Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
Examples of errors detected by the V522…

Examples of errors detected by the V522 diagnostic

V522. Possible null pointer dereference.


Chromium

V522 Dereferencing of the null pointer 'plugin_instance' might take place. Check the logical condition. chrome_frame_npapi chrome_frame_npapi.cc 517


bool ChromeFrameNPAPI::Invoke(....)
{
  ChromeFrameNPAPI* plugin_instance =
    ChromeFrameInstanceFromNPObject(header);
  if (!plugin_instance &&
      (plugin_instance->automation_client_.get()))
    return false;
  ....
}

LLVM/Clang

V522 Dereferencing of the null pointer 'DI' might take place. llvm-tblgen dagiselmatchergen.cpp 220


void MatcherGen::EmitLeafMatchCode(const TreePatternNode *N) {
  ....
  if (DI == 0) {
    errs() << "Unknown leaf kind: " << *DI << "\n";
    abort();
  }
  ....
}

PCSX2

V522 Dereferencing of the null pointer 'ptag' might take place. pcsx2 spr.cpp 376


void _SPR1interleave() {
  ....
  u32 *ptag;
  ....
  if (ptag == NULL) {
   SysPrintf("SPR1 Tag BUSERR\n");
   spr1->chcr = ( spr1->chcr & 0xFFFF ) |
                ( (*ptag) & 0xFFFF0000 );
   psHu32(DMAC_STAT)|= 1<<15;
   done = 1;
   spr1finished = done;
   return;
  }
  ....
}

GeoLib

V522 Dereferencing of the null pointer 'pRect' might take place. geOLib geolib.cpp 3282


void WINAPI _GetMonitorRectByIndex( int iMonitor, RECT* pRect )
{
 int iMonitorCount = ::GetSystemMetrics( SM_CMONITORS );

 if ( iMonitor <= iMonitorCount || pRect != NULL ) // <=
 {
  if ( iMonitorCount == 1 )
  {
    pRect->left = 0;
    pRect->top = 0;
    pRect->right = GetSystemMetrics( SM_CXSCREEN );
    pRect->bottom = GetSystemMetrics( SM_CYSCREEN );
  }
  ....
 }
 else
 {
   pRect->left   = -1;   // <=
   pRect->top    = -1;
   pRect->right  = -1;
   pRect->bottom = -1;
 }
}

Blender

V522 Dereferencing of the null pointer 'tpart' might take place. bf_render convertblender.c 1788


static int render_new_particle_system(....)
{
  ParticleSettings *part, *tpart=0;
  ....
  // tpart don't used
  ....
  psys_particle_on_emitter(psmd,tpart->from,tpa->num,
    pa->num_dmcache,tpa->fuv,tpa->foffset,
    co,nor,0,0,sd.orco,0);
  ....
}

Blender

V522 Dereferencing of the null pointer 'eraser' might take place. Check the bitwise operation. gpencil_paint.cc 1429


static bool gpencil_stroke_eraser_is_occluded (tGPsdata *p, bGPDlayer *gpl,
                                               bGPDspoint *pt, const int x,
                                               const int y)
{
  Object *obact = (Object *)p->ownerPtr.data;
  Brush *brush = p->brush;
  Brush *eraser = p->eraser;
  BrushGpencilSettings *gp_settings = nullptr;

  if (brush->gpencil_tool == GPAINT_TOOL_ERASE)
  {
    gp_settings = brush->gpencil_settings;
  }
  else
  if ((eraser != nullptr) &
           (eraser->gpencil_tool == GPAINT_TOOL_ERASE))  // <=
  {
    gp_settings = eraser->gpencil_settings;
  }

  if ((gp_settings != nullptr) &&
      (gp_settings->flag & GP_BRUSH_OCCLUDE_ERASER) ) {
    RegionView3D *rv3d = static_cast<RegionView3D *>(p->region->regiondata);

    ....
  return false;
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'eraser' might take place. Check the bitwise operation. gpencil_paint.cc 1821

Blender

V522 Dereferencing of the null pointer 'block' might take place. interface_widgets.cc 5294


void ui_draw_popover_back (ARegion *region, uiStyle * /*style*/,
                           uiBlock *block,  rcti *rect          )
{
  ....
  if (block)
  {
    float mval_origin[2] = {float(block->bounds_offset[0]),
                            float(block->bounds_offset[1])};
    ui_window_to_block_fl (region, block, &mval_origin[0], &mval_origin[1]);
    ui_draw_popover_back_impl (wt->wcol_theme, rect, block->direction,
                               U.widget_unit / block->aspect, mval_origin);
  }
  else
  {
    const float zoom = 1.0f / block->aspect;    // <=
    wt->state (wt, &STATE_INFO_NULL, UI_EMBOSS_UNDEFINED);
    wt->draw_block (&wt->wcol, rect, 0, 0, zoom);
  }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'em' might take place. transform.cc 2117
  • V522 Dereferencing of the null pointer 'mesh' might take place. MOD_cloth.cc 108
  • V522 Dereferencing of the null pointer 'data.mval_fl' might take place. editmesh_select.cc 801

Visualization Toolkit (VTK)

V522 Dereferencing of the null pointer 'td' might take place. CommonCxxTests testconditionvariable.cxx 96


VTK_THREAD_RETURN_TYPE vtkTestCondVarThread( void* arg )
{
  ....
  if ( td )                  // <=
  {
    ....
  }
  else
  {
    cout << "No thread data!\n";
    cout << "  Thread " << ( threadId + 1 )
         << " of " << threadCount << " exiting.\n";

    -- td->NumberOfWorkers;  // <=

    cout.flush();
  }
  ....
}

ffdshow

V522 Dereferencing of the null pointer 'audio' might take place. tffdshowdecaudioinputpin.cpp 468


STDMETHODIMP_(bool) TffdshowDecAudioInputPin::getsf(
  TsampleFormat &outsf)
{
  if (!audio)
  {
    .... // audio don't used
    } else if (bitstream_codec(audio->codecId)) {
      outsf.sf = TsampleFormat::getSampleFormat(codecId);
      outsf.alternateSF = filter->insf.alternateSF;
      return true;
    }
  } else {
  ....
}

D programming language

V522 Dereferencing of the null pointer 'v' might take place. interpret.c 1711


Expression *getVarExp(Loc loc, InterState *istate,
                      Declaration *d, CtfeGoal goal)
{
  ....
  VarDeclaration *v = d->isVarDeclaration();
  if (v)
  {
    ....
  }
  else if (s)
  {
    if (s->dsym->toInitializer() == s->sym)
      ....
    else
      error(loc,
            "cannot interpret symbol %s at compile time",
            v->toChars());
  }
  ....
}

ReactOS

V522 Dereferencing of the null pointer 'device' might take place. bus.c 762


static void
acpi_bus_notify (....)
{
  struct acpi_device *device = NULL;
  ....
  switch (type) {
    ....
    case ACPI_NOTIFY_EJECT_REQUEST:
      DPRINT1("Received EJECT REQUEST "
              "notification for device [%s]\n",
              device->pnp.bus_id);
      /* TBD */
      break;
    ....
  }
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'device' might take place. bus.c 768
  • V522 Dereferencing of the null pointer 'device' might take place. bus.c 774
  • V522 Dereferencing of the null pointer 'device' might take place. bus.c 780
  • And 1 additional diagnostic messages.

ReactOS

V522 Dereferencing of the null pointer 'tag' might take place. ir_reader.cpp 904


ir_texture *
ir_reader::read_texture(s_expression *expr)
{
  s_symbol *tag = NULL;
  ....
  } else if (MATCH(expr, other_pattern)) {
    op = ir_texture::get_opcode(tag->value());
    if (op == -1)
      return NULL;
  }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 's_shadow' might take place. ir_reader.cpp 964
  • V522 Dereferencing of the null pointer 'BootSectorInfo' might take place. disksup.c 1750
  • V522 Dereferencing of the null pointer 'BootSectorInfo' might take place. disksup.c 1751
  • And 1 additional diagnostic messages.

