Fix more issues reported by clang-analyzer

binr/rabin2/rabin2.c

@@ -259,6 +259,7 @@ static int rabin_dump_sections(char *scnname) {
 	RBinSection *section;
 	ut8 *buf;
 	char *ret;
+	int r;
 
 	if ((sections = r_bin_get_sections (bin)) == NULL)
 		return false;
@@ -267,11 +268,27 @@ static int rabin_dump_sections(char *scnname) {
 		if (!strcmp (scnname, section->name)) {
 			if (!(buf = malloc (section->size)))
 				return false;
+			if ((section->size * 2) + 1 < section->size) {
+				free (buf);
+				return false;
+			}
 			if (!(ret = malloc (section->size*2+1))) {
 				free (buf);
 				return false;
 			}
-			r_buf_read_at (bin->cur->buf, section->paddr, buf, section->size);
+			if (section->paddr > bin->cur->buf->length ||
+			section->paddr + section->size > bin->cur->buf->length) {
+				free (buf);
+				free (ret);
+				return false;
+			}
+			r = r_buf_read_at (bin->cur->buf, section->paddr,
+					buf, section->size);
+			if (r < 1) {
+				free (buf);
+				free (ret);
+				return false;
+			}
 			if (output) {
 				r_file_dump (output, buf, section->size, 0);
 			} else {

libr/asm/arch/8051/8051.c

@@ -167,19 +167,24 @@ r_8051_op r_8051_decode(const ut8 *buf, int len) {
 static char *strdup_filter (const char *str, const ut8 *buf) {
 	char *o;
 	int i, j, len;
-	if (!str)
-		return NULL;
+	if (!str) return NULL;
 	len = strlen (str);
-	o = malloc (1+len*4);
-	for (i=j=0; i<len; i++) {
+	if ((len * 4) + 1 < len) return NULL;
+	o = malloc (1 + (len * 4));
+	if (!o) return NULL;
+	for (i = j = 0; i < len; i++) {
 		if (str[i] == '$') {
 			int n = str[i+1];
 			if (n>='0' && n<='9') {
 				n -= '0';
 				i++;
 				j += sprintf (o+j, "0x%02x", buf[n]);
-			} else eprintf ("strdup_filter: Internal bug\n");
-		} else o[j++] = str[i];
+			} else {
+				eprintf ("strdup_filter: Internal bug\n");
+			}
+		} else {
+			o[j++] = str[i];
+		}
 	}
 	o[j] = 0;
 	return o;

libr/cons/dietline.c

@@ -44,11 +44,13 @@ static inline int is_valid_char (unsigned char ch) {
 
 static int inithist() {
 	ZERO_FILL (I.history);
-	I.history.data = (char **)malloc ((I.history.size+1024)*sizeof(char *));
-	if (I.history.data==NULL)
+	if ((I.history.size + 1024) * sizeof(char *) < I.history.size)
+		return false;
+	I.history.data = (char **)malloc ((I.history.size + 1024) * sizeof(char *));
+	if (!I.history.data)
 		return false;
 	I.history.size = R_LINE_HISTSIZE;
-	memset (I.history.data, 0, I.history.size*sizeof(char *));
+	memset (I.history.data, 0, I.history.size * sizeof(char *));
 	return true;
 }
 
@@ -352,7 +354,7 @@ R_API void r_line_autocomplete() {
 		p++;
 		plen = sizeof (I.buffer.data)-(int)(size_t)(p-I.buffer.data);
 	} else {
-		p = I.buffer.data; // XXX: removes current buffer 
+		p = I.buffer.data; // XXX: removes current buffer
 		plen = sizeof (I.buffer.data);
 	}
 	/* autocomplete */
@@ -816,9 +818,9 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) {
 	I.buffer.index = I.buffer.length = 0;
 	I.buffer.data[0] = '\0';
 	if (I.contents) {
-		memmove (I.buffer.data, I.contents, 
+		memmove (I.buffer.data, I.contents,
 			R_MIN (strlen (I.contents)+1, R_LINE_BUFSIZE-1));
-		I.buffer.data[R_LINE_BUFSIZE-1] = '\0'; 
+		I.buffer.data[R_LINE_BUFSIZE-1] = '\0';
 		I.buffer.index = I.buffer.length = strlen (I.contents);
 	}
 	if (I.disable) {
@@ -909,7 +911,7 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) {
 				I.buffer.data[I.buffer.length] = 0; // probably unnecessary
 				tmp_ed_cmd = I.editor_cb (I.user, I.buffer.data);
 				if (tmp_ed_cmd) {
-					/* copied from yank (case 25) */ 
+					/* copied from yank (case 25) */
 					I.buffer.length = strlen (tmp_ed_cmd);
 					if (I.buffer.length < R_LINE_BUFSIZE) {
 						I.buffer.index = I.buffer.length;
@@ -918,9 +920,9 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) {
 					} else I.buffer.length -= strlen (tmp_ed_cmd);
 					free (tmp_ed_cmd);
 				}
-			} else I.buffer.index = I.buffer.length;  
+			} else I.buffer.index = I.buffer.length;
 			break;
-		case 3: // ^C 
+		case 3: // ^C
 			if (I.echo)
 				eprintf ("^C\n");
 			I.buffer.index = I.buffer.length = 0;

