More Coverity bug fixes

Looking through the list of issues, I spotted some easy ones and submitted some fixes: - 225229 - In cli_rarload: Leak of memory or pointers to system resources. If finding the necessary libunrar functions fails (should be rare),we now dlclose libunrar. 225224 - In main (freshclam.c): A copied piece of code is inconsistent with the original (CWE-398). A minor copy-paste error was present, and optOutList could be cleaned up in one of the failure edge cases. 225228 - In decodecdb: Out-of-bounds access to a buffer (CWE-119). Off by one error when tokenizing certain CDB sig fields for printing with sigtool. Ex: $ cat test.cdb a:CL_TYPE_7Z:1-2-3:/.*/:1-2-3:1-2-3:0:1-2-3:: $ cat test.cdb | ../installed/bin/sigtool --decode VIRUS NAME: a CONTAINER TYPE: CL_TYPE_7Z CONTAINER SIZE: WITHIN RANGE 1 to 2 FILENAME REGEX: /.*/ COMPRESSED FILESIZE: WITHIN RANGE 1 to 2 UNCOMPRESSED FILESIZE: WITHIN RANGE 1 to 2 ENCRYPTION: NO FILE POSITION: ================================================================= ==17245==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffe3136d10 at pc 0x7f0f31c3f414 bp 0x7fffe3136c70 sp 0x7fffe3136c60 WRITE of size 8 at 0x7fffe3136d10 thread T0 #0 0x7f0f31c3f413 in cli_strtokenize ../../libclamav/str.c:524 #1 0x559e9797dc91 in decodecdb ../../sigtool/sigtool.c:2929 #2 0x559e9797ea66 in decodesig ../../sigtool/sigtool.c:3058 #3 0x559e9797f31e in decodesigs ../../sigtool/sigtool.c:3162 #4 0x559e97981fbc in main ../../sigtool/sigtool.c:3638 #5 0x7f0f3100fb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #6 0x559e9795a1d9 in _start (/home/zelda/workspace/clamav-devel/installed/bin/sigtool+0x381d9) Address 0x7fffe3136d10 is located in stack of thread T0 at offset 48 in frame #0 0x559e9797d113 in decodecdb ../../sigtool/sigtool.c:2840 This frame has 1 object(s): [32, 48) 'range' <== Memory access at offset 48 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow ../../libclamav/str.c:524 in cli_strtokenize - 225223 - In cli_egg_deflate_decompress: Reads an uninitialized pointer or its target (CWE-457). Certain fail cases would call inflateEnd on an uninitialized stream. Now it’s only called after initialization occurs. - 225220 - In buildcld: Use of an uninitialized variable (CWE-457). Certain fail cases would result in oldDir being used before initialization. It now gets zeroed before the first fail case. - 225219 - In cli_egg_open: Leak of memory or pointers to system resources (CWE-404). If certain realloc’s failed, several structures would not be cleaned up - 225218 - In cli_scanhwpml: Code block is unreachable because of the syntactic structure of the code (CWE-561). With certain macros set, there could be two consecutive return statements.
6 years ago · 1d66184a7d
parent 035265b96f
commit 1d66184a7d
6 changed files with 19 additions and 8 deletions
--- a/freshclam/freshclam.c
+++ b/freshclam/freshclam.c
@ -1748,8 +1748,10 @@ int main(int argc, char **argv)
        }
        if (!optget(opts, "Bytecode")->enabled) {
            if (FC_SUCCESS != (ret = string_list_add("bytecode", &optOutList, &nOptOuts))) {
-                free_string_list(optOutList, nOptOuts);
+                free_string_list(optInList, nOptIns);
                optInList = NULL;
+                free_string_list(optOutList, nOptOuts);
+                optOutList = NULL;

                mprintf("!Failed to add bytecode to list of opt-out databases.\n");
                status = ret;
--- a/libclamav/egg.c
+++ b/libclamav/egg.c
@ -1232,6 +1232,7 @@ static cl_error_t egg_parse_file_extra_field(egg_handle* handle, egg_file* eggFi
                        (void*)eggFile->comments,
                        sizeof(char**) * (eggFile->nComments + 1));
                    if (NULL == comments_tmp) {
+                        free(comment);
                        status = CL_EMEM;
                        goto done;
                    }
@ -1681,6 +1682,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
                    (void*)handle->files,
                    sizeof(egg_file*) * (handle->nFiles + 1));
                if (NULL == files_tmp) {
+                    egg_free_egg_file(found_file);
                    status = CL_EMEM;
                    goto done;
                }
@ -1709,6 +1711,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
                        (void*)handle->blocks,
                        sizeof(egg_block*) * (handle->nBlocks + 1));
                    if (NULL == blocks_tmp) {
+                        egg_free_egg_block(found_block);
                        status = CL_EMEM;
                        goto done;
                    }
@ -1733,6 +1736,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
                            (void*)eggFile->blocks,
                            sizeof(egg_block*) * (eggFile->nBlocks + 1));
                        if (NULL == blocks_tmp) {
+                            egg_free_egg_block(found_block);
                            status = CL_EMEM;
                            goto done;
                        }
@ -1806,6 +1810,7 @@ cl_error_t cli_egg_open(fmap_t* map, size_t sfx_offset, void** hArchive, char***
                (void*)handle->comments,
                sizeof(char**) * (handle->nComments + 1));
            if (NULL == comments_tmp) {
+                free(comment);
                status = CL_EMEM;
                goto done;
            }
@ -1942,6 +1947,7 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,
    uint32_t declen = 0, capacity = 0;

