Bug Summary

File:builds/wireshark/wireshark/epan/tvbuff_lz77.c
Warning:line 148, column 7
Potential leak of memory pointed to by 'p'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tvbuff_lz77.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan -isystem /builds/wireshark/wireshark/build/epan -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /usr/include/lua5.4 -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -D epan_EXPORTS -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -I /builds/wireshark/wireshark/wiretap -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-04-17-100344-3642-1 -x c /builds/wireshark/wireshark/epan/tvbuff_lz77.c
1/*
2 * Decompression code for Plain LZ77. This encoding is used by
3 * Microsoft in various file formats and protocols including SMB3.
4 *
5 * See MS-XCA.
6 *
7 * Copyright (C) 2019 Aurélien Aptel
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12#include <glib.h>
13#include <epan/exceptions.h>
14#include <epan/tvbuff.h>
15#include <epan/wmem_scopes.h>
16
17#define MAX_INPUT_SIZE(16*1024*1024) (16*1024*1024) /* 16MB */
18
19static bool_Bool do_uncompress(tvbuff_t *tvb, int offset, int in_size,
20 wmem_array_t *obuf)
21{
22 unsigned buf_flags = 0, buf_flag_count = 0;
23 int in_off = 0;
24 int last_length_half_byte = 0;
25 unsigned match_bytes, match_len, match_off;
26 unsigned i;
27
28 while (1) {
29 if (buf_flag_count == 0) {
30 buf_flags = tvb_get_letohl(tvb, offset+in_off);
31 in_off += 4;
32 buf_flag_count = 32;
33 }
34 buf_flag_count--;
35 if ((buf_flags & (1u << buf_flag_count)) == 0) {
36 uint8_t v = tvb_get_uint8(tvb, offset+in_off);
37 wmem_array_append_one(obuf, v)wmem_array_append((obuf), &(v), 1);
38 in_off++;
39 } else {
40 if (in_off == in_size)
41 return true1;
42 match_bytes = tvb_get_letohs(tvb, offset+in_off);
43 in_off += 2;
44 match_len = match_bytes % 8;
45 match_off = (match_bytes/8) + 1;
46 if (match_len == 7) {
47 if (last_length_half_byte == 0) {
48 match_len = tvb_get_uint8(tvb, offset+in_off);
49 match_len = match_len % 16;
50 last_length_half_byte = in_off;
51 in_off++;
52 } else {
53 match_len = tvb_get_uint8(tvb, offset+last_length_half_byte);
54 match_len = match_len / 16;
55 last_length_half_byte = 0;
56 }
57 if (match_len == 15) {
58 match_len = tvb_get_uint8(tvb, offset+in_off);
59 in_off++;
60 if (match_len == 255) {
61 match_len = tvb_get_letohs(tvb, offset+in_off);
62 in_off += 2;
63 if (match_len == 0) {
64 match_len = tvb_get_letohl(tvb, offset+in_off);
65 in_off += 4;
66 }
67 if (match_len < 15+7)
68 return false0;
69 match_len -= (15 + 7);
70 }
71 match_len += 15;
72 }
73 match_len += 7;
74 }
75 /* XXX - We could instead fail inside the loops, e.g.
76 * testing wmem_array_get_count(obuf) > MAX_INPUT_SIZE,
77 * and return what we could decompress in a tvb with
78 * reported length greater than captured length. */
79 if (match_len > MAX_INPUT_SIZE(16*1024*1024))
80 return false0;
81 match_len += 3;
82 /* We can copy up to match_off bytes at a time.