Windows 8 Driver Samples

V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 903


HRESULT CSensorDDI::OnGetDataFields(....)
{
  ....
  if (nullptr != pSensor)
  {
    ....
  }
  else
  {
    hr = E_POINTER;
    Trace(TRACE_LEVEL_ERROR,
      "pSensor == NULL before getting datafield %!GUID!-%i "
      "value from %s, hr = %!HRESULT!",
      &Key.fmtid, Key.pid, pSensor->m_SensorName, hr);
  }
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 1852

NetXMS

V522 Dereferencing of the null pointer 'subnet' might take place. session.cpp 10823


void ClientSession::findIpAddress(CSCPMessage *request)
{
  ....
  if (subnet != NULL)
  {
    debugPrintf(5, _T("findIpAddress(%s): found subnet %s"),
                ipAddrText,
                subnet->Name());
    found = subnet->findMacAddress(ipAddr, macAddr);
  }
  else
  {
    debugPrintf(5, _T("findIpAddress(%s): subnet not found"),
                ipAddrText,
                subnet->Name());
  }
  ....
}

Multi Theft Auto

V522 Dereferencing of the null pointer 'pPlayer' might take place. cgame.cpp 1895


void CGame::Packet_PlayerJoinData ( .... )
{
  ....
  // Add the player
  CPlayer* pPlayer = m_pPlayerManager->Create (....);
  if ( pPlayer )
  {
    ....
  }
  else
  {
    // Tell the console
    CLogger::LogPrintf(
      "CONNECT: %s failed to connect "
      "(Player Element Could not be created.)\n",
      pPlayer->GetSourceIP() );
  }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'pPlayer' might take place. cgame.cpp 1901

Multi Theft Auto

V522 Dereferencing of the null pointer 'szCmdLine' might take place. Check the logical condition. clientcommands.cpp 396


void COMMAND_MessageTarget ( const char* szCmdLine )
{
  if ( !(szCmdLine || szCmdLine[0]) )
    return;
  ....
}

Trans-Proteomic Pipeline

V522 Dereferencing of the null pointer 'pepIndx' might take place. asapcgidisplay2main.cxx 534


void ASAPRatio_getDataStrctRatio(dataStrct *data, ....)
{
  ....
  int *outliers, *pepIndx=NULL;
  ....
  //pepIndx don't used
  ....
  if(data->dataCnts[i] == 1 && pepIndx[i] == 0)
     data->dataCnts[i] = 0;
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 556
  • V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 557
  • V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 558
  • And 3 additional diagnostic messages.

Data Distribution Service

V522 Dereferencing of the null pointer 'file' might take place. util.h 24


static ACE_FILE_IO *audio_to_text (ACE_FILE_Addr &,
                                   ACE_FILE_Addr &dest)
{
  ACE_FILE_Connector connector;
  ACE_FILE_IO *file = 0;
  if (connector.connect (*file, dest) == -1)
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'file' might take place. util.h 39

Scilab

V522 Dereferencing of the null pointer 'dataPtr' might take place. scilababstractmemoryallocator.hxx 222


inline static int *alloc(void * pvApiCtx, const int position,
  const int rows, const int cols, int * ptr)
{
  int * _ptr = 0;
  SciErr err = allocMatrixOfInteger32(
    pvApiCtx, position, rows, cols, &_ptr);
  checkError(err);
  return _ptr;
}

inline static void create(void * pvApiCtx, const int position,
  const int rows, const int cols, long long * ptr)
{
  int * dataPtr = 0;
  alloc(pvApiCtx, position, rows, cols, dataPtr);
  for (int i = 0; i < rows * cols; i++)
  {
    dataPtr[i] = static_cast<int>(ptr[i]);
  }
}

This is what should have been written here: dataPtr = alloc(pvApiCtx, position, rows, cols, dataPtr);

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'dataPtr' might take place. scilababstractmemoryallocator.hxx 237
  • V522 Dereferencing of the null pointer 'ptr' might take place. scilababstractmemoryallocator.hxx 401

Unreal Engine 4

V522 Dereferencing of the null pointer 'LevelStreamingObject' might take place. unrealengine.cpp 10768


bool UEngine::CommitMapChange( FWorldContext &Context )
{
  ....
  LevelStreamingObject = Context.World()->StreamingLevels[j];
  if (LevelStreamingObject != NULL)
  {
    ....
  }
  else
  {
    check(LevelStreamingObject);
    UE_LOG(LogStreaming, Log,
           TEXT("Unable to handle streaming object %s"),
           *LevelStreamingObject->GetName());
  }
  ....
}

Unreal Engine 4

V522 Dereferencing of the null pointer 'GStreamingPauseBackground' might take place. streamingpauserendering.cpp 197


void FStreamingPause::Init()
{
  ....
  if( GStreamingPauseBackground == NULL && GUseStreamingPause )
  {
    // @todo UE4 merge andrew
    // GStreamingPauseBackground = new FFrontBufferTexture(....);
    GStreamingPauseBackground->InitRHI();
  }
}

Qt

V522 Dereferencing of the null pointer 'dn' might take place. qdocindexfiles.cpp 539


void QDocIndexFiles::readIndexSection(....)
{
  ....
  DocNode* dn = qdb_->findGroup(groupNames[i]);
  if (dn) {
    dn->addMember(node);
  }
  else {
    ....
    qDebug() << "DID NOT FIND GROUP:" << dn->name()
             << "for:" << node->name();
  }
  ....
}

Qt

V522 Dereferencing of the null pointer 'm' might take place. qquickcontext2d.cpp 3169


QV4::ReturnedValue QQuickJSContext2DPixelData::getIndexed(
  QV4::Managed *m, uint index, bool *hasProperty)
{
  ....
  if (!m)
    return m->engine()->currentContext()->throwTypeError();
  ....
}

OpenJPEG

V522 Dereferencing of the null pointer 'l_image' might take place. j2k.c 5205


bool j2k_write_rgn(....)
{
  OPJ_BYTE * l_current_data = 00;
  OPJ_UINT32 l_nb_comp;
  OPJ_UINT32 l_rgn_size;
  opj_image_t *l_image = 00;
  opj_cp_t *l_cp = 00;
  opj_tcp_t *l_tcp = 00;
  opj_tccp_t *l_tccp = 00;
  OPJ_UINT32 l_comp_room;

  // preconditions
  assert(p_j2k != 00);
  assert(p_manager != 00);
  assert(p_stream != 00);

  l_cp = &(p_j2k->m_cp);
  l_tcp = &l_cp->tcps[p_tile_no];
  l_tccp = &l_tcp->tccps[p_comp_no];

  l_nb_comp = l_image->numcomps;
  ....
}

Miranda NG

V522 Dereferencing of the null pointer 'cont' might take place. EmLanProto mlan.cpp 342


void CMLan::OnRecvPacket(u_char* mes, int len, in_addr from)
{
  ....
  TContact* cont = m_pRootContact;
  ....
  if (!cont)
    RequestStatus(true, cont->m_addr.S_un.S_addr);
  ....
}

LibreOffice

V522 Dereferencing of the null pointer 'pLabelData' might take place. Check the logical condition. pivotlayouttreelistdata.cxx 157


void ScPivotLayoutTreeListData::PushDataFieldNames(
  vector<ScDPName>& rDataFieldNames)
{
  ....
  ScDPLabelData* pLabelData = mpParent->GetLabelData(nColumn);

  if (pLabelData == NULL && pLabelData->maName.isEmpty())
    continue;
  ....
}

LibreOffice

V522 Dereferencing of the null pointer 'pWindow' might take place. Check the logical condition. querycontroller.cxx 293


void grabFocusFromLimitBox( OQueryController& _rController )
{
  ....
  vcl::Window* pWindow = VCLUnoHelper::GetWindow( xWindow );
  if( pWindow || pWindow->HasChildPathFocus() )
  {
    pWindow->GrabFocusToDocument();
  }
  ....
}

LibreOffice

V522 Dereferencing of the null pointer 'piTmpConnection' might take place. adodatalinks.cxx 84


BSTR PromptNew(long hWnd)
{
  ....
  ADOConnection* piTmpConnection = NULL;

  ::CoInitialize( NULL );

  hr = CoCreateInstance(
                CLSID_DataLinks,
                NULL,
                CLSCTX_INPROC_SERVER,
                IID_IDataSourceLocator,
                (void**)&dlPrompt
                );
  if( FAILED( hr ) )
  {
    piTmpConnection->Release();
    dlPrompt->Release( );
    return connstr;
  }
  ....
}

.NET CoreCLR

V522 Dereferencing of the null pointer 'hp' might take place. cee_wks gc.cpp 4488


heap_segment* gc_heap::get_segment_for_loh (size_t size
#ifdef MULTIPLE_HEAPS
                                           , gc_heap* hp
#endif //MULTIPLE_HEAPS
                                           )
{
#ifndef MULTIPLE_HEAPS
    gc_heap* hp = 0;
#endif //MULTIPLE_HEAPS
    heap_segment* res = hp->get_segment (size, TRUE);
  ....
}

When 'MULTIPLE_HEAPS' is not defined, it's no good because the pointer will equal zero.


