diff options
| author | Julien | 2011-06-04 03:43:16 +0800 |
|---|---|---|
| committer | Julien | 2011-06-23 15:11:36 +0800 |
| commit | 2f200ac49322ff8ccd13c5e8b7a22abbf6ff2610 (patch) | |
| tree | d22f6efae6ac234cbe0b73783aa8a8962a84a3b6 | |
| parent | a8b13e8a6be900995c85f08fd527750e2620c215 (diff) | |
| download | scummvm-rg350-2f200ac49322ff8ccd13c5e8b7a22abbf6ff2610.tar.gz scummvm-rg350-2f200ac49322ff8ccd13c5e8b7a22abbf6ff2610.tar.bz2 scummvm-rg350-2f200ac49322ff8ccd13c5e8b7a22abbf6ff2610.zip | |
ANALYSIS: Fix potential memory leak when using realloc
When reallocation is unsuccessful, the passed buffer is not freed. In this case, assigning the result (NULL) will result in a leak of the original memory buffer.
See http://msdn.microsoft.com/en-us/library/kkedhy7c.aspx
| -rw-r--r-- | audio/decoders/voc.cpp | 6 | ||||
| -rw-r--r-- | engines/lure/memory.cpp | 8 | ||||
| -rw-r--r-- | engines/sword25/gfx/image/art.cpp | 42 | ||||
| -rw-r--r-- | engines/sword25/gfx/image/art.h | 4 | ||||
| -rw-r--r-- | engines/touche/resource.cpp | 22 |
5 files changed, 60 insertions, 22 deletions
diff --git a/audio/decoders/voc.cpp b/audio/decoders/voc.cpp index 74ea4440a1..be53f945ac 100644 --- a/audio/decoders/voc.cpp +++ b/audio/decoders/voc.cpp @@ -118,7 +118,11 @@ static byte *loadVOCFromStream(Common::ReadStream &stream, int &size, int &rate, debug(9, "VOC Data Block: %d, %d, %d", rate, packing, len); if (packing == 0) { if (size) { - ret_sound = (byte *)realloc(ret_sound, size + len); + byte *tmp = (byte *)realloc(ret_sound, size + len); + if (!tmp) + error("Cannot reallocate memory for VOC Data Block"); + + ret_sound = tmp; } else { ret_sound = (byte *)malloc(len); } diff --git a/engines/lure/memory.cpp b/engines/lure/memory.cpp index c5c28fa8bc..137a8f6bee 100644 --- a/engines/lure/memory.cpp +++ b/engines/lure/memory.cpp @@ -93,8 +93,12 @@ void MemoryBlock::copyFrom(const byte *src, uint32 srcPos, uint32 destPos, uint3 void MemoryBlock::reallocate(uint32 size1) { _size = size1; - _data = (byte *) realloc(_data, size1); - if (!_data) error ("Failed reallocating memory block"); + + byte *tmp = (byte *) realloc(_data, size1); + if (!tmp) + error ("[MemoryBlock::reallocate] Failed reallocating memory block"); + + _data = tmp; } } // End of namespace Lure diff --git a/engines/sword25/gfx/image/art.cpp b/engines/sword25/gfx/image/art.cpp index 2df8bd4f3e..07a2be5694 100644 --- a/engines/sword25/gfx/image/art.cpp +++ b/engines/sword25/gfx/image/art.cpp @@ -167,9 +167,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) { if (points != NULL && n_points >= 2) { if (n_segs == n_segs_max) { n_segs_max <<= 1; - svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + - (n_segs_max - 1) * - sizeof(ArtSVPSeg)); + ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + + (n_segs_max - 1) * + sizeof(ArtSVPSeg)); + + if (!tmp) + error("Cannot reallocate memory in art_svp_from_vpath()"); + + svp = tmp; } svp->segs[n_segs].n_points = n_points; svp->segs[n_segs].dir = (dir > 0); @@ -204,9 +209,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) { y = points[n_points - 1].y; if (n_segs == n_segs_max) { n_segs_max <<= 1; - svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + - (n_segs_max - 1) * - sizeof(ArtSVPSeg)); + ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + + (n_segs_max - 1) * + sizeof(ArtSVPSeg)); + + if (!tmp) + error("Cannot reallocate memory in art_svp_from_vpath()"); + + svp = tmp; } svp->segs[n_segs].n_points = n_points; svp->segs[n_segs].dir = (dir > 0); @@ -246,9 +256,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) { if (n_points >= 2) { if (n_segs == n_segs_max) { n_segs_max <<= 1; - svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + - (n_segs_max - 1) * - sizeof(ArtSVPSeg)); + ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) + + (n_segs_max - 1) * + sizeof(ArtSVPSeg)); + + if (!tmp) + error("Cannot reallocate memory in art_svp_from_vpath()"); + + svp = tmp; } svp->segs[n_segs].n_points = n_points; svp->segs[n_segs].dir = (dir > 0); @@ -1157,8 +1172,13 @@ static int art_svp_writer_rewind_add_segment(ArtSvpWriter *self, int wind_left, (swr->n_segs_max - 1) * sizeof(ArtSVPSeg)); swr->svp = svp; - swr->n_points_max = art_renew(swr->n_points_max, int, - swr->n_segs_max); + int *tmp = art_renew(swr->n_points_max, int, + swr->n_segs_max); + + if (!tmp) + error("Cannot reallocate memory in art_svp_writer_rewind_add_segment()"); + + swr->n_points_max = tmp; } seg = &svp->segs[seg_num]; seg->n_points = 1; diff --git a/engines/sword25/gfx/image/art.h b/engines/sword25/gfx/image/art.h index bfeb31cc30..942e26644f 100644 --- a/engines/sword25/gfx/image/art.h +++ b/engines/sword25/gfx/image/art.h @@ -51,7 +51,9 @@ namespace Sword25 { #define art_expand(p, type, max) \ do { \ if(max) {\ - p = art_renew(p, type, max <<= 1); \ + type *tmp = art_renew(p, type, max <<= 1); \ + if (!tmp) error("Cannot reallocate memory for art data"); \ + p = tmp; \ } else { \ max = 1; \ p = art_new(type, 1); \ diff --git a/engines/touche/resource.cpp b/engines/touche/resource.cpp index 8f4752e912..6df6fc0e5f 100644 --- a/engines/touche/resource.cpp +++ b/engines/touche/resource.cpp @@ -468,14 +468,22 @@ void ToucheEngine::res_loadSprite(int num, int index) { if (size > spr->size) { debug(8, "Reallocating memory for sprite %d (index %d), %d bytes needed", num, index, size - spr->size); spr->size = size; - if (spr->ptr) { - spr->ptr = (uint8 *)realloc(spr->ptr, size); - } else { - spr->ptr = (uint8 *)malloc(size); - } - if (!spr->ptr) { - error("Unable to reallocate memory for sprite %d (%d bytes)", num, size); + + uint8 *buffer = NULL; + if (spr->ptr) + buffer = (uint8 *)realloc(spr->ptr, size); + + if (!buffer) { + // Free previously allocated sprite (when realloc failed) + free(spr->ptr); + + buffer = (uint8 *)malloc(size); } + + if (!buffer) + error("[ToucheEngine::res_loadSprite] Unable to reallocate memory for sprite %d (%d bytes)", num, size); + + spr->ptr = buffer; } for (int i = 0; i < _currentImageHeight; ++i) { res_decodeScanLineImageRLE(spr->ptr + _currentImageWidth * i, _currentImageWidth); |