tdf#120703 (PVS): handle malloc/realloc failures

V769 The 'pTmpTarget' pointer in the 'pTmpTarget - pTarget' expression could be
nullptr. In such case, resulting value will be senseless and it should not
be used. Check lines: 81, 67.

V701 realloc() possible leak: when realloc() fails in allocating memory, original
pointer 'pTarget' is lost. Consider assigning realloc() to a temporary
pointer.

V769 The 'pTarget' pointer in the 'pTarget + nOffset' expression could be nullptr.
In such case, resulting value will be senseless and it should not be used.
Check lines: 85, 82.

Change-Id: I883ea42fca66467edfe26382c78636c1d48c5260
Reviewed-on: https://gerrit.libreoffice.org/62115
Tested-by: Jenkins
Reviewed-by: Mike Kaganski <mike.kaganski@collabora.com>

1 files changed, 9 insertions, 2 deletions

diff --git a/vcl/source/filter/igif/decode.cxx b/vcl/source/filter/igif/decode.cxx
index 276d75c64e24..2aeccb335483 100644
--- a/vcl/source/filter/igif/decode.cxx
+++ b/vcl/source/filter/igif/decode.cxx
@@ -71,7 +71,7 @@ Scanline GIFLZWDecompressor::DecompressBlock( sal_uInt8* pSrc, sal_uInt8 cBufSiz
     nBlockBufPos = 0;
     pBlockBuf = pSrc;
 
-    while( ProcessOneCode() )
+    while (pTarget && ProcessOneCode())
     {
         nCount += nOutBufDataLen;
 
@@ -79,7 +79,14 @@ Scanline GIFLZWDecompressor::DecompressBlock( sal_uInt8* pSrc, sal_uInt8 cBufSiz
         {
             sal_uLong   nNewSize = nTargetSize << 1;
             sal_uLong   nOffset = pTmpTarget - pTarget;
-            pTarget = static_cast<sal_uInt8*>(std::realloc( pTarget, nNewSize ));
+            if (auto p = static_cast<sal_uInt8*>(std::realloc(pTarget, nNewSize)))
+                pTarget = p;
+            else
+            {
+                free(pTarget);
+                pTarget = nullptr;
+                break;
+            }
 
             nTargetSize = nNewSize;
             pTmpTarget = pTarget + nOffset;