Fix 11396, doublefree on munmap in if-statement (#4594)

2022-11-26 15:45:27 +01:00 · 2022-11-26 15:45:27 +01:00 · 8465d901c8
parent 926bab9aba
commit 8465d901c8
2 changed files with 32 additions and 1 deletions
--- a/lib/checkleakautovar.cpp
+++ b/lib/checkleakautovar.cpp
@ -477,9 +477,10 @@ bool CheckLeakAutoVar::checkScope(const Token * const startToken,
                // check for function call
                const Token * const openingPar = isFunctionCall(innerTok);
                if (openingPar) {
+                    const Library::AllocFunc* allocFunc = mSettings->library.getDeallocFuncInfo(innerTok);
                    // innerTok is a function name
                    const VarInfo::AllocInfo allocation(0, VarInfo::NOALLOC);
-                    functionCall(innerTok, openingPar, varInfo, allocation, nullptr);
+                    functionCall(innerTok, openingPar, varInfo, allocation, allocFunc);
                    innerTok = openingPar->link();
                }
            }
--- a/test/cfg/posix.c
+++ b/test/cfg/posix.c
@ -892,6 +892,36 @@ void * identicalCondition_mmap(int fd, size_t size) // #9940
    return buffer;
 }

+int munmap_no_double_free(int tofd, // #11396
+                          int fromfd,
+                          size_t len)
+{
+    int rc;
+    void* fptr = mmap(NULL,len,PROT_READ|PROT_WRITE,MAP_SHARED,fromfd,(off_t)0);
+    if (fptr == MAP_FAILED) {
+        return -1;
+    }
+
+    void* tptr = mmap(NULL,len,PROT_READ|PROT_WRITE,MAP_SHARED,tofd,(off_t)0);
+    if (tptr == MAP_FAILED) {
+        // cppcheck-suppress memleak
+        return -1;
+    }
+
+    memcpy(tptr,fptr,len);
+
+    if ((rc = munmap(fptr,len)) != 0) {
+        // cppcheck-suppress memleak
+        return -1;
+    }
+
+    if ((rc = munmap(tptr,len)) != 0) {
+        return -1;
+    }
+
+    return rc;
+}
+
 void resourceLeak_fdopen(int fd)
 {
    // cppcheck-suppress unreadVariable