From 1eb743ba8b63daf773ed4628504a3bb95ee2c156 Mon Sep 17 00:00:00 2001 From: Colin Cross Date: Mon, 1 Feb 2016 11:15:30 -0800 Subject: Fix static analyzer issues caught by clang system/core/libsparse/sparse_read.c:260:51: warning: Dereference of null pointer (loaded from variable 'crc_ptr') ret = process_crc32_chunk(fd, chunk_data_size, *crc_ptr); system/core/libsparse/sparse_read.c:404:9: warning: Potential leak of memory pointed to by 'buf' return 0; Fixes leak in sparse_file_read_normal, and null pointer dereference crash if an image with an obsolete CRC chunk was read with CRC checking disabled. Bug: 26904425 Change-Id: Ibc72cd37602929ae2c248bea1cdd1d22ea03baaf
---
libsparse/sparse_read.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'libsparse')
diff --git a/libsparse/sparse_read.c b/libsparse/sparse_read.c
index ec63850d8..dbb4daba6 100644
--- a/libsparse/sparse_read.c
+++ b/libsparse/sparse_read.c
@@ -199,7 +199,7 @@ static int process_skip_chunk(struct sparse_file *s, unsigned int chunk_size,
 return 0;
 }
-static int process_crc32_chunk(int fd, unsigned int chunk_size, uint32_t crc32)
+static int process_crc32_chunk(int fd, unsigned int chunk_size, uint32_t *crc32)
 {
 uint32_t file_crc32;
 int ret;
@@ -213,7 +213,7 @@ static int process_crc32_chunk(int fd, unsigned int chunk_size, uint32_t crc32)
 return ret;
 }
- if (file_crc32 != crc32) {
+ if (crc32 != NULL && file_crc32 != *crc32) {
 return -EINVAL;
 }
@@ -257,7 +257,7 @@ static int process_chunk(struct sparse_file *s, int fd, off64_t offset,
 }
 return chunk_header->chunk_sz;
 case CHUNK_TYPE_CRC32:
- ret = process_crc32_chunk(fd, chunk_data_size, *crc_ptr);
+ ret = process_crc32_chunk(fd, chunk_data_size, crc_ptr);
 if (ret < 0) {
 verbose_error(s->verbose, -EINVAL, "crc block at %" PRId64, offset);
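Review bot: The new pointer parameter of `process_crc32_chunk` carries an undocumented contract: in the hunk at -213 a NULL `crc32` skips the comparison entirely, so any caller that passes NULL turns CRC verification off without a trace. A comment above the signature would make that explicit, for example `/* crc32 may be NULL when CRC checking is disabled; the chunk's CRC is then read but not compared */`. The visible lines only read through the pointer, so the parameter could also be declared `const uint32_t *crc32`; the body between the two hunks is not shown, so confirm nothing writes through it.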
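Review bot: The error report after the call in `process_chunk` passes a fixed `-EINVAL` to `verbose_error` whatever `ret` holds, while `process_crc32_chunk` has a separate `return ret;` path (hunk at -213) that presumably covers a failed read. A truncated or unreadable CRC chunk would then be logged the same way as a CRC mismatch, which makes a rejected image harder to triage. Passing the real code, `verbose_error(s->verbose, ret, "crc block at %" PRId64, offset);`, keeps the two cases apart. The rest of this `case` lies outside the hunk.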
@@ -374,6 +374,7 @@ static int sparse_file_read_normal(struct sparse_file *s, int fd)
 ret = read_all(fd, buf, to_read);
 if (ret < 0) {
 error("failed to read sparse file");
+ free(buf);
 return ret;
 }
@@ -401,6 +402,7 @@ static int sparse_file_read_normal(struct sparse_file *s, int fd)
 block++;
 }
+ free(buf);
 return 0;
 }
-- cgit v1.2.3-54-g00ecf
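Review bot: `free(buf)` is now written twice in `sparse_file_read_normal`, once on the read-error path (hunk at -374) and once before the final `return 0;` (hunk at -401), so any other return between the two hunks, which is not shown here, would still leak the buffer. A single exit keeps the cleanup in one place: use `goto out;` on the error path, and end the function with `ret = 0;` followed by `out: free(buf); return ret;`. The function starts before the first hunk, so the allocation of `buf` and its NULL check are outside the reviewed lines.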