Godot Engine

V522 Dereferencing of the null pointer 'create_trimesh_collision_node()' might take place. mesh_instance.cpp 177


Node* MeshInstance::create_trimesh_collision_node()
{
  if (mesh.is_null())
    return NULL;
  Ref<Shape> shape = mesh->create_trimesh_shape();
  if (shape.is_null())
    return NULL;
  StaticBody * static_body = memnew( StaticBody );
  static_body->add_shape( shape );
  return static_body;
  return NULL;
}

void MeshInstance::create_trimesh_collision()
{
  StaticBody* static_body =
    create_trimesh_collision_node()->cast_to<StaticBody>();
  ERR_FAIL_COND(!static_body);
  static_body->set_name( String(get_name()) + "_col" );
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'create_convex_collision_node()' might take place. mesh_instance.cpp 211

Unreal Engine 4

V522 Dereferencing of the null pointer 'GEngine' might take place. Check the logical condition. gameplaystatics.cpp 988


void UGameplayStatics::DeactivateReverbEffect(....)
{
  if (GEngine || !GEngine->UseSound())
  {
    return;
  }
  UWorld* ThisWorld = GEngine->GetWorldFromContextObject(....);
  ....
}

Mozilla Thunderbird

V522 Dereferencing of the null pointer 'aStyleValues' might take place. sdnaccessible.cpp 252


STDMETHODIMP sdnAccessible::get_computedStyle(
                   BSTR __RPC_FAR* aStyleProperties,
                   BSTR __RPC_FAR* aStyleValues,
                   unsigned short __RPC_FAR* aNumStyleProperties)
{
  if (!aStyleProperties || aStyleValues || !aNumStyleProperties)
    return E_INVALIDARG;
  ....
  aStyleValues[realIndex] = ::SysAllocString(value.get());
  ....
}

ChakraCore

V522 Dereferencing of the null pointer 'tempNumberTracker' might take place. backwardpass.cpp 578


void
BackwardPass::MergeSuccBlocksInfo(BasicBlock * block)
{
  TempNumberTracker * tempNumberTracker = nullptr; // <= line 346
  ....
  if (!block->isDead)
  {
      ....
      if(!IsCollectionPass())
      {
          ....
          if (this->DoMarkTempNumbers())
          {
              tempNumberTracker = JitAnew(....);   // <= line 413
          }
      ....
  ....
  if (blockSucc->tempNumberTracker != nullptr)
  {
      ....
      tempNumberTracker->MergeData(....);          // <= line 578
      if (deleteData)
      {
          blockSucc->tempNumberTracker = nullptr;
      }
  }
  ....
}

FreeBSD Kernel

V522 Dereferencing of the null pointer 'sc' might take place. mrsas.c 4027


void
mrsas_aen_handler(struct mrsas_softc *sc)
{
  ....
  if (!sc) {
    device_printf(sc->mrsas_dev, "invalid instance!\n");
    return;
  }
  if (sc->evt_detail_mem) {
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'sc' might take place. mrsas.c 1279
  • V522 Dereferencing of the null pointer 'sc' might take place. tws_cam.c 1066
  • V522 Dereferencing of the null pointer 'sc' might take place. blkfront.c 677
  • And 4 additional diagnostic messages.

OpenToonz

V522 Dereferencing of the null pointer 'region' might take place. Check the logical condition. palettecmd.cpp 102


bool isStyleUsed(const TVectorImageP vi, int styleId)
{
  ....
  TRegion *region = vi->getRegion(i);
  if (region || region->getStyle() != styleId)
    return true;
  ....
}

OpenJDK

V522 Dereferencing of the null pointer 'data' might take place. util.c 2424


static jint JNICALL
cbObjectTagInstance(....)
{
    ClassInstancesData  *data;

    /* Check data structure */
    data = (ClassInstancesData*)user_data;
    if (data == NULL) {
        data->error = AGENT_ERROR_ILLEGAL_ARGUMENT;
        return JVMTI_VISIT_ABORT;
    }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'data' might take place. util.c 2543
  • V522 Dereferencing of the null pointer 'data' might take place. util.c 2601
  • V522 Dereferencing of the null pointer 'data' might take place. util.c 2760

Blender

V522 Dereferencing of the null pointer 've' might take place. functions1d.cpp 107


int QuantitativeInvisibilityF1D::operator()(....)
{
  ViewEdge *ve = dynamic_cast<ViewEdge*>(&inter);
  if (ve) {
    result = ve->qi();
    return 0;
  }
  FEdge *fe = dynamic_cast<FEdge*>(&inter);
  if (fe) {
    result = ve->qi(); // <=
    return 0;
  }
  ....
}

Blender

V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 765


static ImBuf *accessor_get_ibuf(....)
{
  ImBuf *ibuf, *orig_ibuf, *final_ibuf;
  ....
  /* First try to get fully processed image from the cache. */
  ibuf = accesscache_get(accessor,
                         clip_index,
                         frame,
                         input_mode,
                         downscale,
                         transform_key);
  if (ibuf != NULL) {
        return ibuf;
    }
  /* And now we do postprocessing of the original frame. */
  orig_ibuf = accessor_get_preprocessed_ibuf(accessor,
                                             clip_index,
                                             frame);
  if (orig_ibuf == NULL) {
        return NULL;
  }
  ....
  if (downscale > 0) {
      if (final_ibuf == orig_ibuf) {
          final_ibuf = IMB_dupImBuf(orig_ibuf);
      }
      IMB_scaleImBuf(final_ibuf,
                     ibuf->x / (1 << downscale),  // <=
                     ibuf->y / (1 << downscale)); // <=
  }
  ....
  if (input_mode == LIBMV_IMAGE_MODE_RGBA) {
      BLI_assert(ibuf->channels == 3 ||           // <=
                 ibuf->channels == 4);            // <=
  }
  ....
  return final_ibuf;
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 766
  • V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 783

Chromium

V522 Dereferencing of the null pointer 'item' might take place. action_wait.cc 41


// Returns the item associated with the component |id| or nullptr
// in case of errors.
CrxUpdateItem* FindUpdateItemById(const std::string& id) const;

void ActionWait::Run(UpdateContext* update_context,
                     Callback callback)
{
....
  while (!update_context->queue.empty())
  {
      auto* item =
        FindUpdateItemById(update_context->queue.front());
      if (!item) {                                         // <=
        item->error_category =                             // <=
          static_cast<int>(ErrorCategory::kServiceError);
        item->error_code =                                 // <=
          static_cast<int>(ServiceError::ERROR_WAIT);
        ChangeItemState(item, CrxUpdateItem::State::kNoUpdate);
      } else {
        NOTREACHED();
      }
      update_context->queue.pop();
  }
....
}

LLVM/Clang

V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 106


Expected<std::unique_ptr<PDBFile>>
PDBFileBuilder::build(
  std::unique_ptr<msf::WritableStream> PdbFileBuffer)
{
  ....
  auto File = llvm::make_unique<PDBFile>(
    std::move(PdbFileBuffer), Allocator);

  File->ContainerLayout = *ExpectedLayout;

  if (Info) {
    auto ExpectedInfo = Info->build(*File, *PdbFileBuffer);
  ....
}

The code is not clear to me, as I have not studied what llvm::make_unique is, and how it works in general. Nevertheless, both myself and the analyzer are confused by the fact that at first glance the possession of an object from a smart pointer PdbFileBuffer goes to File. After that we have dereferencing of a null pointer PdbFileBuffer that already contains nullptr

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 113
  • V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 120
  • V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 127

FreeBSD Kernel

V522 Dereferencing of the null pointer 'ccb' might take place. The null pointer is passed into 'iscsi_outstanding_add' function. Inspect the third argument. Check lines: 'iscsi.c:2157'. iscsi.c 2091


static struct iscsi_outstanding *
iscsi_outstanding_add(struct iscsi_session *is,
                      struct icl_pdu *request,
                      union ccb *ccb,
                      uint32_t *initiator_task_tagp)
{
  struct iscsi_outstanding *io;
  int error;

