A few days ago, I reported some potential null pointer dereferences.
Those are part of the reports our tool produced.
After checking other reports manually, I also found some reports that seem to be real bugs:
1. Bug D400-28
When realloc returns null, the original "string" is not freed.
2. Bug D400-17
line 466:
pvalue = (char *) osip_malloc (comma - equal);
overrides pvalue without any free.
3. Bug D400-1
file: osip_from.c
function: __osip_generic_param_parseall
line 563: osip_generic_param_add (gen_params, pname, pvalue);
does not assure pname is added.
4. Bug D400-18
file: osip_uri.c
The same explanation as 2, but with a different allocation site. (pname)
5. Bug D400-15
file: osip_uri.c
The same explanation as 2, but with a different allocation site. (pname)
6. Bug D400-26
file: osip.c
function: osip_start_200ok_retransmissions
line 187: osip_add_ixt (osip, ixt);
osip_list_add does not assure ixt is added to list.
7. Bug D400-19
file: osip_uri.c
The same explanation as 2, but with a different allocation site.
8. Bug D400-20
file: osip_uri.c
The same explanation as 2, but with a different allocation site.
9. Bug D400-2
file: osip_from.c
function: __osip_generic_param_parseall
The same explanation as 2, but in a different file.
Allocation site line 509: pname = (char *) osip_malloc (equal - params);
Overridden at line 556: pname = (char *) osip_malloc (equal - params);
10. Bug D400-21
file: osip_uri.c
function: __osip_uri_escape_nonascii_and_nondef
line 879: ns = osip_realloc (ns, alloc);
Function realloc doesn't make sure ns is freed when returning null.
11. Bug D400-16
file: osip_uri.c
function: osip_uri_parse_headers
line 381: hvalue = (char *) osip_malloc (headers + strlen (headers) - equal + 1);
Function osip_uri_uheader_add does not assure hvalue is added to the list.
All of the use-after-free reports are caused by function __osip_sdp_append_string (string, size, tmp, "a=");
in which "string" may be freed (by calling realloc(string, size)).
And the double locking report is sort of too complicated to confirm... It is OK if you ignore it.
The full list of reports is
here. Or you can download them from
here.
Hope for your replies.
BTW: If I have been boring you or you are not concerned about the bugs I reported, please let me know :)
Best Regards
--
Zhenbo Xu
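The two leak shapes this mail reports (a buffer grown with `p = realloc(p, n)` that loses its only reference when realloc returns NULL, and a list add whose failure leaves the caller's freshly allocated element unfreed), reproduced below as an added example in C. This is not libosip2 code: the functions append_leaky, append_safe, list_add and add_param_checked, the fault-injecting allocator and the SDP fragments are assumptions made for illustration, modelled only on the shapes the report describes.

```c
/* Added example, not libosip2 code: the two leak shapes in this mail
 * (realloc returning NULL, and an unchecked list add) rebuilt on a tiny
 * buffer and list with a fault injector so the failure path runs on demand.
 * The function names and the SDP text are illustrative assumptions. */
#include <stdlib.h>
#include <string.h>

/* Fault injector: allocations allowed before one returns NULL; -1 = never. */
static int allocs_until_fail = -1;
static void *xrealloc(void *p, size_t n)
{
    if (allocs_until_fail == 0) { allocs_until_fail = -1; return NULL; }
    if (allocs_until_fail > 0) allocs_until_fail--;
    return realloc(p, n);
}
static void *xmalloc(size_t n) { return xrealloc(NULL, n); }

/* D400-28 / D400-21 shape: string = realloc(string, n).  If realloc returns
 * NULL the only reference to the old block is overwritten and it leaks. */
char *append_leaky(char *string, size_t *size, const char *prefix, const char *tmp)
{
    size_t need = strlen(string) + strlen(prefix) + strlen(tmp) + 1;
    if (need > *size) {
        string = xrealloc(string, need);    /* old pointer lost if NULL */
        if (string == NULL) return NULL;
        *size = need;
    }
    strcat(string, prefix);
    return strcat(string, tmp);
}

/* Fixed shape: grow through a temporary; on failure the caller still owns
 * the original, untouched buffer and can free it or keep using it. */
int append_safe(char **string, size_t *size, const char *prefix, const char *tmp)
{
    size_t need = strlen(*string) + strlen(prefix) + strlen(tmp) + 1;
    if (need > *size) {
        char *grown = xrealloc(*string, need);
        if (grown == NULL) return -1;       /* *string is still valid */
        *string = grown;
        *size = need;
    }
    strcat(*string, prefix);
    strcat(*string, tmp);
    return 0;
}

/* D400-1 / -16 / -26 shape: an add that can fail to allocate its node, so
 * ownership of elt passes to the list only when it returns 0. */
struct node { char *elt; struct node *next; };
struct list { struct node *head; int count; };

int list_add(struct list *l, char *elt)
{
    struct node *n = xmalloc(sizeof *n);
    if (n == NULL) return -1;
    n->elt = elt; n->next = l->head; l->head = n; l->count++;
    return 0;
}

/* The caller done right: free what we allocated when the add fails.  The
 * reported sites are this call with the free() on the error path missing. */
int add_param_checked(struct list *l, const char *name)
{
    char *pname = xmalloc(strlen(name) + 1);
    if (pname == NULL) return -1;
    strcpy(pname, name);
    if (list_add(l, pname) != 0) { free(pname); return -1; }
    return 0;
}

/* Returns 1 if: append_safe left the buffer intact on a failed grow, the
 * leaky shape handed back NULL on the same failure, and a retry succeeded. */
int demo_append_failure(void)
{
    size_t size = 8;
    char *s = xmalloc(size);
    strcpy(s, "v=0\r\n");
    allocs_until_fail = 0;
    int ok = append_safe(&s, &size, "a=", "sendrecv\r\n") == -1
          && strcmp(s, "v=0\r\n") == 0 && size == 8;
    allocs_until_fail = 0;   /* a caller doing s = append_leaky(...) now holds NULL */
    ok = ok && append_leaky(s, &size, "a=", "sendrecv\r\n") == NULL;
    ok = ok && append_safe(&s, &size, "a=", "sendrecv\r\n") == 0
            && strcmp(s, "v=0\r\na=sendrecv\r\n") == 0;
    free(s);
    return ok;
}

/* Fail the second add at its node allocation (the pname malloc succeeds):
 * returns 1 if the list still holds exactly one element afterwards. */
int demo_list_add_failure(void)
{
    struct list l = { NULL, 0 };
    int ok = add_param_checked(&l, "transport") == 0;
    allocs_until_fail = 1;
    ok = ok && add_param_checked(&l, "ttl") == -1 && l.count == 1;
    while (l.head) { struct node *n = l.head; l.head = n->next; free(n->elt); free(n); }
    return ok;
}
```

The injector is what makes the difference observable: on a normal run realloc and malloc never fail, so both the leaky and the fixed shapes behave identically and a test suite will not see the bug. The check a reviewer wants at each reported site is the same one demo_append_failure and demo_list_add_failure encode: after a failed allocation, does the code still hold a pointer it can free?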