From 2f200ac49322ff8ccd13c5e8b7a22abbf6ff2610 Mon Sep 17 00:00:00 2001
From: Julien
Date: Sat, 4 Jun 2011 03:43:16 +0800
Subject: ANALYSIS: Fix potential memory leak when using realloc
When reallocation is unsuccessful, the passed buffer is not freed. In this case, assigning the result (NULL) will result in a leak of the original memory buffer. See http://msdn.microsoft.com/en-us/library/kkedhy7c.aspx
---
 engines/sword25/gfx/image/art.cpp | 42 +++++++++++++++++++++++++++++----------
 engines/sword25/gfx/image/art.h | 4 +++-
 2 files changed, 34 insertions(+), 12 deletions(-)
(limited to 'engines/sword25/gfx')
diff --git a/engines/sword25/gfx/image/art.cpp b/engines/sword25/gfx/image/art.cpp
index 2df8bd4f3e..07a2be5694 100644
--- a/engines/sword25/gfx/image/art.cpp
+++ b/engines/sword25/gfx/image/art.cpp
@@ -167,9 +167,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) {
 if (points != NULL && n_points >= 2) {
 if (n_segs == n_segs_max) {
 n_segs_max <<= 1;
- svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
- (n_segs_max - 1) *
- sizeof(ArtSVPSeg));
+ ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
+ (n_segs_max - 1) *
+ sizeof(ArtSVPSeg));
+
+ if (!tmp)
+ error("Cannot reallocate memory in art_svp_from_vpath()");
+
+ svp = tmp;
 }
 svp->segs[n_segs].n_points = n_points;
 svp->segs[n_segs].dir = (dir > 0);
@@ -204,9 +209,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) {
 y = points[n_points - 1].y;
 if (n_segs == n_segs_max) {
 n_segs_max <<= 1;
- svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
- (n_segs_max - 1) *
- sizeof(ArtSVPSeg));
+ ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
+ (n_segs_max - 1) *
+ sizeof(ArtSVPSeg));
+
+ if (!tmp)
+ error("Cannot reallocate memory in art_svp_from_vpath()");
+
+ svp = tmp;
 }
 svp->segs[n_segs].n_points = n_points;
 svp->segs[n_segs].dir = (dir > 0);
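Review bot: The capacity doubling `n_segs_max <<= 1;` and the byte count passed to realloc() are still not checked for overflow in the first art_svp_from_vpath hunk, and the same applies to the other two hunks in this function. The declaration of n_segs_max is outside the hunks; if it is a signed int, as the arithmetic suggests, a sufficiently large path could overflow the shift or wrap the size expression, and realloc() could then succeed with a buffer smaller than the `svp->segs[n_segs]` writes that follow assume. A guard before the shift, for example `if (n_segs_max > INT_MAX / 2) error("Segment count overflow in art_svp_from_vpath()");`, would turn that into a clean abort; on targets with a 32-bit size_t the bound would also need to account for sizeof(ArtSVPSeg). Since the three grow-and-check blocks are identical, a single static helper would keep the check in one place. The function body starts and ends outside the hunks.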
@@ -246,9 +256,14 @@ ArtSVP *art_svp_from_vpath(ArtVpath *vpath) {
 if (n_points >= 2) {
 if (n_segs == n_segs_max) {
 n_segs_max <<= 1;
- svp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
- (n_segs_max - 1) *
- sizeof(ArtSVPSeg));
+ ArtSVP *tmp = (ArtSVP *)realloc(svp, sizeof(ArtSVP) +
+ (n_segs_max - 1) *
+ sizeof(ArtSVPSeg));
+
+ if (!tmp)
+ error("Cannot reallocate memory in art_svp_from_vpath()");
+
+ svp = tmp;
 }
 svp->segs[n_segs].n_points = n_points;
 svp->segs[n_segs].dir = (dir > 0);
@@ -1157,8 +1172,13 @@ static int art_svp_writer_rewind_add_segment(ArtSvpWriter *self, int wind_left,
 (swr->n_segs_max - 1) *
 sizeof(ArtSVPSeg));
 swr->svp = svp;
- swr->n_points_max = art_renew(swr->n_points_max, int,
- swr->n_segs_max);
+ int *tmp = art_renew(swr->n_points_max, int,
+ swr->n_segs_max);
+
+ if (!tmp)
+ error("Cannot reallocate memory in art_svp_writer_rewind_add_segment()");
+
+ swr->n_points_max = tmp;
 }
 seg = &svp->segs[seg_num];
 seg->n_points = 1;
diff --git a/engines/sword25/gfx/image/art.h b/engines/sword25/gfx/image/art.h
index bfeb31cc30..942e26644f 100644
--- a/engines/sword25/gfx/image/art.h
+++ b/engines/sword25/gfx/image/art.h
@@ -51,7 +51,9 @@ namespace Sword25 {
 #define art_expand(p, type, max) \
 do { \
 if(max) {\
- p = art_renew(p, type, max <<= 1); \
+ type *tmp = art_renew(p, type, max <<= 1); \
+ if (!tmp) error("Cannot reallocate memory for art data"); \
+ p = tmp; \
 } else { \
 max = 1; \
 p = art_new(type, 1); \
-- 
cgit v1.2.3
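Review bot: The reallocation of `svp` directly above the changed lines in art_svp_writer_rewind_add_segment appears to be left unchecked: only its tail, `(swr->n_segs_max - 1) * sizeof(ArtSVPSeg)); swr->svp = svp;`, is visible as context, and the result is stored straight into `swr->svp`. The start of that statement is outside the hunk, so this needs confirming, but if it is a plain `svp = (ArtSVP *)realloc(svp, …)`, a failure there still loses the old buffer and is then dereferenced at `seg = &svp->segs[seg_num];`. It would need the same treatment as the art_renew call, i.e. assign to a temporary, `if (!tmp) error("Cannot reallocate memory in art_svp_writer_rewind_add_segment()");`, then `svp = tmp;`.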
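Review bot: The temporary added to art_expand is named `tmp`, which is a common local name and the one this commit itself introduces in art.cpp. If a caller ever passes an expression containing `tmp` as `p` or `max`, the macro's declaration shadows it and `type *tmp = art_renew(p, …)` would initialise the new variable from itself. A name unlikely to collide avoids that, e.g. `type *art_expand_tmp_ = art_renew(p, type, max <<= 1); \`, with the two following lines adjusted to match. Separately, `max` is doubled inside the art_renew argument with no overflow check, so a comment such as `/* max is doubled before the allocation; callers must keep it below half the type's range */` would document the assumption. The macro's closing lines are outside the hunk.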