  ISCSI_SESSION_LOCK_ASSERT(is);

  io = uma_zalloc(iscsi_outstanding_zone, M_NOWAIT | M_ZERO);
  if (io == NULL) {
    ISCSI_SESSION_WARN(is, "failed to allocate %zd bytes",
        sizeof(*io));
    return (NULL);
  }

  error = icl_conn_task_setup(is->is_conn, request, &ccb->csio,
    initiator_task_tagp, &io->io_icl_prv);
  ....
}

static void
iscsi_action_abort(struct iscsi_session *is, union ccb *ccb)
{
  ....
  io = iscsi_outstanding_add(is, request, NULL,
                             &initiator_task_tag);
  ....
}

CryEngine V

V522 Dereferencing of the null pointer 'pCEntity' might take place. BreakableManager.cpp 2396


int CBreakableManager::HandlePhysics_UpdateMeshEvent(....)
{
  CEntity* pCEntity = 0;
  ....
  if (pmu && pSrcStatObj && GetSurfaceType(pSrcStatObj))
  {
    ....
    if (pEffect)
    {
      ....
      if (normal.len2() > 0)
        pEffect->Spawn(true, pCEntity->GetSlotWorldTM(...); // <=
    }
  }

  ....

  if (iForeignData == PHYS_FOREIGN_ID_ENTITY)
  {
    pCEntity = (CEntity*)pForeignData;
    if (!pCEntity || !pCEntity->GetPhysicalProxy())
      return 1;
  }
  ....
}

Scilab

V522 Dereferencing of the null pointer 'dataz' might take place. polylinedata_wrap.c 373


BOOL translatePolyline(int uid, double x, double y, double z,
                       int flagX, int flagY, int flagZ)
{
  double *datax = NULL;
  double *datay = NULL;
  double *dataz = NULL;                          // <=

  int i = 0;
  if (x != 0.0)
  {
    datax = getDataX(uid);
    if (datax == NULL) return FALSE;
  ....
  if (z != 0 && isZCoordSet(uid))
  {
    if (flagZ) {
      for (i = 0; i < getDataSize_(uid); ++i)
      {
        dataz[i] = pow(10.,log10(dataz[i]) + z); // <=
      }
    } else {
      for (i = 0; i < getDataSize_(uid); ++i)
      {
        dataz[i] += z;                           // <=
      }
    }
  }

  return TRUE;
}

Bind

V522 Dereferencing of the null pointer 'stylep' might take place. Check the logical condition. delv.c 500


static isc_result_t
setup_style(dns_master_style_t **stylep) {
  isc_result_t result;
  dns_master_style_t *style = NULL;

  REQUIRE(stylep != NULL || *stylep == NULL);
  ....
}

Aspell

V522 There might be dereferencing of a potential null pointer 'first'. objstack.cpp 21


ObjStack::ObjStack(size_t chunk_s, size_t align)
  : chunk_size(chunk_s), min_align(align), temp_end(0)
{
  first_free = first = (Node *)malloc(chunk_size);
  first->next = 0;
  reserve = 0;
  setup_chunk();
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'reinterpret_cast< void * * > (block)'. block_slist-t.hpp 27
  • V522 There might be dereferencing of a potential null pointer 'w1.str'. prezip.c 87
  • V522 There might be dereferencing of a potential null pointer 'w'. prezip.c 164
  • And 2 additional diagnostic messages.

Tizen

V522 There might be dereferencing of a potential null pointer 'list'. storage-plugin-sample.c 564


storage_error_code_t sample_get_list(....)
{
  ....
  storage_adaptor_file_info_h *list = NULL;
  int len = g_list_length(_file_list);
  if (0 < len) {
    list = (storage_adaptor_file_info_h *)                 // <=
      calloc(len, sizeof(storage_adaptor_file_info_h));
    for (int i = 0; i < len; i++)
      list[i] = (storage_adaptor_file_info_h)              // <=
                g_list_nth_data(_file_list, i);
  }
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'plugin_task'. storage-plugin-sample.c 1016


static async_job_t *create_job_s(int fd)
{
  async_job_t *job =
    (async_job_t *) calloc(1, sizeof(async_job_t));        // <=
  if (job) {
    job->local_path = NULL;
    job->cloud_path = NULL;
    job->fd = fd;
  }

  return job;                                              // <=
}

storage_error_code_t sample_upload_async(....)
{
  ....
  async_job_t *plugin_task = create_job_s(src_file_descriptor);

  char *path = NULL;
  path = g_strconcat(VIRTUAL_ROOT_PATH(context),
    dir_path ? dir_path : "", "/", file_name, NULL);

  plugin_task->cloud_path = path;                          // <=
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'cb_data'. util.c 37


void back_button_cb_push(....)
{
  back_button_cb_data *cb_data = malloc(sizeof(*cb_data));
  cb_data->cb = cb;
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'info'. navigator.c 2819


static void on_gesture_detected(void *data,
                                const Eldbus_Message *msg)
{
  ....
  Gesture_Info *info = calloc(sizeof(Gesture_Info), 1);    // <=
  int g_type;
  if (!msg) {
    DEBUG("Incoming message is empty");
    free(info);
    return;
  }

  if (!eldbus_message_arguments_get(....)) {
    DEBUG("Getting message arguments failed");
    free(info);
    return;
  }
  info->type = (Gesture)g_type;                            // <=
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'item_type'. list_util.c 72


HAPI void quickpanel_list_util_set_item_type(....)
{
  ....
  if (item_type == NULL) {
    item_type = (int*)malloc(sizeof(int));

    *item_type = type;

    evas_object_data_set(item, E_DATA_ITEM_LABEL_H,
                         (void*)item_type);
  }
}

Tizen

V522 There might be dereferencing of a potential null pointer 'popup_data'. popup.c 1167


void
popup_cb(void *data, Evas_Object *obj, void *event_info)
{
  ....
  win_data *popup_data = (win_data*)malloc(sizeof(win_data));

  elm_theme_extension_add(NULL, ELM_DEMO_EDJ);
  /* We convince the top widget is a window */
  win = ad->win;
  list = elm_list_add(ad->nf);
  elm_list_mode_set(list, ELM_LIST_COMPRESS);
  popup_data->list = list;
  popup_data->win = win;
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'inputHandle'. cpp_audio_io.cpp 928


int cpp_audio_in_peek(audio_in_h input, const void **buffer,
                      unsigned int *length) {
  ....
  CAudioInput* inputHandle =
    dynamic_cast<CAudioInput*>(handle->audioIoHandle);
  assert(inputHandle);
  inputHandle->peek(buffer, &_length);
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'preedit_attr'. ise.cpp 392


void ise_update_preedit_string(....)
{
  ....
  ime_preedit_attribute *preedit_attr;
  ....
  preedit_attr = (ime_preedit_attribute *)
                 calloc(1, sizeof(ime_preedit_attribute));
  preedit_attr->start = 0;
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'msg'. QuickAccess.cpp 743


void QuickAccess::setButtonColor(Evas_Object* button,
                                 int r, int g, int b, int a)
{
  Edje_Message_Int_Set* msg =
  (Edje_Message_Int_Set *)malloc(sizeof(*msg) + 3 * sizeof(int));
  msg->count = 4;
  msg->val[0] = r;
  msg->val[1] = g;
  msg->val[2] = b;
  msg->val[3] = a;
  edje_object_message_send(elm_layout_edje_get(button),
                           EDJE_MESSAGE_INT_SET, 0, msg);
  free(msg);
}

Tizen

V522 There might be dereferencing of a potential null pointer 'selected_device'. setting_item_device_list.c 121


static void device_list_select_cb(void *data, Evas_Object *obj,
                                  void *event_info)
{
  do_haptic(50);

  device_info_s *info = (device_info_s *) data;

  selected_device = (device_info_s *)
                    calloc(sizeof(device_info_s), 1);
  selected_device->index = info->index;
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'sql_callback'. download-db-service.cpp 75


void initialize_datacontrol_provider()
{
  DM_LOGI("initialize_datacontrol_provider");

  int result;

  sql_callback = (data_control_provider_sql_cb *)
                 malloc(sizeof(data_control_provider_sql_cb));
  sql_callback->select_cb = select_request_cb;
  ....
}

Tizen

V522 There might be dereferencing of a potential null pointer 'msg'. util.c 113


void util_bg_color_rgba_set(Evas_Object *layout,
                            char r, char g, char b, char a)
{
  Edje_Message_Int_Set *msg;

  ret_if(!layout);

  msg = malloc(sizeof(*msg) + 3 * sizeof(int));

  msg->count = 4;
  msg->val[0] = r;
  msg->val[1] = g;
  msg->val[2] = b;
  msg->val[3] = a;

  edje_object_message_send(elm_layout_edje_get(layout),
                           EDJE_MESSAGE_INT_SET, 1, msg);
  free(msg);
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'pkg_data'. privacy_package_list_view.c 320
  • V522 There might be dereferencing of a potential null pointer 'data'. privacy_guard_package_list_view.c 126
  • V522 There might be dereferencing of a potential null pointer 'id'. privacy_package_list_view.c 470
  • And 58 additional diagnostic messages.

