The result of malloc is not checked, which risks privacy leakage.

[jmp0x7c00]

same to #14

ad may be NULL, but it is not checked.

Fidelius/web_enclave/isv_enclave/isv_enclave.cpp

Line 996 in ab0d846

uint8_t* ad = (uint8_t*)malloc(mac_len);

when ad is NULL, the content of origin will be copied outside enclave

Fidelius/web_enclave/isv_enclave/isv_enclave.cpp

Line 999 in ab0d846

memcpy(&ad[4], origin.c_str(), origin.length());

oName will be leaked.

Fidelius/web_enclave/isv_enclave/isv_enclave.cpp

Line 653 in ab0d846

origin = oName;

same problem:

Fidelius/web_enclave/isv_enclave/isv_enclave.cpp

Line 996 in ab0d846

uint8_t* ad = (uint8_t*)malloc(mac_len);

Fidelius/web_enclave/isv_enclave/isv_enclave.cpp

Line 999 in ab0d846

memcpy(&ad[4], origin.c_str(), origin.length());

Fidelius/web_enclave/isv_app/sgx_display/hdmichannel/xoverlay.cpp

Line 28 in ab0d846

data = (char*) malloc(sizeof(char) * w * h * 4);

Fidelius/web_enclave/isv_app/sgx_display/hdmichannel/xoverlay.cpp

Line 29 in ab0d846

rgb_to_rgba(data, rgb_array, w*h*sizeof(char));

Fidelius/web_enclave/isv_app/sgx_display/hdmichannel/rgbencoder.c

Line 18 in ab0d846

*dst = *src++;

4. ii may be NULL.
   

   Fidelius/web_enclave/isv_app/sgx_display/btchannel.cpp

   Line 77 in ab0d846

   ii = (inquiry_info*)malloc(max_rsp * sizeof(inquiry_info));

   
   

   Fidelius/web_enclave/isv_app/sgx_display/btchannel.cpp

   Line 79 in ab0d846

   num_rsp = hci_inquiry(dev_id, len, max_rsp, NULL, &ii, flags);