mirrors/FreeRDP
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

winpr/utils/lodepng: Fix USE_AFTER_FREE reported by Coverity

Browse Source 
Although the `lodepng_zlib_compress` function expects the `*out` parameter
to be `NULL`, it uses `uvector_init_buffer` internally, which takes the
`*out` value. This confuses covscan, which consequently reports the following
defects:

```
double_free: Calling "ucvector_cleanup" frees pointer "zlibdata.data" which has already been freed.
double_free: Calling "ucvector_cleanup" frees pointer "compressed.data" which has already been freed.
double_free: Calling "ucvector_cleanup" frees pointer "compressed_data.data" which has already been freed.
```

Let's use the `uvector_init` function instead as in other cases to make
covscan happy and to make the code more bulletproof. Consequently, also
remove the outdated comments.
This commit is contained in:
Ondrej Holy 2021-04-16 10:19:52 +02:00 committed by akallabeth
parent 18ceebb774
commit 637413daf4
1 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
winpr/libwinpr/utils/lodepng/lodepng.c
View File

@ -2429,8 +2429,6 @@ static unsigned zlib_decompress(unsigned char** out, size_t* outsize, const unsi
unsigned lodepng_zlib_compress(unsigned char** out, size_t* outsize, const unsigned char* in,
size_t insize, const LodePNGCompressSettings* settings)
{
/*initially, *out must be NULL and outsize 0, if you just give some random *out
that's pointing to a non allocated buffer, this'll crash*/
ucvector outv;
size_t i;
unsigned error;
@ -2448,8 +2446,7 @@ unsigned lodepng_zlib_compress(unsigned char** out, size_t* outsize, const unsig
unsigned FCHECK = 31 - CMFFLG % 31;
CMFFLG += FCHECK;
/*ucvector-controlled version of the output buffer, for dynamic array*/
ucvector_init_buffer(&outv, *out, *outsize);
ucvector_init(&outv);
if (!ucvector_push_back(&outv, (unsigned char)(CMFFLG / 256)))
return 83;