EFL Core Libraries

V522 There might be dereferencing of a potential null pointer 't'. eina_tiler.c 1146


EAPI Eina_Tiler *eina_tiler_new(int w, int h)
{
  Eina_Tiler *t;

  EINA_SAFETY_ON_TRUE_RETURN_VAL((w <= 0) || (h <= 0), NULL);

  t = calloc(1, sizeof(Eina_Tiler));
  t->last.add.w = -1;
  t->last.add.h = -1;
  t->last.del.w = -1;
  t->last.del.h = -1;
  t->area.w = w;
  t->area.h = h;
  t->tile.w = 32;
  t->tile.h = 32;
  t->rounding = EINA_TRUE;
  EINA_MAGIC_SET(t, EINA_MAGIC_TILER);
  _splitter_new(t);
  return t;
}

EFL Core Libraries

V522 There might be dereferencing of a potential null pointer 'e'. evas_cserve2_fonts.c 66


static void *
_font_slave_error_send(Error_Type error)
{
  Error_Type *e = calloc(1, sizeof(*e));
  *e = error;
  return e;
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'tmpstr'. eo_generator.c 158
  • V522 There might be dereferencing of a potential null pointer 'ctx'. eo_lexer.c 1220
  • V522 Dereferencing of the null pointer 'v' might take place. The potential null pointer is passed into 'evas_triangle3_set' function. Inspect the first argument. Check lines: 'evas_3d_utils.h:2449'. evas_3d_utils.h 651
  • And 390 additional diagnostic messages.

Enlightenment

V522 There might be dereferencing of a potential null pointer 'task'. e_fm_ipc.c 489


static void
_e_fm_ipc_mkdir(int id, const char *src, const char *rel,
                int rel_to EINA_UNUSED, int x, int y)
{
  E_Fm_Task *task;

  task = malloc(sizeof(E_Fm_Task));

  task->id = id;
  task->type = E_FM_OP_MKDIR;
  task->slave = NULL;
  ....
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'm'. e_fm_ipc.c 1046
  • V522 There might be dereferencing of a potential null pointer 't'. e_fm_op.c 444
  • V522 There might be dereferencing of a potential null pointer 'ntask'. e_fm_op.c 896
  • And 599 additional diagnostic messages.

ClickHouse

V522 Dereferencing of the null pointer 'cond_col' might take place. FunctionsConditional.h 765


bool executeForNullThenElse(....)
{
  ....
  const ColumnUInt8 * cond_col =
    typeid_cast<const ColumnUInt8 *>(arg_cond.column.get());
  ....
  if (cond_col)
  {
    ....
  }
  else if (cond_const_col)
  {
    ....
  }
  else
    throw Exception(
      "Illegal column " + cond_col->getName() +            // <=
      " of first argument of function " + getName() +
      ". Must be ColumnUInt8 or ColumnConstUInt8.",
      ErrorCodes::ILLEGAL_COLUMN);
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'cond_col' might take place. FunctionsConditional.h 1061

MuseScore

V522 Dereferencing of the null pointer 'customDrumset' might take place. instrument.cpp 328


bool Instrument::readProperties(XmlReader& e, Part* part,
  bool* customDrumset)
{
  ....
  else if (tag == "Drum") {
    // if we see on of this tags, a custom drumset will
    // be created
    if (!_drumset)
      _drumset = new Drumset(*smDrumset);
    if (!customDrumset) {                        // <=
      const_cast<Drumset*>(_drumset)->clear();
      *customDrumset = true;                     // <=
    }
    const_cast<Drumset*>(_drumset)->load(e);
  }
  ....
}

MuseScore

V522 Dereferencing of the null pointer 'segment' might take place. measure.cpp 2220


void Measure::read(XmlReader& e, int staffIdx)
{
  Segment* segment = 0;
  ....
  while (e.readNextStartElement()) {
    const QStringRef& tag(e.name());

    if (tag == "move")
      e.initTick(e.readFraction().ticks() + tick());
    ....
    else if (tag == "sysInitBarLineType") {
      const QString& val(e.readElementText());
      BarLine* barLine = new BarLine(score());
      barLine->setTrack(e.track());
      barLine->setBarLineType(val);
      segment = getSegmentR(SegmentType::BeginBarLine, 0); //!!!
      segment->add(barLine);                           // <= OK
    }
    ....
    else if (tag == "Segment")
      segment->read(e);                                // <= ERR
    ....
  }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'segment' might take place. read114.cpp 1551
  • V522 Dereferencing of the null pointer 'segment' might take place. read206.cpp 1879

Audacity

V522 Dereferencing of the null pointer 'mInputStream' might take place. FileIO.cpp 65


std::unique_ptr<wxInputStream> mInputStream;
std::unique_ptr<wxOutputStream> mOutputStream;

wxInputStream & FileIO::Read(void *buf, size_t size)
{
   if (mInputStream == NULL) {
      return *mInputStream;
   }

   return mInputStream->Read(buf, size);
}

wxOutputStream & FileIO::Write(const void *buf, size_t size)
{
   if (mOutputStream == NULL) {
      return *mOutputStream;
   }

   return mOutputStream->Write(buf, size);
}

Sphinx (search engine)

V522 Dereferencing of the null pointer 'pConsts' might take place. The null pointer is passed into 'Expr_StrIn_c' function. Inspect the third argument. Check lines: 5407, 5946. sphinxexpr.cpp 5407


Expr_StrIn_c ( const CSphAttrLocator & tLoc, int iLocator,
               ConstList_c * pConsts, UservarIntSet_c * pUservar,
               ESphCollation eCollation )
  : Expr_ArgVsConstSet_c<int64_t> ( NULL, pConsts )
  , ExprLocatorTraits_t ( tLoc, iLocator )
  , m_pStrings ( NULL )
  , m_pUservar ( pUservar )
{
  assert ( tLoc.m_iBitOffset>=0 && tLoc.m_iBitCount>0 );
  assert ( !pConsts || !pUservar );

  m_fnStrCmp = GetCollationFn ( eCollation );

  const char * sExpr = pConsts->m_sExpr.cstr();      // <=
  ....
}

ISphExpr * ExprParser_t::CreateInNode ( int iNode )
{
  ....
  case TOK_ATTR_STRING:
    return new Expr_StrIn_c ( tLeft.m_tLocator,
                              tLeft.m_iLocator,
                              NULL,                   // <=
                              pUservar,
                              m_eCollation );
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'pConsts' might take place. The null pointer is passed into 'Expr_JsonFieldIn_c' function. Inspect the first argument. Check lines: 5238, 5948. sphinxexpr.cpp 5238

Sphinx (search engine)

