From eef32d02602c090c17211e800444a779b49827a1 Mon Sep 17 00:00:00 2001
From: Sven Steinbauer
Date: Thu, 19 May 2016 11:32:56 +0100
Subject: [PATCH] First few fixes for infer scans
Fixes a few memleaks and several NULL dereferences
Signed-off-by: Riccardo Schirone
---
binr/radiff2/radiff2.c | 1 +
binr/rafind2/rafind2.c | 1 +
libr/anal/bb.c | 2 ++
libr/anal/cc.c | 1 +
libr/anal/cond.c | 1 +
libr/anal/data.c | 8 +++++++
libr/anal/esil2reil.c | 48 ++++++++++++++++++++++++++++++++++++++++++
libr/core/core.c | 1 +
8 files changed, 63 insertions(+)
diff --git a/binr/radiff2/radiff2.c b/binr/radiff2/radiff2.c
index dd7fe64ed3..23a96fa633 100644
--- a/binr/radiff2/radiff2.c
+++ b/binr/radiff2/radiff2.c
@@ -34,6 +34,7 @@ static RCore* opencore(const char *f) {
 const ut64 baddr = UT64_MAX;
 RCore *c = r_core_new ();
 r_core_loadlibs (c, R_CORE_LOADLIBS_ALL, NULL);
+ if (!c) return NULL;
 r_config_set_i (c->config, "io.va", useva);
 r_config_set_i (c->config, "anal.split", true);
 if (f) {
diff --git a/binr/rafind2/rafind2.c b/binr/rafind2/rafind2.c
index 8a10c62a50..55dd1b89e1 100644
--- a/binr/rafind2/rafind2.c
+++ b/binr/rafind2/rafind2.c
@@ -89,6 +89,7 @@ static int rafind_open(char *file) {
 r_cons_new ();
 rs = r_search_new (mode);
+ if (!rs) return 1;
 buf = calloc (1, bsize);
 if (!buf) {
 eprintf ("Cannot allocate %"PFMT64d" bytes\n", bsize);
diff --git a/libr/anal/bb.c b/libr/anal/bb.c
index 92359609b6..0f405fbee7 100644
--- a/libr/anal/bb.c
+++ b/libr/anal/bb.c
@@ -81,6 +81,7 @@ R_API int r_anal_bb(RAnal *anal, RAnalBlock *bb, ut64 addr, ut8 *buf, ut64 len,
 break;
 }
 if (oplen < 1) {
+ r_anal_op_free (op);
 return R_ANAL_RET_END;
 }
@@ -173,6 +174,7 @@ R_API void r_anal_bb_set_offset(RAnalBlock *bb, int i, ut16 v) {
 if (i >= bb->n_op_pos) {
 bb->n_op_pos = i * 2;
 bb->op_pos = realloc (bb->op_pos, bb->n_op_pos * sizeof (*bb->op_pos));
+ if (!bb->op_pos) return;
 }
 bb->op_pos[i - 1] = v;
diff --git a/libr/anal/cc.c b/libr/anal/cc.c
index a75a40d0f0..8e1a4477ea 100644
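Review bot: The new `if (!c) return NULL;` is placed one line too late — `r_core_loadlibs (c, R_CORE_LOADLIBS_ALL, NULL)` on the line above already receives `c` and will presumably dereference it, so a failed `r_core_new ()` still crashes before the guard is reached. Move the guard directly under the allocation: `RCore *c = r_core_new ();` / `if (!c) return NULL;` / `r_core_loadlibs (c, R_CORE_LOADLIBS_ALL, NULL);`. Whether r_core_loadlibs tolerates a NULL core is not visible here, but nothing is gained by calling it with one. opencore's body continues past the hunk.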
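Review bot: The added `if (!rs) return 1;` fails silently, while the calloc failure two lines below reports through eprintf; a bare exit code from a command-line tool gives the user nothing to act on. Mirror the existing style, e.g. `if (!rs) { eprintf ("Cannot create search object\n"); return 1; }`. Note also that the `!buf` branch now runs with a live `rs`; if that branch returns (its tail is outside the hunk) it should release `rs` with the matching free routine, since unlike the new early return it has something to clean up. rafind_open starts before and continues after the hunk.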
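Review bot: The realloc result is still assigned straight into `bb->op_pos`, so when it fails the new `if (!bb->op_pos) return;` exits with the old buffer leaked, `bb->op_pos` NULL, and `bb->n_op_pos` already raised to `i * 2` on the line above — a later call with a smaller `i` skips the resize and writes through the NULL pointer at `bb->op_pos[i - 1]`. Grow through a temporary and commit both fields only on success: `void *tmp = realloc (bb->op_pos, i * 2 * sizeof (*bb->op_pos));` / `if (!tmp) return;` / `bb->op_pos = tmp; bb->n_op_pos = i * 2;`. The `i - 1` index is untouched by this patch, but note it goes out of bounds for `i == 0` whenever `n_op_pos` is already positive.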
--- a/libr/anal/cc.c
+++ b/libr/anal/cc.c
@@ -13,6 +13,7 @@ NOTES
 R_API RAnalCC* r_anal_cc_new () {
 RAnalCC *cc = R_NEW (RAnalCC);
+ if (!cc) return NULL;
 r_anal_cc_init (cc);
 return cc;
 }
diff --git a/libr/anal/cond.c b/libr/anal/cond.c
index 3403b30fd6..80ec08893e 100644
--- a/libr/anal/cond.c
+++ b/libr/anal/cond.c
@@ -44,6 +44,7 @@ R_API void r_anal_cond_free (RAnalCond *c) {
 // XXX?
 R_API RAnalCond *r_anal_cond_clone(RAnalCond *cond) {
 RAnalCond *c = R_NEW (RAnalCond);
+ if (!c) return NULL;
 memcpy (c, cond, sizeof (RAnalCond));
 return c;
 }
diff --git a/libr/anal/data.c b/libr/anal/data.c
index 7690cc99c5..21dd1f88b4 100644
--- a/libr/anal/data.c
+++ b/libr/anal/data.c
@@ -94,6 +94,10 @@ R_API char *r_anal_data_to_string(RAnalData *d) {
 if (!d) return NULL;
 line = malloc (mallocsz);
+ if (!line) {
+ eprintf ("Cannot allocate %"PFMT64d" bytes\n", mallocsz);
+ return NULL;
+ }
 snprintf (line, mallocsz, "0x%08" PFMT64x " ", d->addr);
 n32 = (ut32)d->ptr;
 len = R_MIN (d->len, 8);
@@ -179,6 +183,10 @@ R_API RAnalData *r_anal_data_new_string(ut64 addr, const char *p, int len, int t
 memcpy (ad->str, p, len);
 ad->str[len] = 0;
 ad->buf = malloc (len + 1);
+ if (!ad->buf) {
+ eprintf ("Cannot allocate %"PFMT64d" bytes\n", len + 1);
+ return NULL;
+ }
 memcpy (ad->buf, ad->str, len + 1);
 ad->len = len + 1; // string length + \x00
 }
diff --git a/libr/anal/esil2reil.c b/libr/anal/esil2reil.c
index b74669af5d..15b6f1bd93 100644
--- a/libr/anal/esil2reil.c
+++ b/libr/anal/esil2reil.c
@@ -159,6 +159,7 @@ void reil_cast_size(RAnalEsil *esil, RAnalReilArg *src, RAnalReilArg *dst) {
 snprintf (tmp_buf, REGBUFSZ-1, "0:%d", dst->size);
 r_anal_esil_push (esil, tmp_buf);
 ins = R_NEW0 (RAnalReilInst);
+ if (!ins) return;
 ins->opcode = REIL_OR;
 ins->arg[0] = src;
 ins->arg[1] = reil_pop_arg (esil);
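Review bot: `R_NEW (RAnalCC)` hands r_anal_cc_init an uninitialised object, so the struct is only as clean as r_anal_cc_init makes it, and that function is not visible here. The sibling `r_core_new` hunk in this same patch allocates with `R_NEW0`; using `RAnalCC *cc = R_NEW0 (RAnalCC);` here as well removes the dependence on the init routine touching every field and costs nothing. The NULL guard itself is correctly placed before the first use.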
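Review bot: The new guard covers the allocation but not the source: `memcpy (c, cond, sizeof (RAnalCond))` still dereferences a NULL `cond`, which is the same class of fault this patch is fixing. Add `if (!cond) return NULL;` as the first statement, before the allocation, so nothing is leaked on that path. Separately, the memcpy is a shallow copy — the `// XXX?` left above the function suggests this was already suspected — so if RAnalCond owns pointer members that r_anal_cond_free releases, a clone and its original will double-free them; that is an inference from the hunk, not something it shows.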
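Review bot: The new eprintf formats `mallocsz` with `PFMT64d`, which expects a 64-bit argument; `mallocsz` is declared outside the hunk, and if it is an `int` this is a format/argument mismatch that is undefined behaviour and that `-Wformat` will flag. Either cast it to match the specifier, `eprintf ("Cannot allocate %"PFMT64d" bytes\n", (ut64)mallocsz);`, or use the specifier for its real type. The `return NULL` itself is fine as far as the hunk shows: `line` is the only allocation visible before it, though r_anal_data_to_string's earlier lines are outside the hunk.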
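Review bot: The new `if (!ad->buf)` branch returns NULL and abandons `ad`, whose `str` member was just populated on the lines above, so the out-of-memory path this hunk adds becomes a leak of the object and its string; release `ad` (and `ad->str`) through the type's free routine before returning. The format string is also wrong here: `len` is declared `int` in the signature shown in the hunk header, so `len + 1` is an int passed to `PFMT64d`, a 64-bit specifier — undefined behaviour; write `eprintf ("Cannot allocate %d bytes\n", len + 1);` or cast to ut64. r_anal_data_new_string starts before the hunk and its remaining lines are outside it.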
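Review bot: The new `if (!ins) return;` in reil_cast_size leaves the ESIL stack as `r_anal_esil_push (esil, tmp_buf)` put it two lines earlier — the pushed size literal is never consumed, because the `reil_pop_arg (esil)` that would pop it comes after the return — and since the function is void the caller cannot tell the cast was skipped. Pop (and free) the pushed value before returning, or move the allocation above the push so a failure can bail out before the stack is touched. What the caller does with the stack afterwards is outside the hunk; reil_cast_size's body continues past it.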
@@ -197,10 +198,19 @@ static int reil_eq(RAnalEsil *esil) {
 } else if (src_type == ARG_REG) {
 // No direct register to register transfer.
 ins = R_NEW0 (RAnalReilInst);
+ if (!ins) return false;
 ins->opcode = REIL_STR;
 ins->arg[0] = src;
 ins->arg[1] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[1]) {
+ reil_free_inst (ins);
+ return false;
+ }
 ins->arg[2] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[2]) {
+ reil_free_inst(ins);
+ return false;
+ }
 reil_make_arg(esil, ins->arg[1], " ");
 get_next_temp_reg(esil, tmp_buf);
 reil_make_arg(esil, ins->arg[2], tmp_buf);
@@ -213,12 +223,21 @@ static int reil_eq(RAnalEsil *esil) {
 // First, make a copy of the dst. We will need this to set the flags later on.
 ins = R_NEW0 (RAnalReilInst);
+ if (!ins) return false;
 dst_type = dst->type;
 if (src_type != ARG_ESIL_INTERNAL && dst_type == ARG_REG) {
 ins->opcode = REIL_STR;
 ins->arg[0] = dst;
 ins->arg[1] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[1]) {
+ reil_free_inst (ins);
+ return false;
+ }
 ins->arg[2] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[2]) {
+ reil_free_inst(ins);
+ return false;
+ }
 reil_make_arg(esil, ins->arg[1], " ");
 get_next_temp_reg(esil, tmp_buf);
 reil_make_arg(esil, ins->arg[2], tmp_buf);
@@ -286,7 +305,14 @@ static int reil_binop(RAnalEsil *esil, RAnalReilOpcode opcode) {
 ins->opcode = opcode;
 ins->arg[0] = op2;
 ins->arg[1] = op1;
+ if (!ins->arg[1]) return false;
 ins->arg[2] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[2]) {
+ R_FREE (op1);
+ R_FREE (op2);
+ reil_free_inst (ins);
+ return false;
+ }
 get_next_temp_reg(esil, tmp_buf);
 reil_make_arg(esil, ins->arg[2], tmp_buf);
 // Choose the larger of the two sizes as the size of dst
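Review bot: The three new error paths release different things: `if (!ins) return false;` drops `src` (stored into `ins->arg[0]` two lines later, so presumably heap-owned like the popped args in the other hunks), while the two later paths hand everything to `reil_free_inst (ins)`. Whether that helper frees `arg[0..2]` is not visible in the hunk, and the reil_binop/reil_cmp hunks of this same patch assume it does not (they `R_FREE` the args first); one of the two conventions must be wrong, so the helper's contract should be pinned down and the `!ins` path should release `src` explicitly, e.g. `if (!ins) { R_FREE (src); return false; }`. reil_eq begins before this hunk.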
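Review bot: The `if (!ins) return false;` added after the second `R_NEW0 (RAnalReilInst)` leaks `src`, which is still live in this function but is not attached to this `ins` anywhere in the hunk, so none of the three new paths can reach it through `reil_free_inst (ins)` either. Free `src` on each of the three new paths, or funnel them through one cleanup label at the end of reil_eq. Whether `dst`, which is attached via `ins->arg[0]`, may be freed on these paths at all depends on how it is used afterwards — the comment says the copy is needed for the flags later — which the hunk does not show.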
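Review bot: The `if (!ins->arg[1]) return false;` check comes after `op1` has already been stored and while `ins` (allocated above the hunk) and `op2` are live, so a NULL `op1` now exits with both of those leaked; test `op1` and `op2` right after they are popped, before the instruction is allocated. The `!ins->arg[2]` path has the opposite problem: it does `R_FREE (op1); R_FREE (op2);` and then `reil_free_inst (ins)` while `ins->arg[0]` and `ins->arg[1]` still hold those same pointers (assuming R_FREE frees and nulls its operand, it touches the locals, not the struct fields), so if reil_free_inst releases the args — its body is not in the hunk — this is a double free. Pick one owner: either let reil_free_inst clean up everything attached to `ins`, or detach the fields before freeing them. reil_binop begins before this hunk.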
@@ -351,10 +377,21 @@ static int reil_cmp(RAnalEsil *esil) {
 }
 ins = R_NEW0 (RAnalReilInst);
+ if (!ins) {
+ R_FREE (op1);
+ R_FREE (op2);
+ return false;
+ }
 ins->opcode = REIL_EQ;
 ins->arg[0] = op2;
 ins->arg[1] = op1;
 ins->arg[2] = R_NEW0(RAnalReilArg);
+ if (!ins->arg[2]) {
+ R_FREE (op1);
+ R_FREE (op2);
+ reil_free_inst (ins);
+ return false;
+ }
 get_next_temp_reg(esil, tmp_buf);
 reil_make_arg(esil, ins->arg[2], tmp_buf);
 ins->arg[2]->size = 1;
@@ -491,11 +528,22 @@ static int reil_neg(RAnalEsil *esil) {
 if (!op) return false;
 ins = R_NEW0 (RAnalReilInst);
+ if (!ins) return false;
 ins->opcode = REIL_EQ;
 ins->arg[0] = op;
 r_anal_esil_pushnum (esil, 0);
 ins->arg[1] = reil_pop_arg(esil);
+ if (!ins->arg[1]) {
+ R_FREE (op);
+ reil_free_inst (ins);
+ return false;
+ }
 ins->arg[2] = R_NEW0 (RAnalReilArg);
+ if (!ins->arg[2]) {
+ R_FREE (op);
+ reil_free_inst (ins);
+ return false;
+ }
 get_next_temp_reg(esil, tmp_buf);
 reil_make_arg(esil, ins->arg[2], tmp_buf);
 if (ins->arg[0]->size < ins->arg[1]->size)
diff --git a/libr/core/core.c b/libr/core/core.c
index d362809ff1..f0594c41ba 100644
--- a/libr/core/core.c
+++ b/libr/core/core.c
@@ -453,6 +453,7 @@ static ut64 num_callback(RNum *userptr, const char *str, int *ok) {
 R_API RCore *r_core_new() {
 RCore *c = R_NEW0 (RCore);
+ if (!c) return NULL;
 r_core_init (c);
 return c;
 }
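Review bot: The `!ins->arg[2]` path frees `op1` and `op2` with `R_FREE` and then calls `reil_free_inst (ins)` while `ins->arg[0] = op2` and `ins->arg[1] = op1` still hold the same pointers; if reil_free_inst releases its args (its body is outside the hunk) this double-frees, and if it does not, the reil_eq hunks of this patch, which rely on it for cleanup, leak. Either null the fields before the helper runs — `ins->arg[0] = ins->arg[1] = NULL;` ahead of `reil_free_inst (ins);` — or drop the explicit `R_FREE`s and let the helper own them, but the two conventions cannot both be right. The `!ins` path above it is correct as written, since nothing is attached to the instruction yet. reil_cmp begins before this hunk.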
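Review bot: The new `if (!ins) return false;` leaks `op`, which the line above has just verified non-NULL and which the two later error paths in this same hunk do release with `R_FREE (op)`; make the first path match: `if (!ins) { R_FREE (op); return false; }`. Those later paths also free `op` and then call `reil_free_inst (ins)` while `ins->arg[0]` still points at it, so if reil_free_inst releases the args (not visible here) they double-free — the same pattern as the reil_binop and reil_cmp hunks of this patch. reil_neg starts before this hunk.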
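Review bot: r_core_new now returns NULL on allocation failure, but the result of `r_core_init (c)` on the next line is still discarded; if r_core_init can fail (its return type is not visible here), a half-initialised core is handed back as success. If it reports status, release on failure — `if (!r_core_init (c)) { free (c); return NULL; }` — so callers that now test for NULL, such as the radiff2 hunk in this patch, actually see failures. The new guard itself is in the right place, before the first dereference.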