libr/cons/less.c

@@ -60,18 +60,32 @@ static void printpage (const char *line, int *index, RList **mla,
 
 static int *splitlines (char *s, int *lines_count) {
 	int lines_size = 128;
-	int *lines = malloc (lines_size*sizeof(int));
+	int *lines = NULL;
 	int i, row = 0;
 	int sidx = 0;
+
+	if (lines_size * sizeof(int) < lines_size) return NULL;
+	lines = malloc (lines_size * sizeof(int));
+	if (!lines) return NULL;
 	lines[row++] = 0;
-	for (i=0; s[i]; i++) {
-		if (row>=lines_size) {
+	for (i = 0; s[i]; i++) {
+		if (row >= lines_size) {
+			int *tmp;
 			lines_size += 128;
-			lines = realloc (lines, lines_size*sizeof(int));
+			if (lines_size * sizeof(int) < lines_size) {
+				free (lines);
+				return NULL;
+			}
+			tmp = realloc (lines, lines_size * sizeof(int));
+			if (!tmp) {
+				free (lines);
+				return NULL;
+			}
+			lines = tmp;
 		}
-		if (s[i]=='\n') {
+		if (s[i] == '\n') {
 			s[i] = 0;
-			lines[row++] = i+1;
+			lines[row++] = i + 1;
 		}
 		sidx++;
 	}

libr/core/core.c

@@ -1184,7 +1184,12 @@ R_API int r_core_init(RCore *core) {
 	core->flags = r_flag_new ();
 	core->graph = r_agraph_new (r_cons_canvas_new (1, 1));
 	core->asmqjmps_size = R_CORE_ASMQJMPS_NUM;
-	core->asmqjmps = R_NEWS (ut64, core->asmqjmps_size);
+	if (sizeof(ut64) * core->asmqjmps_size < core->asmqjmps_size) {
+		core->asmqjmps_size = 0;
+		core->asmqjmps = NULL;
+	} else {
+		core->asmqjmps = R_NEWS (ut64, core->asmqjmps_size);
+	}
 
 	r_bin_bind (core->bin, &(core->assembler->binb));
 	r_bin_bind (core->bin, &(core->anal->binb));

libr/core/graph.c

@@ -541,12 +541,17 @@ static void create_layers (RAGraph *g) {
 
 	/* create a starting ordering of nodes for each layer */
 	g->n_layers++;
+	if (sizeof (struct layer_t) * g->n_layers < g->n_layers) return;
 	g->layers = R_NEWS0 (struct layer_t, g->n_layers);
 
 	graph_foreach_anode (nodes, it, gn, n)
 		g->layers[n->layer].n_nodes++;
 
 	for (i = 0; i < g->n_layers; ++i) {
+		if (sizeof(RGraphNode*) * g->layers[i].n_nodes < g->layers[i].n_nodes) {
+			//FIXME how to handle properly this error ret2libc?
+			continue;
+		}
 		g->layers[i].nodes = R_NEWS (RGraphNode *, g->layers[i].n_nodes);
 		g->layers[i].position = 0;
 	}

libr/core/hack.c

@@ -139,10 +139,12 @@ R_API int r_core_hack_x86(RCore *core, const char *op, const RAnalOp *analop) {
 	const ut8 *b = core->block;
 	const int size = analop->size;
 	if (!strcmp (op, "nop")) {
-		char* str = malloc (size*2 + 1);
+		if (size * 2 + 1 < size) return false;
+		char *str = malloc (size * 2 + 1);
+		if (!str) return false;
 		int i;
-		for (i=0;i<size;i++)
-			memcpy(str+(i*2), "90", 2);
+		for (i = 0; i < size; i++)
+			memcpy(str + (i * 2), "90", 2);
 		str[size*2] = '\0';
 		r_core_cmdf(core, "wx %s\n", str);
 		free(str);

