Bug Summary

File:builds/wireshark/wireshark/epan/tvbuff_brotli.c
Warning:line 149, column 17
Potential leak of memory pointed to by 'uncompr'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name tvbuff_brotli.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan -isystem /builds/wireshark/wireshark/build/epan -isystem /usr/include/mit-krb5 -isystem /usr/include/lua5.5 -isystem /usr/include/libxml2 -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -D epan_EXPORTS -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -I /builds/wireshark/wireshark/wiretap -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-06-04-100425-3529-1 -x c /builds/wireshark/wireshark/epan/tvbuff_brotli.c
1/* tvbuff_brotli.c
2 *
3 * Wireshark - Network traffic analyzer
4 * By Gerald Combs <[email protected]>
5 * Copyright 1998 Gerald Combs
6 *
7 * SPDX-License-Identifier: GPL-2.0-or-later
8 */
9
10#include <config.h>
11
12#include <glib.h>
13
14#include <string.h>
15
16#ifdef HAVE_BROTLI1
17#include <brotli/decode.h>
18#endif
19
20#include "tvbuff.h"
21
22#ifdef HAVE_BROTLI1
23
24/*
25 * 512KiB is the buffer size used by the brotli tool, so we
26 * use that too.
27 */
28#define TVB_BROTLI_BUFSIZ(1 << 19) (1 << 19)
29
30static void*
31brotli_g_malloc_wrapper(void *opaque _U___attribute__((unused)), size_t size)
32{
33 return g_malloc(size);
34}
35
36static void
37brotli_g_free_wrapper(void *opaque _U___attribute__((unused)), void *address)
38{
39 g_free(address)(__builtin_object_size ((address), 0) != ((size_t) - 1)) ? g_free_sized
(address, __builtin_object_size ((address), 0)) : (g_free) (
address);
40}
41
42/*
43 * Uncompresses a brotli compressed packet inside a message of tvb at offset with
44 * length comprlen. Returns an uncompressed tvbuffer if uncompression
45 * succeeded or NULL if uncompression failed.
46 */
47
48tvbuff_t *
49tvb_uncompress_brotli(tvbuff_t *tvb, const unsigned offset, unsigned comprlen)
50{
51 uint8_t *compr;
52 uint8_t *uncompr = NULL((void*)0);
53 tvbuff_t *uncompr_tvb;
54 BrotliDecoderState *decoder;
55 uint8_t *strmbuf;
56 const size_t bufsiz = TVB_BROTLI_BUFSIZ(1 << 19);
57 size_t available_in;
58 const uint8_t *next_in;
59 size_t available_out;
60 uint8_t *next_out;
61 size_t total_out;
62 unsigned needs_more_output;
63 unsigned finished;
64
65 if (tvb == NULL((void*)0) || comprlen <= 0) {
2
Assuming 'tvb' is not equal to NULL
3
Assuming 'comprlen' is > 0
4
Taking false branch
66 return NULL((void*)0);
67 }
68
69 compr = (uint8_t *)tvb_memdup(NULL((void*)0), tvb, offset, comprlen);
70 if (compr == NULL((void*)0)) {
5
Assuming 'compr' is not equal to NULL
6
Taking false branch
71 return NULL((void*)0);
72 }
73
74 decoder = BrotliDecoderCreateInstance(
75 &brotli_g_malloc_wrapper /*alloc_func*/,
76 &brotli_g_free_wrapper /*free_func*/,
77 NULL((void*)0) /*opaque*/);
78 if (decoder == NULL((void*)0)) {
7
Assuming 'decoder' is not equal to NULL
8
Taking false branch
79 wmem_free(NULL((void*)0), compr);
80 return NULL((void*)0);
81 }
82 strmbuf = (uint8_t *)g_malloc(bufsiz);
83
84 available_in = comprlen;
85 next_in = compr;
86 total_out = 0;
87 needs_more_output = 0;
88 finished = 0;
89 while (available_in
8.1
'available_in' is > 0
 > 0 || needs_more_output) {
16
Assuming 'available_in' is <= 0
17
Loop condition is false. Execution continues on line 137
90 needs_more_output = 0;
91 available_out = bufsiz;
92 next_out = strmbuf;
93
94 BrotliDecoderResult result = BrotliDecoderDecompressStream(
95 decoder, &available_in, &next_in, &available_out, &next_out, &total_out);
96 switch (result) {
9
Control jumps to 'case BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:' at line 106
97 case BROTLI_DECODER_RESULT_SUCCESS:
98 if (available_in > 0) {
99 goto cleanup;
100 }
101 finished = 1;
102 break;
103 case BROTLI_DECODER_RESULT_NEEDS_MORE_OUTPUT:
104 needs_more_output = 1;
105 break;
106 case BROTLI_DECODER_RESULT_NEEDS_MORE_INPUT:
107 /*
108 * It's possible that not enough frames were captured
109 * to decompress this fully, so return what we've done
110 * so far, if any.