V522 Dereferencing of the null pointer 'pBuf' might take place. The null pointer is passed into 'Ok' function. Inspect the third argument. Check lines: 2567, 12267, 12424, 14979. searchd.cpp 2567


void ISphOutputBuffer::SendBytes ( const void * pBuf, int iLen )
{
  int iOff = m_dBuf.GetLength();
  m_dBuf.Resize ( iOff + iLen );
  memcpy ( m_dBuf.Begin() + iOff, pBuf, iLen );           // <=
}

void SendMysqlOkPacket ( ISphOutputBuffer & tOut, BYTE uPacketID,
                         int iAffectedRows=0, int iWarns=0,
                         const char * sMessage=NULL,
                         bool bMoreResults=false )
{
  DWORD iInsert_id = 0;
  char sVarLen[20] = {0};
  void * pBuf = sVarLen;
  pBuf = MysqlPack ( pBuf, iAffectedRows );
  pBuf = MysqlPack ( pBuf, iInsert_id );
  int iLen = (char *) pBuf - sVarLen;

  int iMsgLen = 0;
  if ( sMessage )
    iMsgLen = strlen(sMessage) + 1;

  tOut.SendLSBDword ( (uPacketID<<24) + iLen + iMsgLen + 5);
  tOut.SendByte ( 0 );
  tOut.SendBytes ( sVarLen, iLen );
  if ( iWarns<0 ) iWarns = 0;
  if ( iWarns>65535 ) iWarns = 65535;
  DWORD uWarnStatus = iWarns<<16;
  if ( bMoreResults )
    uWarnStatus |= ( SPH_MYSQL_FLAG_MORE_RESULTS );
  tOut.SendLSBDword ( uWarnStatus );
  tOut.SendBytes ( sMessage, iMsgLen );                   // <=
}

inline void Ok( int iAffectedRows=0, int iWarns=0,
                const char * sMessage=NULL,
                bool bMoreResults=false )
{
  SendMysqlOkPacket ( m_tOut, m_uPacketID, iAffectedRows, // <=
                      iWarns, sMessage, bMoreResults );
  if ( bMoreResults )
    m_uPacketID++;
}

void HandleMysqlMultiStmt (....)
{
  ....
  dRows.Ok ( 0, 0, NULL, bMoreResultsFollow );
  ....
}

Chromium

V522 CWE-476 Dereferencing of the null pointer 'focus_controller_' might take place. display.cc 52


class Display : ....
{
  ....
  std::unique_ptr<FocusController> focus_controller_;
  ....
}

Display::~Display() {
  ....
  if (!focus_controller_) {
    focus_controller_->RemoveObserver(this);
    focus_controller_.reset();
  }
  ....
}

An incorrectly written condition. Pointer is dereferenced, if it is null.


Chromium

V522 CWE-476 Dereferencing of the null pointer 'context' might take place. device_media_async_file_util.cc 322


void DeviceMediaAsyncFileUtil::CreateOrOpen(
    std::unique_ptr<FileSystemOperationContext> context, ....) {
  ....
  CreateSnapshotFile(
      std::move(context), url,
      base::Bind(
        &NativeMediaFileUtil::CreatedSnapshotFileForCreateOrOpen,
        base::RetainedRef(context->task_runner()),
        file_flags, callback));
}

The order of arguments evaluation when calling the CreateSnapshotFile function defines whether a dereference of a null pointer will be or not. In C++ the function argument evaluation order is not defined (unspecified behavior). If in the beginning the argument std::move(context) is evaluated, a dereference of a null pointer will occur.

Similar errors can be found in some other places:

  • V522 CWE-476 Dereferencing of the null pointer 'delegate' might take place. payment_request_web_contents_manager.cc 39

Chromium

V522 CWE-476 Dereferencing of the null pointer 'embedder_extension' might take place. Check the bitwise operation. app_view_guest.cc 186


void AppViewGuest::CreateWebContents(....) {
  ....
  if (!guest_extension ||
      !guest_extension->is_platform_app() ||
      !embedder_extension |
      !embedder_extension->is_platform_app()) {
    callback.Run(nullptr);
    return;
  }
  ....
}

A typo. Instead of || a developer accidentally wrote |. As a result, a pointer embedder_extension is dereferenced regardless if it's null or not.


Chromium

V522 CWE-476 Dereferencing of the null pointer 'network_list' might take place. networking_private_service_client.cc 351


std::unique_ptr<base::ListValue>
NetworkingPrivateServiceClient::GetEnabledNetworkTypes() {
  std::unique_ptr<base::ListValue> network_list;
  network_list->AppendString(::onc::network_type::kWiFi);
  return network_list;
}

A smart pointer is null by default. As a smart pointer is not initialized before its usage, a dereference of a null pointer will occur.


Chromium

V522 CWE-690 There might be dereferencing of a potential null pointer 'device_interface_detail_data'. Check lines: 103, 102. hid_service_win.cc 103


void HidServiceWin::EnumerateBlocking(....)
{
  ....
  std::unique_ptr<SP_DEVICE_INTERFACE_DETAIL_DATA,
                  base::FreeDeleter>
    device_interface_detail_data(
      static_cast<SP_DEVICE_INTERFACE_DETAIL_DATA*>(
        malloc(required_size)));

  device_interface_detail_data->cbSize =
    sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);
  ....
}

There is no protection if the malloc function returns a null pointer.


Chromium

V522 CWE-690 There might be dereferencing of a potential null pointer 'file_'. Check lines: 716, 715. visitedlink_master.cc 716


void VisitedLinkMaster::OnTableLoadComplete(....)
{
  ....
  file_ = static_cast<FILE**>(malloc(sizeof(*file_)));
  *file_ = load_from_file_result->file.release();
  ....
}

There is no protection if the malloc function returns a null pointer.


V8 JavaScript Engine

V522 CWE-628 Dereferencing of the null pointer 'object' might take place. The null pointer is passed into 'IsHandler' function. Inspect the first argument. Check lines: 'ic-inl.h:44', 'stub-cache.cc:19'. ic-inl.h 44


bool Object::IsSmi() const { return HAS_SMI_TAG(this); }

bool IC::IsHandler(Object* object) {
  return (object->IsSmi() && (object != nullptr)) ||
         object->IsDataHandler() ||
         object->IsWeakCell() ||
         object->IsCode();
}

The object pointer is dereferenced first and then checked for NULL. Indeed, the expression looks quite suspicious.


LLVM/Clang

V522 CWE-690 There might be dereferencing of a potential null pointer 'TheTable'. Check lines: 65, 59. stringmap.cpp 65


void StringMapImpl::init(unsigned InitSize) {
  assert((InitSize & (InitSize-1)) == 0 &&
         "Init Size must be a power of 2 or zero!");
  NumBuckets = InitSize ? InitSize : 16;
  NumItems = 0;
  NumTombstones = 0;

  TheTable = (StringMapEntryBase **)
             calloc(NumBuckets+1,
                    sizeof(StringMapEntryBase **) +
                    sizeof(unsigned));

  // Allocate one extra bucket, set it to look filled
  // so the iterators stop at end.
  TheTable[NumBuckets] = (StringMapEntryBase*)2;
}

The bug is interesting because if calloc returns NULL, then the program will not necessarily immediately fall. A record occurs not by a null pointer, but by a shift equal to NumBuckets. And this can be a great value.


LLVM/Clang

V522 CWE-690 There might be dereferencing of a potential null pointer 'Buckets'. Check lines: 219, 217. foldingset.cpp 219


static void **AllocateBuckets(unsigned NumBuckets) {
  void **Buckets = static_cast<void**>(calloc(NumBuckets+1,
                                              sizeof(void*)));
  // Set the very last bucket to be a non-null "pointer".
  Buckets[NumBuckets] = reinterpret_cast<void*>(-1);
  return Buckets;
}

The bug is interesting because if calloc returns NULL, then the program will not necessarily immediately fall. A record occurs not by a null pointer, but by a shift equal to NumBuckets. And this can be a great value.


Yasm

V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 52, 51. substr.h 52


static SubStr *
SubStr_new_u(unsigned char *s, unsigned int l)
{
    SubStr *r = malloc(sizeof(SubStr));
    r->str = (char*)s;
    r->len = l;
    return r;
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 68, 67. substr.h 68
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 84, 83. substr.h 84
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'inc'. Check lines: 80, 79. genmodule.c 80
  • And 29 additional diagnostic messages.

WebRTC

V522 CWE-690 There might be dereferencing of a potential null pointer 'self'. Check lines: 22, 21. noise_suppression.c 22


NsHandle* WebRtcNs_Create() {
  NoiseSuppressionC* self = malloc(sizeof(NoiseSuppressionC));
  self->initFlag = 0;
  return (NsHandle*)self;
}

There is no protection if the malloc function returns a null pointer.


