fixed misuse of realloc

calling it with size 0 leads to a free, which eventually may lead to a
double free corruption.

src/libopensc/asn1.c

@@ -1225,6 +1225,8 @@ static int asn1_encode_se_info(sc_context_t *ctx,
 		if (ret != SC_SUCCESS)
 			goto err;
 
+		if (!ptrlen)
+			continue;
 		p = (unsigned char *) realloc(out, outlen + ptrlen);
 		if (!p)   {
 			ret = SC_ERROR_OUT_OF_MEMORY;

src/libopensc/card-sc-hsm.c

@@ -520,6 +520,10 @@ static int sc_hsm_perform_chip_authentication(sc_card_t *card)
 		r = sc_read_binary(card, 0, all_certs, all_certs_len, 0);
 		if (r < 0)
 			goto err;
+		if (r == 0) {
+			r = SC_ERROR_FILE_NOT_FOUND;
+			goto err;
+		}
 
 		all_certs_len = r;
 

src/libopensc/dir.c

@@ -307,6 +307,8 @@ static int update_transparent(sc_card_t *card, sc_file_t *file)
 				free(buf);
 			return r;
 		}
+		if (!rec_size)
+			continue;
 		tmp = (u8 *) realloc(buf, buf_size + rec_size);
 		if (!tmp) {
 			if (rec)

src/libopensc/pkcs15.c

@@ -1983,6 +1983,8 @@ sc_pkcs15_encode_df(struct sc_context *ctx, struct sc_pkcs15_card *p15card, stru
 			free(buf);
 			return r;
 		}
+		if (!tmpsize)
+			continue;
 		p = (u8 *) realloc(buf, bufsize + tmpsize);
 		if (!p) {
 			free(tmp);

src/libopensc/sc.c

@@ -672,7 +672,7 @@ int sc_file_set_prop_attr(sc_file_t *file, const u8 *prop_attr,
 		return SC_ERROR_INVALID_ARGUMENTS;
 	}
 
-	if (prop_attr == NULL) {
+	if (prop_attr == NULL || prop_attr_len == 0) {
 		if (file->prop_attr != NULL)
 			free(file->prop_attr);
 		file->prop_attr = NULL;
@@ -702,7 +702,7 @@ int sc_file_set_type_attr(sc_file_t *file, const u8 *type_attr,
 		return SC_ERROR_INVALID_ARGUMENTS;
 	}
 
-	if (type_attr == NULL) {
+	if (type_attr == NULL || type_attr_len == 0) {
 		if (file->type_attr != NULL)
 			free(file->type_attr);
 		file->type_attr = NULL;
@@ -733,7 +733,7 @@ int sc_file_set_content(sc_file_t *file, const u8 *content,
 		return SC_ERROR_INVALID_ARGUMENTS;
 	}
 
-	if (content == NULL) {
+	if (content == NULL || content_len == 0) {
 		if (file->encoded_content != NULL)
 			free(file->encoded_content);
 		file->encoded_content = NULL;

src/pkcs15init/pkcs15-oberthur-awp.c

@@ -219,6 +219,8 @@ awp_update_blob(struct sc_context *ctx,
 		*blob_size += 1 + lv->len;
 		break;
 	case TLV_TYPE_V :
+		if (0 == *blob_size + lv->len)
+			return SC_ERROR_INVALID_DATA;
 		if (!(pp = realloc(*blob, *blob_size + lv->len)))
 			return SC_ERROR_OUT_OF_MEMORY;
 		memcpy(pp + *blob_size, lv->value, lv->len);

src/sm/sm-eac.c

@@ -478,7 +478,7 @@ static int format_mse_cdata(struct sc_context *ctx, int protocol,
 		r = SC_ERROR_INTERNAL;
 		goto err;
 	}
-	if (length < 0) {
+	if (length <= 0) {
 		r = SC_ERROR_INTERNAL;
 		goto err;
 	}
@@ -1321,6 +1321,10 @@ int perform_pace(sc_card_t *card,
 			r = SC_ERROR_INTERNAL;
 			goto err;
 		}
+		if (comp_pub_opp->length == 0) {
+			r = SC_ERROR_INTERNAL;
+			goto err;
+		}
 		p = realloc(pace_output->id_icc, comp_pub_opp->length);
 		if (!p) {
 			sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID ICC.\n");
@@ -1333,6 +1337,10 @@ int perform_pace(sc_card_t *card,
 		memcpy(pace_output->id_icc, comp_pub_opp->data, comp_pub_opp->length);
 		sc_debug_hex(card->ctx, SC_LOG_DEBUG_SM, "ID ICC", pace_output->id_icc,
 				pace_output->id_icc_length);
+		if (comp_pub->length == 0) {
+			r = SC_ERROR_INTERNAL;
+			goto err;
+		}
 		p = realloc(pace_output->id_pcd, comp_pub->length);
 		if (!p) {
 			sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Not enough memory for ID PCD.\n");
@@ -1927,7 +1935,7 @@ eac_sm_encrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
 
 	databuf = BUF_MEM_create_init(data, datalen);
 	encbuf = EAC_encrypt(eacsmctx->ctx, databuf);
-	if (!databuf || !encbuf) {
+	if (!databuf || !encbuf || !encbuf->length) {
 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not encrypt data.");
 		ssl_error(card->ctx);
 		r = SC_ERROR_INTERNAL;
@@ -1969,7 +1977,7 @@ eac_sm_decrypt(sc_card_t *card, const struct iso_sm_ctx *ctx,
 
 	encbuf = BUF_MEM_create_init(enc, enclen);
 	databuf = EAC_decrypt(eacsmctx->ctx, encbuf);
-	if (!encbuf || !databuf) {
+	if (!encbuf || !databuf || !databuf->length) {
 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE, "Could not decrypt data.");
 		ssl_error(card->ctx);
 		r = SC_ERROR_INTERNAL;
@@ -2016,7 +2024,7 @@ eac_sm_authenticate(sc_card_t *card, const struct iso_sm_ctx *ctx,
 	}
 
 	macbuf = EAC_authenticate(eacsmctx->ctx, inbuf);
-	if (!macbuf) {
+	if (!macbuf || !macbuf->length) {
 		sc_debug(card->ctx, SC_LOG_DEBUG_VERBOSE,
 				"Could not compute message authentication code (MAC).");
 		ssl_error(card->ctx);
@@ -2105,7 +2113,7 @@ add_tag(unsigned char **asn1new, int constructed, int tag,
 		return -1;
 
 	newlen = ASN1_object_size(constructed, len, tag);
-	if (newlen < 0)
+	if (newlen <= 0)
 		return newlen;
 
 	p = OPENSSL_realloc(*asn1new, newlen);

src/sm/sm-iso.c

@@ -92,7 +92,12 @@ add_padding(const struct iso_sm_ctx *ctx, const u8 *data, size_t datalen,
 	switch (ctx->padding_indicator) {
 		case SM_NO_PADDING:
 			if (*padded != data) {
-				p = realloc(*padded, datalen);
+				if (datalen == 0) {
+					free(*padded);
+					p = malloc(datalen);
+				} else {
+					p = realloc(*padded, datalen);
+				}
 				if (!p)
 					return SC_ERROR_OUT_OF_MEMORY;
 				*padded = p;
@@ -146,7 +151,7 @@ static int format_le(size_t le, struct sc_asn1_entry *le_entry,
 {
 	u8 *p;
 
-	if (!lebuf || !le_len)
+	if (!lebuf || !le_len || !*le_len)
 		return SC_ERROR_INVALID_ARGUMENTS;
 
 	p = realloc(*lebuf, *le_len);