32); RHeap_MallocState32 *ms = R_NEW0 (RHeap_MallocState32); - if (!cnk) { - return; - } - - if (!core || !core->dbg || !core->dbg->maps){ + if (!cnk || !ms) { + free (cnk); + free (ms); return; } @@ -849,13 +871,11 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) { r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32)); mmap_end = ms->top; - ut32 next_chunk = mmap_start, prev_chunk = next_chunk; r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32)); r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk32)); top_size = (cnk->size >> 3) << 3; - bool list_corrupted = false; while (next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) { r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); size_tmp = (cnk->size >> 3) << 3; @@ -890,14 +910,10 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) { } } } - - if (list_corrupted) { - break; - } - next_chunk += size_tmp; prev_chunk = next_chunk; r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk32)); + if (is_free) { PRINT_GA ("[free]"); } else { 
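Review bot: print_heap_mmaped32 reads the malloc_state into `ms` twice, `r_core_read_at (core, malloc_state, (ut8*)ms, sizeof (RHeap_MallocState32));` before `mmap_end = ms->top` and again immediately after, and neither read's result is checked before `ms->top` is used as a chunk address. Drop the duplicate read, and if `r_core_read_at` reports failure in this version, bail out before walking the arena. The walk below has the same zero-size hazard as print_heap_segment32: a chunk whose masked size is 0 makes `next_chunk += size_tmp;` loop on the same address.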
@@ -924,10 +940,17 @@ static void print_heap_mmaped32(RCore *core, ut32 malloc_state) { void print_malloc_states32 ( RCore *core, ut32 m_arena, RHeap_MallocState32 *main_arena) { RHeap_MallocState32 *ta = R_NEW0 (RHeap_MallocState32); + if (!ta) { + return; + } + PRINT_YA ("main_arena @ "); PRINTF_BA ("0x%"PFMT32x"\n", m_arena); - if (main_arena->next == m_arena) return; + if (main_arena->next == m_arena) { + free (ta); + return; + } else { ta->next = main_arena->next; while (ta->next != UT32_MAX && ta->next != m_arena) { @@ -1059,7 +1082,8 @@ static int cmd_dbg_map_heap_glibc_32(RCore *core, const char *input) { RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32)); print_heap_bin_32 (core, m_state, malloc_state, bin); - free(malloc_state); + free (malloc_state); + free (dup); } } break; @@ -1082,7 +1106,8 @@ static int cmd_dbg_map_heap_glibc_32(RCore *core, const char *input) { RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32); r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState32)); print_heap_fastbin_32 (core, m_state, malloc_state, bin); - free(malloc_state); + free (malloc_state); + free (dup); } } break; diff --git a/libr/core/linux_heap_glibc_64.c b/libr/core/linux_heap_glibc_64.c index 4e1a777895..7307d25fe7 100644 --- a/libr/core/linux_heap_glibc_64.c +++ b/libr/core/linux_heap_glibc_64.c @@ -270,11 +270,11 @@ arena: } not_arena: eprintf ("Warning: glibc library with symbol main_arena could not be found. Is libc6-dbg installed?\n"); + free (path); return false; } else { update_main_arena_64 (core, *m_arena, main_arena); } - return true; } @@ -316,7 +316,7 @@ static void print_heap_chunk_64(RCore *core) { PRINT_GA (",\n}\n"); ut64 size = ((cnk->size >> 3) << 3) - SZ * 2; - if (size > SZ * 128) { + if (size > (ut64)SZ * 128) { PRINT_GA ("chunk too big to be displayed\n"); size = SZ * 128; } 
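Review bot: In cmd_dbg_map_heap_glibc_32 the result of `RHeap_MallocState32 *malloc_state = R_NEW0 (RHeap_MallocState32);` is handed straight to `r_core_read_at`, which writes into it, without the NULL check that every other R_NEW0 in this patch now gets; the fastbin hunk just below has the identical pattern. Add `if (!malloc_state) { free (dup); break; }` (or whatever exit the enclosing loop expects) before the read. The surrounding command handler begins and ends outside the hunk.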
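Review bot: As in the 32-bit file, the -270 hunk of linux_heap_glibc_64.c deletes `return true;` after the `else` block of r_resolve_main_arena_64, so the `bool` function reaches its closing brace without a return on the `update_main_arena_64` path. Unless code before `arena:` (outside the hunk) returns earlier, callers now get an indeterminate result for an already-resolved arena. Restore `return true;` after the `else` block.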
@@ -345,6 +345,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M next = cnk->fd; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -355,6 +356,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M if (next != bin) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -365,6 +367,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M next = cnk->bk; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (cnk); return -1; } r_core_read_at (core, next, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -372,7 +375,7 @@ static int print_double_linked_list_bin_simple_64(RCore *core, ut64 bin, RHeap_M PRINTF_GA ("->bk = 0x%"PFMT64x, cnk->bk); free (cnk); - return 1; + return 0; } static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_MallocState64 *main_arena, ut64 brk_start) { @@ -383,7 +386,9 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma RANode *bin_node = NULL, *prev_node = NULL, *next_node = NULL; RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); - if (!cnk) { + if (!cnk || !g) { + free (cnk); + free (g); return -1; } @@ -397,6 +402,8 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma next = cnk->bk; if (next < brk_start || next > main_arena->top) { PRINT_RA ("Double linked list corrupted\n"); + free (g); + free (cnk); return -1; } 
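Review bot: print_double_linked_list_bin_graph_64 now frees the graph with `free (g)` on both new error paths, while its success path in the next hunk calls `r_agraph_free (g)`; freeing the struct directly presumably leaks the graph's internals. Use `r_agraph_free (g);` on the allocation-failure and corrupted-list paths as well. The function's opening lines, including the creation of `g`, are outside the hunk.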
@@ -412,32 +419,34 @@ static int print_double_linked_list_bin_graph_64(RCore *core, ut64 bin, RHeap_Ma r_agraph_add_edge (g, prev_node, bin_node); r_agraph_add_edge (g, bin_node, prev_node); r_agraph_print (g); - free (cnk); r_agraph_free (g); - - return 1; + return 0; } static int print_double_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 num_bin, int graph) { - int ret = 0; - ut64 brk_start = UT64_MAX, brk_end = UT64_MAX; - ut64 bin = main_arena->bins[num_bin]; - if (!bin) { - return ret; + if (!core || !core->dbg || !core->dbg->maps) { + return -1; } - if (!core || !core->dbg || !core->dbg->maps) { - return ret; + int ret = 0; + ut64 brk_start = UT64_MAX, brk_end = UT64_MAX; + if (num_bin > 126 || num_bin < 0) { + return; + } + ut64 bin = main_arena->bins[num_bin]; + + if (!bin) { + return -1; } get_brks_64 (core, &brk_start, &brk_end); if (brk_start == UT64_MAX || brk_end == UT64_MAX) { eprintf ("No Heap section\n"); - return ret; + return -1; } - bin = m_arena + offset + SZ * num_bin * 2 - SZ * 2; + bin = m_arena + offset + SZ * num_bin * 2 - (unsigned long long)SZ * 2; switch (num_bin) { case 0: @@ -458,7 +467,6 @@ static int print_double_linked_list_bin_64(RCore *core, RHeap_MallocState64 *ma } PRINT_GA ("\n }\n"); - return ret; } 
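Review bot: The new bounds guard in print_double_linked_list_bin_64 uses a bare `return;` inside a function declared `int`, which is a constraint violation in C (gcc only warns) and hands the caller garbage; it also tests `num_bin < 0` on a `ut64`, which is always false. Write it as `if (num_bin > 126) { return -1; }` to match the 32-bit version. The `(unsigned long long)SZ * 2` cast on the `bin =` line is harmless but inconsistent with the `ut64` arithmetic used everywhere else in the file.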
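Review bot: The -458 hunk removes `return ret;` from the end of print_double_linked_list_bin_64, so this `int` function now falls off its closing brace after `PRINT_GA ("\n }\n");` and `ret` is computed in the `switch` (outside the hunk) but never returned. Put `return ret;` back, or change the return type and the 32-bit twin together.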
@@ -497,28 +505,30 @@ static void print_heap_bin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 *ma } static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 m_arena, ut64 offset, ut64 bin_num) { + if (!core || !core->dbg || !core->dbg->maps) { + return 0; + } + ut64 next = UT64_MAX, brk_start = UT64_MAX, brk_end = UT64_MAX; - ut64 bin = main_arena->fastbinsY[bin_num]; + ut64 bin = main_arena->fastbinsY[bin_num]; if (!bin) { return 0; } RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); + if (!cnk) { return 0; } - if (!core || !core->dbg || !core->dbg->maps) { - return 0; - } - bin = m_arena + offset + SZ * bin_num; r_core_read_at (core, bin, (ut8 *)&next, SZ); get_brks_64 (core, &brk_start, &brk_end); if (brk_start == UT64_MAX || brk_end == UT64_MAX) { eprintf ("No Heap section\n"); - return 0; + free (cnk); + return -1; } PRINTF_GA (" fastbin %d @ ", bin_num + 1); @@ -546,6 +556,7 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai PRINTF_RA (" 0x%"PFMT64x, next); PRINT_RA (" Linked list corrupted\n"); PRINT_GA ("\n }\n"); + free (cnk); return -1; } @@ -554,6 +565,7 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai PRINTF_RA ("0x%"PFMT64x, next); PRINT_RA (" Double free detected\n"); PRINT_GA ("\n }\n"); + free (cnk); return -1; } } @@ -562,11 +574,13 @@ static int print_single_linked_list_bin_64(RCore *core, RHeap_MallocState64 *mai PRINTF_RA ("0x%"PFMT64x, next); PRINT_RA (" Linked list corrupted\n"); PRINT_GA ("\n }\n"); - return 1; + free (cnk); + return -1; } PRINT_GA ("\n }\n"); - return -1; + free (cnk); + return 0; } static void print_heap_fastbin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena, const char *input) { 
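Review bot: print_single_linked_list_bin_64 still reads `main_arena->fastbinsY[bin_num]` with no range check on the caller-supplied `bin_num`, although the parallel `bins[num_bin]` access gained one in this commit. If `fastbinsY` is a fixed array, guard it: `if (bin_num >= sizeof (main_arena->fastbinsY) / sizeof (main_arena->fastbinsY[0])) { return -1; }`. The exit codes also diverge from the 32-bit file: here a missing core returns 0 and "No Heap section" returns -1, while linux_heap_glibc_32.c does the opposite, so print_heap_fastbin_* (outside the hunk) cannot interpret them the same way.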
@@ -601,13 +615,12 @@ static void print_heap_fastbin_64(RCore *core, ut64 m_arena, RHeap_MallocState64 } static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state, ut64 m_state) { - int w, h; - ut64 top_size = UT64_MAX; - if (!core || !core->dbg || !core->dbg->maps) { return; } - + + int w, h; + ut64 top_size = UT64_MAX; w = r_cons_get_size (&h); RConsCanvas *can = r_cons_canvas_new (w, h); can->color = r_config_get_i (core->config, "scr.color"); @@ -615,9 +628,11 @@ static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state, RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64); - if (!cnk || !prev_c) { + if (!cnk || !prev_c || !can || !g) { free (cnk); free (prev_c); + free (can); + free (g); return; } @@ -665,14 +680,19 @@ static void print_mmap_graph_64(RCore *core, RHeap_MallocState64 *malloc_state, free (node_title); } r_agraph_print (g); - + + free (g); free (cnk); + free (can); free (prev_c); free (top_data); free (top_title); } -static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) { +static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) { + if (!core || !core->dbg || !core->dbg->maps) { + return; + } int w, h; ut64 top_size = UT64_MAX; w = r_cons_get_size (&h); @@ -682,7 +702,11 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut RANode *top = {0}, *chunk_node = {0}, *prev_node = {0}; RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64), *prev_c = R_NEW0 (RHeapChunk64); - if (!cnk || !prev_c) { + if (!cnk || !prev_c || !can || !g) { + free (cnk); + free (prev_c); + free (can); + free (g); return; } 
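Review bot: In print_mmap_graph_64 the `!can || !g` test added in the -615 hunk sits after `can->color = r_config_get_i (...)` and `r_agraph_new (can)`, so a NULL canvas is dereferenced before it is ever checked. Check it where it is made: `RConsCanvas *can = r_cons_canvas_new (w, h);` `if (!can) { return; }`, and check `g` right after `r_agraph_new`. Both this function's teardown and the one in print_heap_graph_64 release the graph with `free (g)` rather than the `r_agraph_free (g)` used by print_double_linked_list_bin_graph_64, which presumably leaks the graph's contents.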
@@ -693,14 +717,15 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut r_agraph_set_title (g, "Heap Layout"); top_title = r_str_newf ("Top chunk @ 0x%"PFMT64x"\n", main_arena->top); - if (!core || !core->dbg || !core->dbg->maps) { - return; - } - get_brks_64 (core, &brk_start, &brk_end); *initial_brk = (brk_start >> 12) << 12; if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) { eprintf ("No Heap section\n"); + free (cnk); + free (prev_c); + free (can); + free (g); + free (top_title); return; } @@ -738,35 +763,36 @@ static void print_heap_graph_64(RCore *core, RHeap_MallocState64 *main_arena, ut free (node_title); } r_agraph_print (g); - + free (g); free (cnk); + free (can); free (prev_c); free (top_data); free (top_title); } static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, ut64 *initial_brk) { - ut64 brk_start = UT64_MAX, brk_end = UT64_MAX, size_tmp; + if (!core || !core->dbg || !core->dbg->maps){ + return; + } + ut64 brk_start = UT64_MAX, brk_end = UT64_MAX, size_tmp; ut64 top_size = UT64_MAX; RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); if (!cnk) { return; } - - if (!core || !core->dbg || !core->dbg->maps){ - return; - } get_brks_64 (core, &brk_start, &brk_end); *initial_brk = (brk_start >> 12) << 12; - if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) { + + if (brk_start == UT64_MAX || brk_end == UT64_MAX || *initial_brk == UT64_MAX) { eprintf ("No Heap section\n"); + free (cnk); return; } ut64 next_chunk = *initial_brk, prev_chunk = next_chunk; top_size = main_arena->top - brk_start; - bool list_corrupted = false; while (next_chunk && next_chunk >= brk_start && next_chunk < main_arena->top) { r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); size_tmp = (cnk->size >> 3) << 3; 
@@ -779,8 +805,8 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u } PRINT_YA ("\n Malloc chunk @ "); PRINTF_BA ("0x%"PFMT64x" ", prev_chunk); - - bool is_free = false; + + bool is_free = false; ut64 double_free = UT64_MAX; if (size_tmp >= SZ * 4 && size_tmp <= SZ * 24) { int i = (size_tmp / (SZ * 2)) - 2; @@ -801,11 +827,6 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u } } } - - if (list_corrupted) { - break; - } - next_chunk += size_tmp; prev_chunk = next_chunk; r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -832,12 +853,11 @@ static void print_heap_segment64(RCore *core, RHeap_MallocState64 *main_arena, u } static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { - ut64 mmap_start = UT64_MAX, mmap_end = UT64_MAX, size_tmp; - ut64 top_size = UT64_MAX; - if (!core || !core->dbg || !core->dbg->maps){ return; } + ut64 mmap_start = UT64_MAX, mmap_end = UT64_MAX, size_tmp; + ut64 top_size = UT64_MAX; RHeapChunk64 *cnk = R_NEW0 (RHeapChunk64); if (!cnk) { @@ -854,7 +874,6 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { r_core_read_at (core, ms->top, (ut8*)cnk, sizeof (RHeapChunk64)); top_size = (cnk->size >> 3) << 3; - bool list_corrupted = false; while ( next_chunk && next_chunk >= mmap_start && next_chunk < ms->top) { r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -872,7 +891,7 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { bool is_free = false; ut64 double_free = UT64_MAX; - if (size_tmp >= SZ * 4 && size_tmp <= SZ * 24) { + if (size_tmp >= (ut64)SZ * 4 && size_tmp <= SZ * 24) { int i = (size_tmp / (SZ * 2)) - 2; ut64 next = ms->fastbinsY[i]; double_free = next; 
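Review bot: Removing the `list_corrupted` break from print_heap_segment64 leaves no visible defence against a chunk whose masked size is 0: `size_tmp = (cnk->size >> 3) << 3` of 0 passes `size_tmp > top_size` and `next_chunk + size_tmp > main_arena->top`, and then `next_chunk += size_tmp;` re-reads the same address indefinitely. The fastbin test just above already uses `SZ * 4` as the minimum chunk size, so reject smaller values in the corruption check (`size_tmp < SZ * 4 || ...`), as the 32-bit segment walker should too. Whether the "[corrupted]" branch breaks out of the loop is outside the hunk.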
@@ -892,10 +911,6 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { } } - if (list_corrupted) { - break; - } - next_chunk += size_tmp; prev_chunk = next_chunk; r_core_read_at (core, next_chunk, (ut8 *)cnk, sizeof (RHeapChunk64)); @@ -925,10 +940,14 @@ static void print_heap_mmaped64(RCore *core, ut64 malloc_state) { void print_malloc_states64( RCore *core, ut64 m_arena, RHeap_MallocState64 *main_arena) { RHeap_MallocState64 *ta = R_NEW0 (RHeap_MallocState64); + if (!ta) { + return; + } PRINT_YA ("main_arena @ "); PRINTF_BA ("0x%"PFMT64x"\n", m_arena); if (main_arena->next == m_arena) { + free (ta); return; } ta->next = main_arena->next; @@ -1062,6 +1081,7 @@ static int cmd_dbg_map_heap_glibc_64(RCore *core, const char *input) { r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64)); print_heap_bin_64 (core, m_state, malloc_state, bin); free (malloc_state); + free (dup); } } break; @@ -1085,6 +1105,7 @@ static int cmd_dbg_map_heap_glibc_64(RCore *core, const char *input) { r_core_read_at (core, m_state, (ut8*)malloc_state, sizeof (RHeap_MallocState64)); print_heap_fastbin_64 (core, m_state, malloc_state, bin); free (malloc_state); + free (dup); } } break;
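Review bot: The two cmd_dbg_map_heap_glibc_64 hunks add `free (dup)` but still pass an unchecked `malloc_state` from R_NEW0 into `r_core_read_at`, which writes through the pointer; every other R_NEW0 in this patch gained a NULL check, and this one is the same Coverity class. Add `if (!malloc_state) { free (dup); break; }` (or the loop's usual exit) before the read in both the bins and fastbin branches. The allocation line itself and the rest of the handler are outside these hunks.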