[CWE-401] malloc leak in gl4dhAnimeManager::add called by gl4dhClean

[darnuria]

Petite sœur de #11 mais pour la fonction add dans gl4dhAnimeManager, conditions de reproduction identique du warning.

En gros il est possible d'avoir un free non appelé à l'issu des appels de fonctions ça peut servir a un attaquant pour faire un gadget dans un bout de mémoire non utilisé ou pleins de choses vilaines comme vous voyez en sécurité avec @p4bl0-.

GL4D/gl4dhAnimeManager.c: In function ‘add’:
GL4D/gl4dhAnimeManager.c:168:1: warning: leak of ‘<unknown>’ [CWE-401] [-Wanalyzer-malloc-leak]
  168 | }
      | ^
  ‘gl4dhClean’: events 1-4
    |
    |   76 | void gl4dhClean(void) {
    |      |      ^~~~~~~~~~
    |      |      |
    |      |      (1) entry to ‘gl4dhClean’
    |   77 |   if(_animations) {
    |      |     ~ 
    |      |     |
    |      |     (2) following ‘true’ branch...
    |   78 |     callAllWithState(_animations, GL4DH_FREE);
    |      |     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |     |
    |      |     (3) ...to here
    |      |     (4) calling ‘callAllWithState’ from ‘gl4dhClean’
    |
    +--> ‘callAllWithState’: event 5
           |
           |  175 | static void callAllWithState(GL4DHanime * animations, int state) {
           |      |             ^~~~~~~~~~~~~~~~
           |      |             |
           |      |             (5) entry to ‘callAllWithState’
           |
         ‘callAllWithState’: event 6
           |
           |  178 |   assert(animations);
           |      |   ^~~~~~
           |      |   |
           |      |   (6) following ‘true’ branch (when ‘animations’ is non-NULL)...
           |
         ‘callAllWithState’: event 7
           |
           |cc1:
           | (7): ...to here
           |
         ‘callAllWithState’: events 8-14
           |
           |  145 |   for(i = 0; i < n; i++)
           |      |   ~~~   
           |      |   |
           |      |   (10) following ‘false’ branch...
           |......
           |  179 |   while(animations->first) {
           |      |        ^
           |      |        |
           |      |        (8) following ‘true’ branch...
           |  180 |     if(!in(animations->first, called, n)) {
           |      |       ~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       | |
           |      |       | (9) ...to here
           |      |       (11) ...to here
           |      |       (12) following ‘true’ branch...
           |  181 |       animations->first(state);
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (13) ...to here
           |  182 |       add(animations->first, &called, &n, &s);
           |      |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           |      |       |
           |      |       (14) calling ‘add’ from ‘callAllWithState’
           |
           +--> ‘add’: events 15-18
                  |
                  |  158 | static void add(void *func, void ***funcListp, int *n, int *s) {
                  |      |             ^~~
                  |      |             |
                  |      |             (15) entry to ‘add’
                  |  159 |   if(*s == 0) {
                  |      |     ~        
                  |      |     |
                  |      |     (16) following ‘true’ branch...
                  |  160 |     *n = 0;
                  |      |     ~~~~~~   
                  |      |        |
                  |      |        (17) ...to here
                  |      |        (18) allocated here
                  |
                ‘add’: event 19
                  |
                  |  162 |     assert(*funcListp);
                  |      |     ^~~~~~
                  |      |     |
                  |      |     (19) assuming ‘<unknown>’ is non-NULL
                  |
                ‘add’: event 20
                  |
                  |
                ‘add’: events 21-22
                  |
                  |  167 |   (*funcListp)[(*n)++] = func;
                  |      |   ~^~~~~~~~~~~
                  |      |    |
                  |      |    (21) ...to here
                  |  168 | }
                  |      | ~   
                  |      | |
                  |      | (22) ‘<unknown>’ leaks here; was allocated at (18)
                  |

[fiplox]

la fonction add est appelée seulement dans la fonction callAllWithState qui est la suivante:

static void callAllWithState(GL4DHanime * animations, int state) {
  int n = 0, s = 0;
  void **called = NULL;
  assert(animations);
  while(animations->first) {
    if(!in(animations->first, called, n)) {
      animations->first(state);
      add(animations->first, &called, &n, &s);
    }
    if(animations->last && !in(animations->last, called, n)) {
      animations->last(state);
      add(animations->last, &called, &n, &s);
    }
    if(animations->transition && !in(animations->transition, called, n)) {
      animations->transition(NULL, NULL, 0, 0, state);
      add(animations->transition, &called, &n, &s);
    }
    animations++;
  }
  if(called)
    free(called);
}

L'argument funcListp dans ce cas est un void** nommé called qui est bien free à la fin.
Si je me trompe pas, c'est un faux-positif de -fanalyzer.