Browse code
Fixed leaks in petite
git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@790 77e5149b-7576-45b1-b177-96237e5ba77b
aCaB authored on 2004/08/25 17:16:21Showing 2 changed files
| ... | ... |
@@ -92,6 +92,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 92 | 92 |
uint32_t thisrva=0, bottom = 0, enc_ep=0, irva=0, workdone=0, grown=0x355, skew=0x35; |
| 93 | 93 |
int j = 0, oob, mangled = 0, check4resources=0; |
| 94 | 94 |
struct SECTION *usects = NULL; |
| 95 |
+ void *tmpsct = NULL; |
|
| 95 | 96 |
|
| 96 | 97 |
/* |
| 97 | 98 |
-] The real thing [- |
| ... | ... |
@@ -117,8 +118,11 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 117 | 117 |
uint32_t size, srva; |
| 118 | 118 |
int backbytes, oldback, backsize, addsize; |
| 119 | 119 |
|
| 120 |
- if ( packed < buf || packed >= buf+bufsz-4) |
|
| 120 |
+ if ( packed < buf || packed >= buf+bufsz-4) {
|
|
| 121 |
+ if (usects) |
|
| 122 |
+ free(usects); |
|
| 121 | 123 |
return -1; |
| 124 |
+ } |
|
| 122 | 125 |
srva = cli_readint32(packed); |
| 123 | 126 |
|
| 124 | 127 |
if (! srva) {
|
| ... | ... |
@@ -229,6 +233,7 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 229 | 229 |
} else |
| 230 | 230 |
cli_dbgmsg("Petite: Rebuilding failed\n");
|
| 231 | 231 |
|
| 232 |
+ free(usects); |
|
| 232 | 233 |
return workdone; |
| 233 | 234 |
} |
| 234 | 235 |
|
| ... | ... |
@@ -243,15 +248,21 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 243 | 243 |
- 1 time for the all_the_rest section |
| 244 | 244 |
*/ |
| 245 | 245 |
|
| 246 |
- if ( packed < buf || packed >= buf+bufsz-12) |
|
| 246 |
+ if ( packed < buf || packed >= buf+bufsz-12) {
|
|
| 247 |
+ if (usects) |
|
| 248 |
+ free(usects); |
|
| 247 | 249 |
return -1; |
| 250 |
+ } |
|
| 248 | 251 |
/* Save the end of current packed section for later use */ |
| 249 | 252 |
bottom = cli_readint32(packed+8) + 4; |
| 250 | 253 |
ssrc = adjbuf + cli_readint32(packed+4) - (size-1)*4; |
| 251 | 254 |
ddst = adjbuf + cli_readint32(packed+8) - (size-1)*4; |
| 252 | 255 |
|
| 253 |
- if ( ssrc < buf || ssrc + size*4 >= buf + bufsz || ddst < buf || ddst + size*4 >= buf + bufsz ) |
|
| 256 |
+ if ( ssrc < buf || ssrc + size*4 >= buf + bufsz || ddst < buf || ddst + size*4 >= buf + bufsz ) {
|
|
| 257 |
+ if (usects) |
|
| 258 |
+ free(usects); |
|
| 254 | 259 |
return -1; |
| 260 |
+ } |
|
| 255 | 261 |
|
| 256 | 262 |
/* Copy packed data to the end of the current packed section */ |
| 257 | 263 |
memmove(ddst, ssrc, size*4); |
| ... | ... |
@@ -263,17 +274,24 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 263 | 263 |
|
| 264 | 264 |
/* Unpak each original section in turn */ |
| 265 | 265 |
|
| 266 |
- if ( packed < buf || packed >= buf+bufsz-16) |
|
| 266 |
+ if ( packed < buf || packed >= buf+bufsz-16) {
|
|
| 267 |
+ if (usects) |
|
| 268 |
+ free(usects); |
|
| 267 | 269 |
return -1; |
| 270 |
+ } |
|
| 268 | 271 |
|
| 269 | 272 |
size = cli_readint32(packed+4); /* How many bytes to unpack */ |
| 270 | 273 |
packed += 0x10; |
| 271 | 274 |
thisrva=cli_readint32(packed-8); /* RVA of the original section */ |
| 272 | 275 |
|
| 273 | 276 |
/* Alloc 1 more struct */ |
| 274 |
- if ( ! (usects = (struct SECTION *) realloc(usects, sizeof(struct SECTION) * (j+1))) ) |
|
| 277 |
+ if ( ! (tmpsct = realloc(usects, sizeof(struct SECTION) * (j+1))) ) {
|
|
| 278 |
+ if (usects) |
|
| 279 |
+ free(usects); |
|
| 275 | 280 |
return -1; |
| 281 |
+ } |
|
| 276 | 282 |
|
| 283 |
+ usects = (struct SECTION *) tmpsct; |
|
| 277 | 284 |
/* Save section spex for later rebuilding */ |
| 278 | 285 |
usects[j].rva = thisrva; |
| 279 | 286 |
usects[j].rsz = size; |
| ... | ... |
@@ -331,8 +349,10 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 331 | 331 |
* func to get called instead... ehehe very smart ;) |
| 332 | 332 |
*/ |
| 333 | 333 |
|
| 334 |
- if ( ddst < buf || ddst >= buf+bufsz-1 || ssrc < buf || ssrc >= buf+bufsz-1 ) |
|
| 334 |