    z_stream stream;
+    int stream_initialized = 0;
    int zstat;

    if (NULL == compressed || compressed_size == 0 || NULL == decompressed || NULL == decompressed_size) {
@ -1973,6 +1979,7 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,
        status = CL_EMEM;
        goto done;
    }
+    stream_initialized = 1;

    /* initial inflate */
    zstat = inflate(&stream, Z_NO_FLUSH);
@ -2045,7 +2052,9 @@ cl_error_t cli_egg_deflate_decompress(char* compressed, size_t compressed_size,

 done:

-    (void)inflateEnd(&stream);
+    if (stream_initialized) {
+        (void)inflateEnd(&stream);
+    }

    if (CL_SUCCESS != status) {
        free(decoded);
--- a/libclamav/hwp.c
+++ b/libclamav/hwp.c
@ -2143,7 +2143,6 @@ cl_error_t cli_scanhwpml(cli_ctx *ctx)

    xmlTextReaderClose(reader);
    xmlFreeTextReader(reader);
-    return ret;
 #else
    UNUSEDPARAM(ctx);
    cli_dbgmsg("in cli_scanhwpml()\n");
--- a/libclamav/others.c
+++ b/libclamav/others.c
@ -186,6 +186,7 @@ static void cli_rarload(void)
        !(cli_unrar_close = (void (*)(void *))lt_dlsym(rhandle, "libclamunrar_iface_LTX_unrar_close"))) {
        /* ideally we should never land here, we'd better warn so */
        cli_warnmsg("Cannot resolve: %s (version mismatch?) - unrar support unavailable\n", lt_dlerror());
+        lt_dlclose(rhandle);
        return;
    }
    have_rar = 1;
--- a/libfreshclam/libfreshclam_internal.c
+++ b/libfreshclam/libfreshclam_internal.c
@ -1378,7 +1378,7 @@ static fc_error_t buildcld(
 {
    fc_error_t status = FC_EARG;

-    char olddir[PATH_MAX];
+    char olddir[PATH_MAX] = {0};
    char info[DB_FILENAME_MAX];
    char buff[CVD_HEADER_SIZE + 1];
    char *pt;
--- a/sigtool/sigtool.c
+++ b/sigtool/sigtool.c
@ -2852,7 +2852,7 @@ static int decodecdb(char **tokens)
            mprintf("ANY\n");

        } else if (strchr(tokens[2], '-')) {
-            sz = cli_strtokenize(tokens[2], '-', 2 + 1, (const char **)range);
+            sz = cli_strtokenize(tokens[2], '-', 2, (const char **)range);
            if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
                mprintf("!decodesig: Invalid container size range\n");
                return -1;
@ -2873,7 +2873,7 @@ static int decodecdb(char **tokens)
            mprintf("ANY\n");

        } else if (strchr(tokens[4], '-')) {
-            sz = cli_strtokenize(tokens[4], '-', 2 + 1, (const char **)range);
+            sz = cli_strtokenize(tokens[4], '-', 2, (const char **)range);
            if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
                mprintf("!decodesig: Invalid container size range\n");
                return -1;
@ -2893,7 +2893,7 @@ static int decodecdb(char **tokens)
            mprintf("ANY\n");

        } else if (strchr(tokens[5], '-')) {
-            sz = cli_strtokenize(tokens[5], '-', 2 + 1, (const char **)range);
+            sz = cli_strtokenize(tokens[5], '-', 2, (const char **)range);
            if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
                mprintf("!decodesig: Invalid container size range\n");
                return -1;
@ -2926,7 +2926,7 @@ static int decodecdb(char **tokens)
            mprintf("ANY\n");

        } else if (strchr(tokens[7], '-')) {
-            sz = cli_strtokenize(tokens[7], '-', 2 + 1, (const char **)range);
+            sz = cli_strtokenize(tokens[7], '-', 2, (const char **)range);
            if (sz != 2 || !cli_isnumber(range[0]) || !cli_isnumber(range[1])) {
                mprintf("!decodesig: Invalid container size range\n");
                return -1;