Date:      Wed, 17 Aug 2016 07:25:22 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r304267 - projects/fix-libarchive-tests-after-r304075/contrib/libarchive/libarchive/test
Message-ID:  <201608170725.u7H7PMZ6007666@repo.freebsd.org>

Author: ngie
Date: Wed Aug 17 07:25:21 2016
New Revision: 304267
URL: https://svnweb.freebsd.org/changeset/base/304267

Log:
  Fix leaks with test_fuzz(..)
  
  - Prevent a segfault from occurring if allocating rawimage failed.
  - tmp was leaked if realloc(3) failed; free it and NULL it out to avoid a
    use-after-free.
  - Don't leak rawimage if size == 0.
  - Remove useless assert for image right before checking that it was NULL to
    fix some deadcode in the MK_ASSERT_DEBUG != no case.
  
  CID:		1361651, 1361669, 1361679
  Reported by:	Coverity

Modified:
  projects/fix-libarchive-tests-after-r304075/contrib/libarchive/libarchive/test/test_fuzz.c

Modified: projects/fix-libarchive-tests-after-r304075/contrib/libarchive/libarchive/test/test_fuzz.c
==============================================================================
--- projects/fix-libarchive-tests-after-r304075/contrib/libarchive/libarchive/test/test_fuzz.c	Wed Aug 17 07:17:16 2016	(r304266)
+++ projects/fix-libarchive-tests-after-r304075/contrib/libarchive/libarchive/test/test_fuzz.c	Wed Aug 17 07:25:21 2016	(r304267)
@@ -63,7 +63,7 @@ test_fuzz(const struct files *filesets)
 		const size_t buffsize = 30000000;
 		struct archive_entry *ae;
 		struct archive *a;
-		char *rawimage = NULL, *image = NULL, *tmp = NULL;
+		char *rawimage = NULL, *image = NULL;
 		size_t size = 0, oldsize = 0;
 		int i, q;
 
@@ -89,6 +89,8 @@ test_fuzz(const struct files *filesets)
 			assertEqualIntA(a, ARCHIVE_OK,
 			    archive_read_next_header(a, &ae));
 			rawimage = malloc(buffsize);
+			if (rawimage == NULL)
+				return;
 			size = archive_read_data(a, rawimage, buffsize);
 			assertEqualIntA(a, ARCHIVE_EOF,
 			    archive_read_next_header(a, &ae));
@@ -109,11 +111,13 @@ test_fuzz(const struct files *filesets)
 		} else {
 			for (i = 0; filesets[n].names[i] != NULL; ++i)
 			{
-				tmp = slurpfile(&size, filesets[n].names[i]);
-				char *newraw = (char *)realloc(rawimage, oldsize + size);
+				char *tmp = slurpfile(&size, filesets[n].names[i]);
+				char *newraw = realloc(rawimage, oldsize + size);
 				if (!assert(newraw != NULL))
 				{
 					free(rawimage);
+					rawimage = NULL;
+					free(tmp);
 					continue;
 				}
 				rawimage = newraw;
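Review bot: After the realloc-failure branch frees rawimage and sets it to NULL, `continue` goes on to the next file while oldsize still counts the data that was just dropped; a later successful iteration would then realloc from NULL to `oldsize + size`, leave the first oldsize bytes uninitialized, and the post-loop `rawimage == NULL` check would not fire because rawimage is non-NULL again. The lines that copy into rawimage and advance oldsize fall between this hunk and the next, so this consequence is inferred rather than visible; if it holds, `break;` instead of `continue;` is the safer choice, since the post-loop check then takes the return path with the failure already recorded by assert. Separately, `tmp` from slurpfile is used without a NULL check, so a missing or unreadable input would presumably only surface downstream; `if (!assert(tmp != NULL)) { free(rawimage); rawimage = NULL; break; }` right after the slurpfile call would report it at the source.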
@@ -123,10 +127,13 @@ test_fuzz(const struct files *filesets)
 				free(tmp);
 			}
 		}
-		if (size == 0)
+		if (rawimage == NULL)
+			return;
+		if (size == 0) {
+			free(rawimage);
 			continue;
+		}
 		image = malloc(size);
-		assert(image != NULL);
 		if (image == NULL) {
 			free(rawimage);
 			return;
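Review bot: Both new early returns in this hunk, `if (rawimage == NULL) return;` and the `image == NULL` branch whose preceding assert was removed, end the whole test silently, so a failure here leaves no recorded test failure, only a shorter run. Using the value-returning form already present in this function, `if (!assert(image != NULL)) {`, keeps the NULL branch reachable while still reporting, and the rawimage check can take the same shape. Note also that in the else branch rawimage stays NULL when `filesets[n].names` has no entries, not only when realloc failed, so a hard `return` there may end the remaining filesets more eagerly than intended; the fileset tables are outside the hunk, so this is inferred.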
@@ -195,7 +202,7 @@ test_fuzz(const struct files *filesets)
 				archive_read_close(a);
 			}
 			archive_read_free(a);
-}
+		}
 		free(image);
 		free(rawimage);
 	}