83 * (The overlap handling is *not* like memmove,
84 * see [MS-XCA] 2.4.4.) */
85 /* wmem_array_get_count only increases, so we only need
86 * test this once. */
87 if (match_off > wmem_array_get_count(obuf))
88 return false0;
89 uint8_t *src;
90 ws_assert(match_off != 0)do { if ((1) && !(match_off != 0)) ws_log_fatal_full(
"", LOG_LEVEL_ERROR, "epan/tvbuff_lz77.c", 90, __func__, "assertion failed: %s"
, "match_off != 0"); } while (0); // Guaranteed by line 45
91 /* Must call grow first, to realloc the array first
92 * if needed and avoid invalidating pointers returned
93 * from wmem_array_index when appending. */
94 if (!wmem_array_grow(obuf, match_len))
95 return false0;
96 for (i = 0; i < match_len / match_off; i++) {
97 src = wmem_array_index(obuf, wmem_array_get_count(obuf) - match_off);
98 wmem_array_append(obuf, src, match_off);
99 }
100 for (i *= match_off; i < match_len; i++) {
101 src = wmem_array_index(obuf, wmem_array_get_count(obuf) - match_off);
102 wmem_array_append(obuf, src, 1);
103 }
104 }
105 }
106
107 return true1;
108}
109
110tvbuff_t *
111tvb_uncompress_lz77(tvbuff_t *tvb, const unsigned offset, unsigned in_size)
112{
113 volatile bool_Bool ok = false0;
114 wmem_allocator_t *pool;
115 wmem_array_t *obuf;
116 tvbuff_t *out;
117
118 if (!tvb)
2
Assuming 'tvb' is non-null
119 return NULL((void*)0);
120
121 if (!in_size || in_size > MAX_INPUT_SIZE(16*1024*1024))
3
Assuming 'in_size' is not equal to 0
4
Assuming the condition is false
5
Taking false branch
122 return NULL((void*)0);
123
124 pool = wmem_allocator_new(WMEM_ALLOCATOR_SIMPLE);
125 obuf = wmem_array_sized_new(pool, 1, in_size*2);
126
127 TRY{ except_t *volatile exc; volatile int except_state = 0; static
const except_id_t catch_spec[] = { { 1, 0 } }; { struct except_stacknode
except_sn; struct except_catch except_ch; except_setup_try(&
except_sn, &except_ch, catch_spec, 1); if (_setjmp (except_ch
.except_jmp)) *(&exc) = &except_ch.except_obj; else *
(&exc) = 0; if(except_state & 1) except_state |= 2; except_state
&= ~1; if (except_state == 0 && exc == 0) {
6
Assuming the condition is false
7
Taking false branch
8
Taking false branch
9
Taking true branch
128 ok = do_uncompress(tvb, offset, in_size, obuf);
129 } CATCH_ALLif (except_state == 0 && exc != 0 && (except_state
|=1)) {
130 ok = false0;
131 }
132 ENDTRYif(!(except_state&1) && exc != 0) except_rethrow(
exc); except_free(except_ch.except_obj.except_dyndata); except_pop
(); };};
10
Taking false branch
133
134 if (ok) {
11
Assuming 'ok' is true
12
Taking true branch
135 /*
136 * Cannot pass a tvb free callback that frees the wmem
137 * pool, so we make an extra copy that uses bare
138 * pointers. This could be optimized if tvb API had a
139 * free pool callback of some sort.
140 *
141 * XXX - Maybe a tvb_set_free_cb_with_data or similar
142 * that takes functions that take a void* userdata
143 * parameter?
144 */
145 unsigned size = wmem_array_get_count(obuf);
146 uint8_t *p = (uint8_t *)g_malloc(size);
13
Memory is allocated
147 memcpy(p, wmem_array_get_raw(obuf), size);
148 out = tvb_new_real_data(p, size, size);
14
Potential leak of memory pointed to by 'p'
149 tvb_set_free_cb(out, g_free);
150 } else {
151 out = NULL((void*)0);
152 }
153
154 wmem_destroy_allocator(pool);
155
156 return out;
157}
158
159tvbuff_t *
160tvb_child_uncompress_lz77(tvbuff_t *parent, tvbuff_t *tvb, const unsigned offset, unsigned in_size)
161{
162 tvbuff_t *new_tvb = tvb_uncompress_lz77(tvb, offset, in_size);
1
Calling 'tvb_uncompress_lz77'
163 if (new_tvb)
164 tvb_set_child_real_data_tvbuff(parent, new_tvb);
165 return new_tvb;
166}
167
168
169/*
170 * Editor modelines - https://www.wireshark.org/tools/modelines.html
171 *
172 * Local variables:
173 * c-basic-offset: 8
174 * tab-width: 8
175 * indent-tabs-mode: t
176 * End:
177 *
178 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
179 * :indentSize=8:tabSize=8:noTabs=false:
180 */