From dce629b2f8260010a06ea5a9bd31f5c65f483f3d Mon Sep 17 00:00:00 2001
From: Patrick Georgi <pgeorgi@chromium.org>
Date: Fri, 13 Jan 2017 13:30:54 +0100
Subject: [PATCH] util/cbfstool: avoid memleaks and off-by-ones

Change-Id: Iac136a5dfe76f21aa7c0d5ee4e974e50b955403b
Signed-off-by: Patrick Georgi <pgeorgi@chromium.org>
Found-by: scan-build 3.8
Reviewed-on: https://review.coreboot.org/18134
Tested-by: build bot (Jenkins)
Reviewed-by: Nico Huber <nico.h@gmx.de>
---
 util/cbfstool/cbfs_image.c   | 19 +++++++++++++++++--
 util/cbfstool/cbfscomptool.c |  5 +++++
 util/cbfstool/fmd.c          |  2 +-
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/util/cbfstool/cbfs_image.c b/util/cbfstool/cbfs_image.c
index e530224fac..1f4b49a48d 100644
--- a/util/cbfstool/cbfs_image.c
+++ b/util/cbfstool/cbfs_image.c
@@ -1150,13 +1150,22 @@ static int cbfs_payload_make_elf(struct buffer *buff, uint32_t arch)
 				       segs[i].len);
 		} else if (segs[i].type == PAYLOAD_SEGMENT_ENTRY) {
 			break;
+		} else {
+			ERROR("unknown ELF segment type\n");
+			goto out;
 		}
 
+		if (!name) {
+			ERROR("out of memory\n");
+			goto out;
+		}
 
 		if (elf_writer_add_section(ew, &shdr, &tbuff, name)) {
 			ERROR("Unable to add ELF section: %s\n", name);
+			free(name);
 			goto out;
 		}
+		free(name);
 
 		if (empty_sz != 0) {
 			struct buffer b;
@@ -1168,10 +1177,16 @@ static int cbfs_payload_make_elf(struct buffer *buff, uint32_t arch)
 			shdr.sh_addr = segs[i].load_addr + segs[i].len;
 			shdr.sh_size = empty_sz;
 			name = strdup(".empty");
-			if (elf_writer_add_section(ew, &shdr, &b, name)) {
-				ERROR("Unable to add ELF section: %s\n", name);
+			if (!name) {
+				ERROR("out of memory\n");
 				goto out;
 			}
+			if (elf_writer_add_section(ew, &shdr, &b, name)) {
+				ERROR("Unable to add ELF section: %s\n", name);
+				free(name);
+				goto out;
+			}
+			free(name);
 		}
 	}
 
diff --git a/util/cbfstool/cbfscomptool.c b/util/cbfstool/cbfscomptool.c
index 9e804860a9..3430809e0d 100644
--- a/util/cbfstool/cbfscomptool.c
+++ b/util/cbfstool/cbfscomptool.c
@@ -49,6 +49,7 @@ int benchmark()
 	}
 	char *compressed_data = malloc(bufsize);
 	if (!compressed_data) {
+		free(data);
 		fprintf(stderr, "out of memory\n");
 		return 1;
 	}
@@ -64,6 +65,8 @@ int benchmark()
 		comp_func_ptr comp = compression_function(algo->type);
 		if (comp == NULL) {
 			printf("no handler associated with algorithm\n");
+			free(data);
+			free(compressed_data);
 			return 1;
 		}
 
@@ -80,6 +83,8 @@ int benchmark()
 			bufsize, outsize,
 			t_e.tv_sec - t_s.tv_sec);
 	}
+	free(data);
+	free(compressed_data);
 	return 0;
 }
 
diff --git a/util/cbfstool/fmd.c b/util/cbfstool/fmd.c
index afd87015f8..7a289d7743 100644
--- a/util/cbfstool/fmd.c
+++ b/util/cbfstool/fmd.c
@@ -289,7 +289,7 @@ static void print_with_prefix(const struct flashmap_descriptor *tree,
 	if (tree->list_len) {
 		puts(":");
 
-		char child_prefix[strlen(pre) + 1];
+		char child_prefix[strlen(pre) + 2];
 		strcpy(child_prefix, pre);
 		strcat(child_prefix, "\t");
 		fmd_foreach_child(each, tree)