[Bug 37133] New: Clang Static Analyzer: Null path

wine-bugs at winehq.org wine-bugs at winehq.org
Sat Aug 16 13:41:35 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=37133

            Bug ID: 37133
           Summary: Clang Static Analyzer:  Null path
           Product: Wine
           Version: 1.7.22
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: lukebenes at hotmail.com

Clang Static Analyzer identifies Null path

File: dlls/crypt32/rootstore.c

Location: line 413, column 10

Description: Null pointer passed as an argument to a 'nonnull' parameter

static BOOL import_certs_from_path(LPCSTR path,
  HCERTSTORE store, BOOL allow_dir)
{
  ...
  fd = open(path, O_RDONLY);
  //Clang: Null pointer passed as
  //an argument to a 'nonnull' parameter
  ...
}

To understand why Clang suspects that NULL may get here, let's examine the
fragment where this function is called:

static BOOL import_certs_from_dir(LPCSTR path, HCERTSTORE store)
{
  ...
  char *filebuf = NULL;
  //Clang: 'filebuf' initialized to a null pointer value
  struct dirent *entry;
  while ((entry = readdir(dir)))
  {
    ...
    size_t name_len = strlen(entry->d_name);

    //Calling function to change filebuf

    if (!check_buffer_resize(&filebuf, &bufsize,
                              path_len + 1 + name_len + 1))
    {
      ERR(...);
      break;
    }
    snprintf(filebuf, bufsize, "%s/%s", path, entry->d_name);
    if (import_certs_from_path(filebuf, store, FALSE) && !ret)
      //Clang: Passing null pointer value via 1st parameter 'path'
      //Clang: Calling 'import_certs_from_path'
      ret = TRUE;
    ...
  }
}

In this code, the check_buffer_resize function is called where either the value
of the filebuf variable must change or FALSE must be returned; but the function
may fail to change filebuf and return TRUE instead. Take a look at the
function's code below:

static BOOL check_buffer_resize(char **ptr_buf,
  size_t *buf_size, size_t check_size)
{
  if (check_size > *buf_size)
  {
    ...
    *ptr_buf = CryptMemAlloc(*buf_size);
    ...
  }
  return TRUE;
}

The function contains only one condition where the ptr_buf variable is changed,
and if this condition is false, the true return result will allow you to use
this variable further on.

A similar issue is with the memcpy() function:

File: server/directory.c

Location: line 548, column 21

Description: Null pointer passed as an argument to a 'nonnull' parameter

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
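
The path the analyzer follows in the report, reduced to a stand-alone C program. This is an added example, not Wine's code and not part of the original report. The names resize_as_reported, resize_checked and null_survives are hypothetical, malloc/realloc stand in for CryptMemAlloc, and the lines elided with "..." in the report are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the reported shape: the buffer is only touched when
 * check_size > *buf_size, and TRUE is returned on every path.
 * Assumption: malloc replaces CryptMemAlloc; elided lines are not modelled. */
static bool resize_as_reported(char **ptr_buf, size_t *buf_size, size_t check_size)
{
    if (check_size > *buf_size)
    {
        free(*ptr_buf);
        *buf_size = check_size;
        *ptr_buf = malloc(*buf_size);
    }
    return true;
}

/* Variant whose return value is tied to the pointer: TRUE implies
 * *ptr_buf != NULL and *buf_size >= check_size, so the caller's
 * "if (!resize(...)) break;" is enough to keep NULL away from open(). */
static bool resize_checked(char **ptr_buf, size_t *buf_size, size_t check_size)
{
    if (check_size == 0)
        return false;
    if (*ptr_buf == NULL || check_size > *buf_size)
    {
        char *grown = realloc(*ptr_buf, check_size); /* realloc(NULL, n) allocates */
        if (grown == NULL)
            return false;            /* old buffer and size stay valid */
        *ptr_buf = grown;
        *buf_size = check_size;
    }
    return true;
}

/* Starts from the state on the analyzer's path (constructed values): a NULL
 * buffer whose recorded size already covers the request. Returns 1 when the
 * call reports success but leaves the buffer NULL. */
static int null_survives(bool (*resize)(char **, size_t *, size_t))
{
    char *buf = NULL;
    size_t size = 64;
    bool ok = resize(&buf, &size, 16);
    int bad = ok && buf == NULL;
    free(buf);
    return bad;
}

int main(void)
{
    printf("as reported: %d, checked: %d\n",
           null_survives(resize_as_reported), null_survives(resize_checked));
    return 0;
}
```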


