Merge branch 'fix/coverity_issue_483747' into 'master'

Fix possible double memory free in esp_http_client Closes IDF-13757, IDF-13758, and IDF-13755 See merge request espressif/esp-idf!40934
2025-10-02 18:10:57 +02:00 · 2025-08-20 14:29:20 +05:30
parent 65a6e9c294 414397c048
commit 1a615729d5
3 changed files with 31 additions and 30 deletions
--- a/components/esp_driver_usb_serial_jtag/src/usb_serial_jtag_vfs.c
+++ b/components/esp_driver_usb_serial_jtag/src/usb_serial_jtag_vfs.c
@@ -429,24 +429,38 @@ static esp_err_t unregister_select(usb_serial_jtag_select_args_t *args)
        for (int i = 0; i < s_registered_select_num; ++i) {
            if (s_registered_selects[i] == args) {
                const int new_size = s_registered_select_num - 1;
-                // The item is removed by overwriting it with the last item. The subsequent rellocation will drop the
-                // last item.
-                s_registered_selects[i] = s_registered_selects[new_size];
-                usb_serial_jtag_select_args_t **new_selects = heap_caps_realloc(s_registered_selects, new_size * sizeof(usb_serial_jtag_select_args_t *), USJ_VFS_MALLOC_FLAGS);
-                if (new_selects == NULL && new_size > 0) {
-                    ret = ESP_ERR_NO_MEM;
-                } else {
-                    s_registered_selects = new_selects;
+                // Move last element to fill gap (only if not removing the last element)
+                if (i < new_size) {
+                    s_registered_selects[i] = s_registered_selects[new_size];
+                }
+                if (new_size == 0) {
+                    // Free the entire array
+                    free(s_registered_selects);
+                    s_registered_selects = NULL;
+                    s_registered_select_num = 0;
+                    ret = ESP_OK;
+                } else {
+                    // Shrink the array
+                    usb_serial_jtag_select_args_t **new_selects = heap_caps_realloc(s_registered_selects, new_size * sizeof(usb_serial_jtag_select_args_t *), USJ_VFS_MALLOC_FLAGS);
+                    if (new_selects == NULL) {
+                        // Realloc failed - restore moved element
+                        if (i < new_size) {
+                            s_registered_selects[new_size] = s_registered_selects[i];
+                        }
+                        ret = ESP_ERR_NO_MEM;
+                    } else {
+                        // Success - update pointer
+                        s_registered_selects = new_selects;
+                        s_registered_select_num = new_size;
+                        ret = ESP_OK;
+                    }
                }
-                // Shrinking a buffer with realloc is guaranteed to succeed.
-                s_registered_select_num = new_size;

                /* when the last select is unregistered, also unregister the callback  */
                if (s_registered_select_num == 0) {
                    usb_serial_jtag_set_select_notif_callback(NULL);
                }

-                ret = ESP_OK;
                break;
            }
        }
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -350,6 +350,7 @@ static int http_on_body(http_parser *parser, const char *at, size_t length)
                ESP_LOGE(TAG, "Failed to allocate memory for storing decoded data");
                free(res_buffer->orig_raw_data);
                res_buffer->orig_raw_data = NULL;
+                res_buffer->raw_data = NULL;
                return -1;
            }
            res_buffer->orig_raw_data = tmp;
--- a/components/esp_http_client/lib/http_utils.c
+++ b/components/esp_http_client/lib/http_utils.c
@@ -45,16 +45,9 @@ char *http_utils_assign_string(char **str, const char *new_str, int len)
        l = strlen(new_str);
    }
    if (old_str) {
-        // old_str should not be reallocated directly, as in case of memory exhaustion,
-        // it will be lost and we will not be able to free it.
-        char *tmp = realloc(old_str, l + 1);
-        if (tmp == NULL) {
-            free(old_str);
-            old_str = NULL;
-            ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
-        }
-        old_str = tmp;
-        old_str[l] = 0; // Ensure the new string is null-terminated
+        old_str = realloc(old_str, l + 1);
+        ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
+        old_str[l] = 0;
    } else {
        old_str = calloc(1, l + 1);
        ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
@@ -75,15 +68,8 @@ char *http_utils_append_string(char **str, const char *new_str, int len)
        }
        if (old_str) {
            old_len = strlen(old_str);
-            // old_str should not be reallocated directly, as in case of memory exhaustion,
-            // it will be lost and we will not be able to free it.
-            char *tmp = realloc(old_str, old_len + l + 1);
-            if (tmp == NULL) {
-                free(old_str);
-                old_str = NULL;
-                ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
-            }
-            old_str = tmp;
+            old_str = realloc(old_str, old_len + l + 1);
+            ESP_RETURN_ON_FALSE(old_str, NULL, TAG, "Memory exhausted");
            // Ensure the new string is null-terminated
            old_str[old_len + l] = 0;
        } else {