WebRTC

V522 CWE-690 There might be dereferencing of a potential null pointer 'left'. Check lines: 412, 403. resampler.cc 412


int Resampler::Push(....)
{
  ....
  int16_t* left =
   static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));
  int16_t* right =
   static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));
  ....
  for (size_t i = 0; i < lengthIn; i += 2) {
    left[i >> 1] = samplesIn[i];
    right[i >> 1] = samplesIn[i + 1];
  }
  ....
}

There is no protection if the malloc function returns a null pointer.

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'right'. Check lines: 413, 405. resampler.cc 413
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 88, 84. echo_control_mobile.cc 88
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 218, 216. aecm_core.cc 218
  • And 2 additional diagnostic messages.

XNU kernel

V522 CWE-628 Dereferencing of the null pointer 'session' might take place. The null pointer is passed into 'netagent_send_error_response' function. Inspect the first argument. Check lines: 427, 972. network_agent.c 427


static int
netagent_send_error_response(
  struct netagent_session *session, u_int8_t message_type,
               u_int32_t message_id, u_int32_t error_code)
{
  int error = 0;
  u_int8_t *response = NULL;
  size_t response_size = sizeof(struct netagent_message_header);
  MALLOC(response, u_int8_t *, response_size,
         M_NETAGENT, M_WAITOK);
  if (response == NULL) {
    return (ENOMEM);
  }
  (void)netagent_buffer_write_message_header(.....);

  if ((error = netagent_send_ctl_data(session->control_unit,
      (u_int8_t *)response, response_size))) {
    NETAGENTLOG0(LOG_ERR, "Failed to send response");
  }

  FREE(response, M_NETAGENT);
  return (error);
}

static void
netagent_handle_unregister_message(
  struct netagent_session *session, ....)
#pragma unused(payload_length, packet, offset)
  u_int32_t response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;

  if (session == NULL) {
    NETAGENTLOG0(LOG_ERR, "Failed to find session");
    response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;
    goto fail;
  }

  netagent_unregister_session_wrapper(session);

  netagent_send_success_response(session, .....);
  return;
fail:
  netagent_send_error_response(
    session, NETAGENT_MESSAGE_TYPE_UNREGISTER, message_id,
    response_error);
}

If in the function netagent_handle_unregister_message a transition to the fail label occurs, then the null pointer dereferencing will occur in the function netagent_send_error_response.


XNU kernel

V522 CWE-628 Dereferencing of the null pointer 'pbuf' might take place. The null pointer is passed into 'pf_lazy_makewritable' function. Inspect the second argument. Check lines: 349, 7460. pf.c 349


void *
pf_lazy_makewritable(struct pf_pdesc *pd, pbuf_t *pbuf, int len)
{
  void *p;

  if (pd->lmw < 0)
    return (NULL);

  VERIFY(pbuf == pd->mp);

  p = pbuf->pb_data;
  if (len > pd->lmw) {
  ....
}

static int
pf_test_state_icmp(....)
{
  ....
  if (pf_lazy_makewritable(pd, NULL,
      off + sizeof (struct icmp6_hdr)) ==
      NULL)
    return (PF_DROP);
  ....
}

Incorrect call of the pf_lazy_makewritable function. Null pointer dereference might occur.


XNU kernel

V522 CWE-690 There might be dereferencing of a potential null pointer 'dp'. vfs_cache.c 1449


typedef struct vnode * vnode_t;

int
cache_lookup_path(...., vnode_t dp, ....)
{
  ....
  if (dp && (dp->v_flag & VISHARDLINK)) {
    break;
  }
  if ((dp->v_flag & VROOT)  ||
      dp == ndp->ni_rootdir ||
      dp->v_parent == NULLVP)
    break;
  ....
}

The pointer dp can be null. However, further the pointer is dereferenced before the preliminary check.


Krita

V522 Dereferencing of the null pointer 'slot' might take place. kis_spriter_export.cpp 568


KisImportExportFilter::ConversionStatus
KisSpriterExport::convert(
  KisDocument *document,
  QIODevice *io,
  KisPropertiesConfigurationSP /*configuration*/)
{
  ....
  SpriterSlot *slot = 0;

  if (file.layerName.contains("slot(")) {
    int start = file.layerName.indexOf("slot(") + 5;
    int end = file.layerName.indexOf(')', start);
    slot->name = file.layerName.mid(start, end - start); // <=
    slot->defaultAttachmentFlag = ....                   // <=
  }
  ....
}

Android

V522 CWE-476 Dereferencing of the null pointer 'xmlProxyLib' might take place. EffectsConfig.cpp 205


bool parseEffect(....) {
  ....
  if (xmlProxyLib == nullptr) {
    ALOGE("effectProxy must contain a <%s>: %s",
          tag, dump(*xmlProxyLib));
    return false;
  }
  ....
}

Android

V522 CWE-476 Dereferencing of the null pointer 'needed' might take place. linker.cpp 1847


static void soinfo_unload_impl(soinfo* root) {
  ....
  soinfo* needed = find_library(si->get_primary_namespace(),
                library_name, RTLD_NOLOAD, nullptr, nullptr);

  if (needed != nullptr) {
    PRINT("warning: couldn't find %s needed by %s on unload.",
      library_name, si->get_realpath());
    return;
  } else if (local_unload_list.contains(needed)) {
    return;
  } else if (needed->is_linked() &&                       // <=
             needed->get_local_group_root() != root) {
    external_unload_list.push_back(needed);
  } else {
    unload_list.push_front(needed);
  }
  ....
}

Android

V522 CWE-690 There might be dereferencing of a potential null pointer 'param'. Check lines: 245, 244. BufferProviders.cpp 245


DownmixerBufferProvider::DownmixerBufferProvider(....)
{
  ....
  effect_param_t * const param = (effect_param_t *)
                                 malloc(downmixParamSize);
  param->psize = sizeof(downmix_params_t);
  ....
}

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'newStr'. Check lines: 169, 163. DexDump.cpp 169
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'image->rows'. Check lines: 682, 680. Images.cpp 682
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'image->colors'. Check lines: 758, 715. Images.cpp 758
  • And 101 additional diagnostic messages.

Android

V522 CWE-690 There might be dereferencing of a potential null pointer 'newStr'. Check lines: 203, 202. DexDump.cpp 203


static char* descriptorClassToDot(const char* str)
{
  ....
  newStr = strdup(lastSlash);
  newStr[strlen(lastSlash)-1] = '\0';
  ....
}

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'cp'. Check lines: 1554, 1543. DexDump.cpp 1554
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'cp'. Check lines: 1385, 1374. dexlayout.cc 1385
  • V522 CWE-628 Dereferencing of the null pointer 'n' might take place. The potential null pointer is passed into 'remove_trailing_slashes' function. Inspect the first argument. Check lines: 461, 540, 537. fs_mgr.cpp 461
  • And 4 additional diagnostic messages.

Vangers: One For The Road

V522 CWE-690 There might be dereferencing of a potential null pointer 'fileName'. Check lines: 72, 70. zip_resource.cpp 72


void XZIP_FileHeader::SetName(char *p)
{
  int i, sz = strlen(p);
  fileName = strdup(p);
  for (i = 0; i < sz; i ++)
    if (fileName[i] == '/') fileName[i] = '\\';
}

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'item'. ascr_fnc.cpp 5356
  • V522 CWE-690 There might be dereferencing of a potential null pointer. A constructor of the string class expects a valid pointer. ivmap.cpp 309
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'idxName'. Check lines: 94, 92. zip_resource.cpp 94

Perl 5

V522 Dereferencing of the null pointer 'sv' might take place. pp_ctl.c 577


OP * Perl_pp_formline(void)
{
  ....
  SV *sv = ((void *)0);
  ....
  switch (*fpc++) {
  ....
  case 4:
    arg = *fpc++;
    f += arg;
    fieldsize = arg;
    if (mark < sp)
      sv = *++mark;
    else {
      sv = &(PL_sv_immortals[2]);
      Perl_ck_warner( (28 ), "....");
    }
    ....
    break;
  case 5:
  {
    const char *s = item = ((((sv)->sv_flags & (....)) == 0x00000400) ? ....
    ....
  }
  ....
}

Qt

V522 CWE-690 There might be dereferencing of a potential null pointer 'nodes'. Check lines: 138, 136. makefiledeps.cpp 138


SourceFiles::SourceFiles()
{
  nodes = (SourceFileNode**)malloc(sizeof(SourceFileNode*)*(num_nodes=3037));
  for(int n = 0; n < num_nodes; n++)
    nodes[n] = nullptr;
}

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'rdb'. Check lines: 299, 296. qfilesystemengine_win.cpp 299
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'h'. Check lines: 73, 72. qjson.cpp 73
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'h'. Check lines: 310, 306. qjsonparser.cpp 310
  • And 19 additional diagnostic messages.