111 */
112 break;
113 case BROTLI_DECODER_RESULT_ERROR:
114 default:
115 goto cleanup;
116 }
117
118 /*
119 * Check if decompressed size is too large.
120 */
121 if (total_out > INT_MAX2147483647) {
10
 Execution continues on line 121
11
Assuming 'total_out' is <= INT_MAX
12
Taking false branch
122 goto cleanup;
123 }
124
125 /*
126 * BrotliDecoderDecompressStream sets available_out to the number of bytes
127 * left unused from the buffer. But we are interested in the bytes it wrote
128 * to the buffer in this pass, so we calculate pass_out.
129 */
130 size_t pass_out = bufsiz - available_out;
131 if (pass_out > 0) {
13
Assuming 'pass_out' is > 0
14
Taking true branch
132 uncompr = (uint8_t *)g_realloc(uncompr, total_out);
15
Memory is allocated
133 memcpy(uncompr + (total_out - pass_out), strmbuf, pass_out);
134 }
135 }
136
137 if (uncompr
17.1
'uncompr' is not equal to NULL
 == NULL((void*)0)) {
18
Taking false branch
138 /*
139 * This is for the case when the validly decompressed
140 * length is 0.
141 */
142 if (finished) {
143 uncompr = (uint8_t *)g_strdup("")g_strdup_inline ("");
144 } else {
145 goto cleanup;
146 }
147 }
148
149 uncompr_tvb = tvb_new_real_data((uint8_t *)uncompr, (unsigned)total_out, (unsigned)total_out);
19
Potential leak of memory pointed to by 'uncompr'
150 tvb_set_free_cb(uncompr_tvb, g_free);
151
152 g_free(strmbuf)(__builtin_object_size ((strmbuf), 0) != ((size_t) - 1)) ? g_free_sized
(strmbuf, __builtin_object_size ((strmbuf), 0)) : (g_free) (
strmbuf);
153 wmem_free(NULL((void*)0), compr);
154 BrotliDecoderDestroyInstance(decoder);
155 return uncompr_tvb;
156
157cleanup:
158 g_free(strmbuf)(__builtin_object_size ((strmbuf), 0) != ((size_t) - 1)) ? g_free_sized
(strmbuf, __builtin_object_size ((strmbuf), 0)) : (g_free) (
strmbuf);
159 g_free(uncompr)(__builtin_object_size ((uncompr), 0) != ((size_t) - 1)) ? g_free_sized
(uncompr, __builtin_object_size ((uncompr), 0)) : (g_free) (
uncompr);
160 wmem_free(NULL((void*)0), compr);
161 BrotliDecoderDestroyInstance(decoder);
162 return NULL((void*)0);
163}
164#else
165tvbuff_t *
166tvb_uncompress_brotli(tvbuff_t *tvb _U___attribute__((unused)), const unsigned offset _U___attribute__((unused)), unsigned comprlen _U___attribute__((unused)))
167{
168 return NULL((void*)0);
169}
170#endif
171
172tvbuff_t *
173tvb_child_uncompress_brotli(tvbuff_t *parent, tvbuff_t *tvb, const unsigned offset, unsigned comprlen)
174{
175 tvbuff_t *new_tvb = tvb_uncompress_brotli(tvb, offset, comprlen);
1
Calling 'tvb_uncompress_brotli'
176 if (new_tvb)
177 tvb_set_child_real_data_tvbuff(parent, new_tvb);
178 return new_tvb;
179}
180
181/*
182 * Editor modelines - https://www.wireshark.org/tools/modelines.html
183 *
184 * Local variables:
185 * c-basic-offset: 4
186 * tab-width: 8
187 * indent-tabs-mode: nil
188 * End:
189 *
190 * vi: set shiftwidth=4 tabstop=8 expandtab:
191 * :indentSize=4:tabSize=8:noTabs=true:
192 */