blah

Cisco-Talos · Jul 9, 2024 · 354fe85 · 354fe85
1 parent ec18f42
commit 354fe85
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 5 deletions.
diff --git a/libclamav/htmlnorm.c b/libclamav/htmlnorm.c
@@ -371,6 +371,9 @@ void html_tag_arg_add(tag_arguments_t *tags,
 {
     int len, i;
     tags->count++;
+    /*
+     * Seems like this would leak all the strdup'd values if realloc fails.  Investigate.
+     */
     tags->tag = (unsigned char **)cli_max_realloc_or_free(tags->tag,
                                                           tags->count * sizeof(char *));
     if (!tags->tag) {
@@ -652,11 +655,30 @@ static void js_process(struct parser_state *js_state, const unsigned char *js_be
 
 bool html_insert_form_data(const char * const value, form_data_t *tags) {
     bool bRet = false;
+    size_t cnt = tags->count + 1;
+    unsigned char ** tmp = NULL;
+
+    /*
+     * Do NOT use cli_max_realloc_or_free because all the previously malloc'd tag
+     * values will be leaked when tag is free'd in the case where realloc fails.
+     */
+    tmp = (unsigned char **)realloc(tags->tag, cnt * sizeof(unsigned char *));
+    if (!tmp) {
+        goto done;
+    }
+    tags->tag = tmp;
 
-    //here;
+    tags->tag[tags->count] = cli_safer_strdup(value);
+    if (tags->tag[tags->count]) {
+        tags->count = cnt;
+    }
 
     bRet = true;
 done:
+    if (!bRet){
+        memset(tags, 0, sizeof(*tags));
+    }
+
     return bRet;
 }
 
@@ -1358,7 +1380,7 @@ fprintf(stderr, "%s::%d::ENTERING\n", __FUNCTION__, __LINE__);
 fprintf(stderr, "%s::%d::SAVE VALUE HERE for FORM TAGS!!!!!\n", __FUNCTION__, __LINE__);
 fprintf(stderr, "%s::%d::%s\n", __FUNCTION__, __LINE__, in_form_action);
                                 if (form_data){
-                                    fprintf(stderr, "%s::%d::ADD THE STUFF HERE\n", __FUNCTION__, __LINE__);
+fprintf(stderr, "%s::%d::ADD THE STUFF HERE\n", __FUNCTION__, __LINE__);
                                     html_insert_form_data(in_form_action, form_data);
                                 }
                             }

diff --git a/libclamav/htmlnorm.h b/libclamav/htmlnorm.h
@@ -46,9 +46,8 @@ typedef struct m_area_tag {
 } m_area_t;
 
 typedef struct form_data_tag {
-    int count;
-
-    unsigned char * tag;
+    unsigned char ** tag;
+    size_t count;
 } form_data_t;
 
 bool html_normalise_mem(cli_ctx *ctx, unsigned char *in_buff, off_t in_size, const char *dirname, tag_arguments_t *hrefs, const struct cli_dconf *dconf);

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
@@ -2571,6 +2571,7 @@ static cl_error_t cli_scanhtml(cli_ctx *ctx)
 
 fprintf(stderr, "%s::%d::SAVE THE FORM DATA TAGS HERE, TOOO!!!\n", __FUNCTION__, __LINE__); exit(11);
 
+        html_form_data_tag_free(&form_data);
     } else {
         (void)html_normalise_map(ctx, map, tempname, NULL, ctx->dconf);
     }