libr/hash/hash.c

@@ -181,10 +181,14 @@ R_API char *r_hash_to_string(RHash *ctx, const char *name, const ut8 *data, int
 	digest_size = r_hash_calculate (ctx, algo, data, len);
 	r_hash_do_end (ctx, algo);
 	if (digest_size > 0) {
-		digest_hex = malloc ((digest_size * 2) + 1);
-		for (i = 0; i < digest_size; i++)
-			sprintf (digest_hex + (i * 2), "%02x", ctx->digest[i]);
-		digest_hex[digest_size * 2] = 0;
+		if (digest_size * 2 < digest_size) {
+			digest_hex = NULL;
+		} else {
+			digest_hex = malloc ((digest_size * 2) + 1);
+			for (i = 0; i < digest_size; i++)
+				sprintf (digest_hex + (i * 2), "%02x", ctx->digest[i]);
+			digest_hex[digest_size * 2] = 0;
+		}
 	}
 	if (myctx) {
 		r_hash_free (myctx);

libr/include/r_flist.h

@@ -37,7 +37,8 @@ static inline void **r_flist_init(void **it, int n) {
 
 static inline void **r_flist_new(int n) {
 	void **it;
-	if (!(it = (void **)malloc ((n+2) * sizeof (void*))))
+	if (((n + 2) * sizeof(void*)) < sizeof(void*)) return NULL;
+	if (!(it = (void **)malloc ((n + 2) * sizeof (void*))))
 		return NULL;
 	return r_flist_init (it, n);
 }

libr/io/p/io_r2web.c

@@ -19,8 +19,9 @@ static int __write(RIO *io, RIODesc *fd, const ut8 *buf, int count) {
 	char *out, *url, *hexbuf;
 	if (fd == NULL || fd->data == NULL)
 		return -1;
-
+	if (count * 3 < count) return -1;
 	hexbuf = malloc (count * 3);
+	if (!hexbuf) return -1;
 	hexbuf[0] = 0;
 	r_hex_bin2str (buf, count, hexbuf);
 	url = r_str_newf ("%s/wx%%20%s@%"PFMT64d,

libr/util/base64.c

@@ -77,15 +77,16 @@ R_API int r_base64_encode(char *bout, const ut8 *bin, int len) {
 }
 
 R_API char *r_base64_encode_dyn(const char *str, int len) {
-	char *bout;
+	char *bout, *tmp;
 	int in, out;
 	if (!str) return NULL;
-	if (len<0) len = strlen (str);
-	bout = (char *)malloc ((len * 4)+1);
+	if (len < 0) len = strlen (str);
+	if ((len * 4) + 2 < len) return NULL;
+	bout = (char *)malloc ((len * 4) + 2);
 	if (!bout) return NULL;
-	for (in=out=0; in<len; in+=3,out+=4)
-		b64_encode ((const ut8*)str+in, (char*)bout+out,
-			(len-in)>3?3:len-in);
+	for (in = out = 0; in < len; in += 3, out += 4)
+		b64_encode ((const ut8*)str + in, (char*)bout + out,
+			(len - in) > 3 ? 3 : len - in);
 	bout[out] = 0;
-	return realloc (bout, out+1);
+	return bout;
 }

libr/util/hex.c

@@ -164,8 +164,12 @@ R_API int r_hex_bin2str(const ut8 *in, int len, char *out) {
 
 R_API char *r_hex_bin2strdup(const ut8 *in, int len) {
 	int i, idx;
-	char tmp[5], *out = malloc ((len+1)*2);
-	for (i=idx=0; i<len; i++, idx+=2)  {
+	char tmp[5], *out;
+
+	if ((len + 1) * 2 < len) return NULL;
+	out = malloc ((len + 1) * 2);
+	if (!out) return NULL;
+	for (i = idx = 0; i < len; i++, idx += 2)  {
 		snprintf (tmp, sizeof (tmp), "%02x", in[i]);
 		memcpy (out+idx, tmp, 2);
 	}
@@ -289,11 +293,11 @@ R_API st64 r_hex_bin_truncate (ut64 in, int n) {
 		if ((in&UT8_GT0))
 			return UT64_8U|in;
 		return in&UT8_MAX;
-	case 2: 
+	case 2:
 		if ((in&UT16_GT0))
 			return UT64_16U|in;
 		return in&UT16_MAX;
-	case 4: 
+	case 4:
 		if ((in&UT32_GT0))
 			return UT64_32U|in;
 		return in&UT32_MAX;

libr/util/regex/engine.c

@@ -169,6 +169,9 @@ matcher(struct re_guts *g, char *string, size_t nmatch, RRegexMatch pmatch[],
 	m->offp = string;
 	m->beginp = start;
 	m->endp = stop;
+
+	if (m->g->nstates * 4 < m->g->nstates)
+		return R_REGEX_NOMATCH;
 	STATESETUP(m, 4);
 	SETUP(m->st);
 	SETUP(m->fresh);
@@ -202,9 +205,13 @@ matcher(struct re_guts *g, char *string, size_t nmatch, RRegexMatch pmatch[],
 			break;		/* no further info needed */
 
