k-takata / Onigmo

Onigmo is a regular expressions library forked from Oniguruma.

Memory leaks reported by Scan Coverity #143

Open edsiper opened 5 years ago

edsiper commented 5 years ago

In our project, Fluent Bit, we use libonigmo for regex parsing. The static analysis system Coverity reported some possible memory leaks (RESOURCE_LEAK), along with two possible null pointer dereferences (FORWARD_NULL), all in regcomp.c. Would you please validate the 3 reported issues?

CID 156544: (RESOURCE_LEAK)

/lib/onigmo/regcomp.c: 3680 in expand_case_fold_string()
/lib/onigmo/regcomp.c: 3599 in expand_case_fold_string()
/lib/onigmo/regcomp.c: 3630 in expand_case_fold_string()
/lib/onigmo/regcomp.c: 3599 in expand_case_fold_string()

*** CID 156544:    (RESOURCE_LEAK)
/lib/onigmo/regcomp.c: 3680 in expand_case_fold_string()
3674         Node *srem;
3675     
3676         r = expand_case_fold_make_rem_string(&srem, p, end, reg);
3677         if (r != 0) goto mem_err;
3678     
3679         if (IS_NOT_NULL(prev_node) && IS_NULL(root)) {
>>>     CID 156544:    (RESOURCE_LEAK)
>>>     Overwriting "top_root" in "top_root = root = onig_node_list_add(NULL, prev_node)" leaks the storage that "top_root" points to.
3680           top_root = root = onig_node_list_add(NULL_NODE, prev_node);
3681           if (IS_NULL(root)) {
3682            onig_node_free(srem);
3683            onig_node_free(prev_node);
3684            goto mem_err;
3685           }
/lib/onigmo/regcomp.c: 3599 in expand_case_fold_string()
3593         len = enclen(reg->enc, p, end);
3594     
3595         varlen = is_case_fold_variable_len(n, items, len);
3596         if (n == 0 || varlen == 0) {
3597           if (IS_NULL(snode)) {
3598            if (IS_NULL(root) && IS_NOT_NULL(prev_node)) {
>>>     CID 156544:    (RESOURCE_LEAK)
>>>     Overwriting "top_root" in "top_root = root = onig_node_list_add(NULL, prev_node)" leaks the storage that "top_root" points to.
3599              top_root = root = onig_node_list_add(NULL_NODE, prev_node);
3600              if (IS_NULL(root)) {
3601                onig_node_free(prev_node);
3602                goto mem_err;
3603              }
3604            }
/lib/onigmo/regcomp.c: 3630 in expand_case_fold_string()
3624            r = update_string_node_case_fold(reg, snode);
3625            if (r == 0) {
3626              NSTRING_SET_AMBIG(snode);
3627            }
3628           }
3629           if (IS_NULL(root) && IS_NOT_NULL(prev_node)) {
>>>     CID 156544:    (RESOURCE_LEAK)
>>>     Overwriting "top_root" in "top_root = root = onig_node_list_add(NULL, prev_node)" leaks the storage that "top_root" points to.
3630            top_root = root = onig_node_list_add(NULL_NODE, prev_node);
3631            if (IS_NULL(root)) {
3632              onig_node_free(prev_node);
3633              goto mem_err;
3634            }
3635           }
/lib/onigmo/regcomp.c: 3599 in expand_case_fold_string()
3593         len = enclen(reg->enc, p, end);
3594     
3595         varlen = is_case_fold_variable_len(n, items, len);
3596         if (n == 0 || varlen == 0) {
3597           if (IS_NULL(snode)) {
3598            if (IS_NULL(root) && IS_NOT_NULL(prev_node)) {
>>>     CID 156544:    (RESOURCE_LEAK)
>>>     Overwriting "top_root" in "top_root = root = onig_node_list_add(NULL, prev_node)" leaks the storage that "top_root" points to.
3599              top_root = root = onig_node_list_add(NULL_NODE, prev_node);
3600              if (IS_NULL(root)) {
3601                onig_node_free(prev_node);
3602                goto mem_err;
3603              }
3604            }

CID 156532: Null pointer dereferences (FORWARD_NULL)

/lib/onigmo/regcomp.c: 1271 in compile_length_enclose_node()

1265           len = SIZE_OP_PUSH_STOP_BT + tlen + SIZE_OP_POP_STOP_BT;
1266         }
1267         break;
1268     
1269       case ENCLOSE_CONDITION:
1270         len = SIZE_OP_CONDITION;
>>>     CID 156532:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "node->target".
1271         if (NTYPE(node->target) == NT_ALT) {
1272           Node* x = node->target;
1273     
1274           tlen = compile_length_tree(NCAR(x), reg); /* yes-node */
1275           if (tlen < 0) return tlen;
1276           len += tlen + SIZE_OP_JUMP;

CID 93270: Null pointer dereferences (FORWARD_NULL)

/lib/onigmo/regcomp.c: 1258 in compile_length_enclose_node()
1252         }
1253         break;
1254     
1255       case ENCLOSE_STOP_BACKTRACK:
1256         if (IS_ENCLOSE_STOP_BT_SIMPLE_REPEAT(node)) {
1257           QtfrNode* qn = NQTFR(node->target);
>>>     CID 93270:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "qn".
1258           tlen = compile_length_tree(qn->target, reg);
1259           if (tlen < 0) return tlen;
1260     
1261           len = tlen * qn->lower
1262              + SIZE_OP_PUSH + tlen + SIZE_OP_POP + SIZE_OP_JUMP;
1263         }