+ if ( ddst < buf || ddst >= buf+bufsz-1 || ssrc < buf || ssrc >= buf+bufsz-1 ) {
|
|
| 335 |
+ free(usects); |
|
| 335 | 336 |
return -1; |
| 337 |
+ } |
|
| 336 | 338 |
|
| 337 | 339 |
size--; |
| 338 | 340 |
*ddst++=*ssrc++; /* eheh u C gurus gotta luv these monsters :P */ |
| ... | ... |
@@ -342,22 +362,30 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 342 | 342 |
/* No surprises here... NRV any1??? ;) */ |
| 343 | 343 |
while (size > 0) {
|
| 344 | 344 |
oob = doubledl(&ssrc, &mydl, buf, bufsz); |
| 345 |
- if ( oob == -1 ) |
|
| 345 |
+ if ( oob == -1 ) {
|
|
| 346 |
+ free(usects); |
|
| 346 | 347 |
return -1; |
| 348 |
+ } |
|
| 347 | 349 |
if (!oob) {
|
| 348 |
- if ( ddst < buf || ddst >= buf+bufsz-1 || ssrc < buf || ssrc >= buf+bufsz-1 ) |
|
| 350 |
+ if ( ddst < buf || ddst >= buf+bufsz-1 || ssrc < buf || ssrc >= buf+bufsz-1 ) {
|
|
| 351 |
+ free(usects); |
|
| 349 | 352 |
return -1; |
| 353 |
+ } |
|
| 350 | 354 |
*ddst++ = (char)((*ssrc++)^(size & 0xff)); |
| 351 | 355 |
size--; |
| 352 | 356 |
} else {
|
| 353 | 357 |
addsize = 0; |
| 354 | 358 |
backbytes++; |
| 355 | 359 |
while (1) {
|
| 356 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 360 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 361 |
+ free(usects); |
|
| 357 | 362 |
return -1; |
| 363 |
+ } |
|
| 358 | 364 |
backbytes = backbytes*2 + oob; |
| 359 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 365 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 366 |
+ free(usects); |
|
| 360 | 367 |
return -1; |
| 368 |
+ } |
|
| 361 | 369 |
if (!oob) |
| 362 | 370 |
break; |
| 363 | 371 |
} |
| ... | ... |
@@ -365,8 +393,10 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 365 | 365 |
if ( backbytes >= 0 ) {
|
| 366 | 366 |
backsize = goback; |
| 367 | 367 |
do {
|
| 368 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 369 |
- return -1; |
|
| 368 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 369 |
+ free(usects); |
|
| 370 |
+ return -1; |
|
| 371 |
+ } |
|
| 370 | 372 |
backbytes = backbytes*2 + oob; |
| 371 | 373 |
backsize--; |
| 372 | 374 |
} while (backsize); |
| ... | ... |
@@ -378,20 +408,28 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 378 | 378 |
backbytes = oldback; |
| 379 | 379 |
} |
| 380 | 380 |
|
| 381 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 381 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 382 |
+ free(usects); |
|
| 382 | 383 |
return -1; |
| 384 |
+ } |
|
| 383 | 385 |
backsize = backsize*2 + oob; |
| 384 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 385 |
- return -1; |
|
| 386 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 387 |
+ free(usects); |
|
| 388 |
+ return -1; |
|
| 389 |
+ } |
|
| 386 | 390 |
backsize = backsize*2 + oob; |
| 387 | 391 |
if (!backsize) {
|
| 388 | 392 |
backsize++; |
| 389 | 393 |
while (1) {
|
| 390 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 391 |
- return -1; |
|
| 394 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 395 |
+ free(usects); |
|
| 396 |
+ return -1; |
|
| 397 |
+ } |
|
| 392 | 398 |
backsize = backsize*2 + oob; |
| 393 |
- if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) |
|
| 399 |
+ if ( (oob = doubledl(&ssrc, &mydl, buf, bufsz)) == -1 ) {
|
|
| 400 |
+ free(usects); |
|
| 394 | 401 |
return -1; |
| 402 |
+ } |
|
| 395 | 403 |
if (!oob) |
| 396 | 404 |
break; |
| 397 | 405 |
} |
| ... | ... |
@@ -399,8 +437,10 @@ int petite_inflate2x_1to9(char *buf, uint32_t minrva, int bufsz, struct pe_image |
| 399 | 399 |
} |
| 400 | 400 |
backsize+=addsize; |
| 401 | 401 |
size-=backsize; |
| 402 |
- if ( ddst<buf || ddst+backsize>=buf+bufsz || ddst+backbytes<buf || ddst+backbytes+backsize>=buf+bufsz ) |
|
| 402 |
+ if ( ddst<buf || ddst+backsize>=buf+bufsz || ddst+backbytes<buf || ddst+backbytes+backsize>=buf+bufsz ) {
|
|
| 403 |
+ free(usects); |
|
| 403 | 404 |
return -1; |
| 405 |
+ } |
|
| 404 | 406 |
while(backsize--) {
|
| 405 | 407 |
*ddst=*(ddst+backbytes); |
| 406 | 408 |
ddst++; |