 		/* oh my, he wants the subexpressions... */
-		if (m->pmatch == NULL)
+		if (m->pmatch == NULL) {
+			if ((m->g->nsub + 1) * sizeof(RRegexMatch) < m->g->nsub) {
+				return R_REGEX_ESPACE;
+			}
 			m->pmatch = (RRegexMatch *)malloc((m->g->nsub + 1) *
 							sizeof(RRegexMatch));
+		}
 		if (m->pmatch == NULL) {
 			STATETEARDOWN(m);
 			return(R_REGEX_ESPACE);
@@ -216,6 +223,11 @@ matcher(struct re_guts *g, char *string, size_t nmatch, RRegexMatch pmatch[],
 			dp = dissect(m, m->coldp, endp, gf, gl);
 		} else {
 			if (g->nplus > 0 && m->lastpos == NULL)
+				if ((g->nplus + 1) * sizeof(char *) < g->nplus) {
+					free (m->pmatch);
+					STATETEARDOWN(m);
+					return R_REGEX_ESPACE;
+				}
 				m->lastpos = (char **)malloc((g->nplus+1) *
 							sizeof(char *));
 			if (g->nplus > 0 && m->lastpos == NULL) {
@@ -968,7 +980,7 @@ print(struct match *m, char *caption, states st, int ch, FILE *d)
 	(void)fprintf(d, "\n");
 }
 
-/* 
+/*
  - at - print current situation
  */
 static void

libr/util/slist.c

@@ -118,7 +118,11 @@ R_API void r_slist_optimize (RSList *s) {
 	s->min = min;
 	s->max = max;
 	s->mod = ((max-min));
-	s->items = malloc (1+ (sizeof (void*) * s->nitems));
+	if (s->nitems * sizeof(void*) < s->nitems) {
+		s->items = NULL;
+	} else {
+		s->items = malloc (1 + (sizeof (void*) * s->nitems));
+	}
 	//eprintf ("MOD %d (block size)\n", s->mod);
 // store integers as indexes inside the allocated heap
 
@@ -156,7 +160,7 @@ OUTPUT
 
 #if 0
 typedef struct {
-	
+
 } SListStore;
 typedef struct {
 	IntArray news;
@@ -170,9 +174,9 @@ typedef struct {
 -+- QueueList # new additions are here
  `- idxlist   |_
 --- RangeCmp  # user provided comparator function
---- IndexList # 
+--- IndexList #
 --- Storage   # Heap Array storing all elements
-              | We always use 
+              | We always use
 --- StoreList # Heap Array of integers pointing to storage
               | we can probably just store a list of removed
               | items and the length

libr/util/str.c

@@ -1528,13 +1528,14 @@ R_API char *r_str_uri_encode (const char *s) {
 
 R_API char *r_str_utf16_encode (const char *s, int len) {
 	int i;
-	char ch[4], *d, *od;
+	char ch[4], *d, *od, *tmp;
 	if (!s) return NULL;
-	if (len<0) len = strlen (s);
-	od = d = malloc (1+(len*7));
+	if (len < 0) len = strlen (s);
+	if ((len * 7) + 1 < len) return NULL;
+	od = d = malloc (1 + (len * 7));
 	if (!d) return NULL;
-	for (i=0; i<len; s++, i++) {
-		if ((*s>=0x20) && (*s<=126)) {
+	for (i = 0; i < len; s++, i++) {
+		if ((*s >= 0x20) && (*s <= 126)) {
 			*d++ = *s;
 		} else {
 			*d++ = '\\';
@@ -1548,7 +1549,12 @@ R_API char *r_str_utf16_encode (const char *s, int len) {
 		}
 	}
 	*d = 0;
-	return realloc (od, strlen (od)+1); // FIT
+	tmp = realloc (od, strlen (od)+1); // FIT
+	if (!tmp) {
+		free (od);
+		return NULL;
+	}
+	return tmp;
 }
 
 // TODO: merge print inside rutil