Godot Engine

V522 CWE-476 Dereferencing of the null pointer 'E' might take place. shader_gles2.cpp 102


void ShaderGLES2::bind_uniforms() {
  ....
  const Map<uint32_t, Variant>::Element *E = uniform_defaults.front();

  while (E) {
    int idx = E->key();
    int location = version->uniform_location[idx];

    if (location < 0) {
      E = E->next();
      continue;
    }

    Variant v;
    v = E->value();
    _set_uniform_variant(location, v);
    E = E->next();
  }

  const Map<uint32_t, CameraMatrix>::Element *C = uniform_cameras.front();

  while (C) {
    int idx = E->key();                                  // <=
    int location = version->uniform_location[idx];

    if (location < 0) {
      C = C->next();
      continue;
    }

    glUniformMatrix4fv(location, 1, GL_FALSE, &(C->get().matrix[0][0]));
    C = C->next();
  }

  uniforms_dirty = false;
}

LibrePCB

V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 206


bool GraphicsView::eventFilter(QObject* obj, QEvent* event) {
  ....
  QGraphicsSceneMouseEvent* e =
    dynamic_cast<QGraphicsSceneMouseEvent*>(event);
  Q_ASSERT(e);
  if (e->button() == Qt::MiddleButton)
  ....
}

Similar errors can be found in some other places:

  • V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 218
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 229
  • V522 CWE-690 There might be dereferencing of a potential null pointer 'unitComboBox'. attributelisteditorwidget.cpp 143
  • And 79 additional diagnostic messages.

LibrePCB

V522 CWE-628 Dereferencing of the null pointer 'event' might take place. The potential null pointer is passed into 'handleMouseWheelEvent' function. Inspect the first argument. Check lines: 143, 252. graphicsview.cpp 143


void GraphicsView::handleMouseWheelEvent(
  QGraphicsSceneWheelEvent* event) noexcept
{
  if (event->modifiers().testFlag(Qt::ShiftModifier))
  ....
}

bool GraphicsView::eventFilter(QObject* obj, QEvent* event) {
  ....
  handleMouseWheelEvent(dynamic_cast<QGraphicsSceneWheelEvent*>(event));
  ....
}

LLVM/Clang

V522 [CWE-476] Dereferencing of the null pointer 'LHS' might take place. TGParser.cpp 2152


Init *TGParser::ParseValue(Record *CurRec, RecTy *ItemType, IDParseMode Mode) {
  ....
  TypedInit *LHS = dyn_cast<TypedInit>(Result);
  ....
  LHS = dyn_cast<TypedInit>(
    UnOpInit::get(UnOpInit::CAST, LHS, StringRecTy::get())
      ->Fold(CurRec));
  if (!LHS) {
    Error(PasteLoc, Twine("can't cast '") + LHS->getAsString() +
                    "' to string");
    return nullptr;
  }
  ....
}

Similar errors can be found in some other places:

  • V522 [CWE-476] Dereferencing of the null pointer 'RHS' might take place. TGParser.cpp 2186

LLVM/Clang

V522 [CWE-476] Dereferencing of the null pointer 'ProgClone' might take place. Miscompilation.cpp 601


ExtractBlocks(....)
{
  ....
  std::unique_ptr<Module> ProgClone = CloneModule(BD.getProgram(), VMap);
  ....
  BD.setNewProgram(std::move(ProgClone));                                // <=
  MiscompiledFunctions.clear();

  for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
    Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first);  // <=
    assert(NewF && "Function not found??");
    MiscompiledFunctions.push_back(NewF);
  }
  ....
}

LLVM/Clang

V522 [CWE-476] Dereferencing of the null pointer 'Test' might take place. Miscompilation.cpp 709


static Expected<bool> TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test,
                                    std::unique_ptr<Module> Safe) {
  outs() << "  Optimizing functions being tested: ";
  std::unique_ptr<Module> Optimized =
      BD.runPassesOn(Test.get(), BD.getPassesToRun());
  if (!Optimized) {
    errs() << " Error running this sequence of passes"
           << " on the input program!\n";
    BD.setNewProgram(std::move(Test));                       // <=
    BD.EmitProgressBitcode(*Test, "pass-error", false);      // <=
    if (Error E = BD.debugOptimizerCrash())
      return std::move(E);
    return false;
  }
  ....
}

LLVM/Clang

V522 [CWE-476] Dereferencing of the null pointer 'Type' might take place. PrettyFunctionDumper.cpp 233


void FunctionDumper::dump(const PDBSymbolTypeFunctionArg &Symbol) {
  uint32_t TypeId = Symbol.getTypeId();
  auto Type = Symbol.getSession().getSymbolById(TypeId);
  if (Type)
    Printer << "<unknown-type>";
  else
    Type->dump(*this);
}

LLVM/Clang

V522 [CWE-476] Dereferencing of the null pointer 'Ty' might take place. SearchableTableEmitter.cpp 614


void SearchableTableEmitter::collectTableEntries(
    GenericTable &Table, const std::vector<Record *> &Items) {
  ....
  RecTy *Ty = resolveTypes(Field.RecType, TI->getType());
  if (!Ty)
    PrintFatalError(Twine("Field '") + Field.Name + "' of table '" +
                    Table.Name + "' has incompatible type: " +
                    Ty->getAsString() + " vs. " +                       // <=
                    TI->getType()->getAsString());
   ....
}

Haiku Operation System

V522 Dereferencing of the null pointer 'currentInterface' might take place. Device.cpp 258


Device::Device(....) : ....
{
  ....
  usb_interface_info* currentInterface = NULL;                     // <=
  uint32 descriptorStart = sizeof(usb_configuration_descriptor);
  while (descriptorStart < actualLength) {
    switch (configData[descriptorStart + 1]) {
    ....
    case USB_DESCRIPTOR_ENDPOINT:
    {
      ....
      if (currentInterface == NULL)                                // <=
        break;
      currentInterface->endpoint_count++;
      ....
    }
    ....
    case USB_DESCRIPTOR_ENDPOINT_COMPANION: {
      usb_endpoint_descriptor* desc = currentInterface             // <=
        ->endpoint[currentInterface->endpoint_count - 1].descr;
      ....
    }
  ....
}

Haiku Operation System

V522 Dereferencing of the null pointer 'directory' might take place. PathMonitor.cpp 1465


bool
PathHandler::_EntryCreated(....)
{
  ....
  Directory* directory = directoryNode->ToDirectory();
  if (directory == NULL) {
    // We're out of sync with reality.
    if (!dryRun) {
      if (Entry* nodeEntry = directory->FirstNodeEntry()) {
        ....
      }
    }
    return false;
  }
  ....
}

Haiku Operation System

V522 Dereferencing of the null pointer 'input' might take place. MediaRecorder.cpp 343


void GetInput(media_input* input);

const media_input&
BMediaRecorder::MediaInput() const
{
  CALLED();

  media_input* input = NULL;
  fNode->GetInput(input);
  return *input;
}

Haiku Operation System

V522 Dereferencing of the null pointer 'mustFree' might take place. RequestUnflattener.cpp 35


status_t
Reader::Read(int32 size, void** buffer, bool* mustFree)
{
  if (size < 0 || !buffer || mustFree)
    return B_BAD_VALUE;

  if (size == 0) {
    *buffer = NULL;
    *mustFree = false;                  // <=
    return B_OK;
  }
  ....
}

Haiku Operation System

V522 Dereferencing of the null pointer 'data' might take place. The null pointer is passed into 'malo_hal_send_helper' function. Inspect the third argument. Check lines: 350, 394. if_malohal.c 350


static int
malo_hal_fwload_helper(struct malo_hal *mh, char *helper)
{
  ....
  /* tell the card we're done and... */
  error = malo_hal_send_helper(mh, 0, NULL, 0, MALO_NOWAIT); // <= NULL
  ....
}

static int
malo_hal_send_helper(struct malo_hal *mh, int bsize,
    const void *data, size_t dsize, int waitfor)
{
  mh->mh_cmdbuf[0] = htole16(MALO_HOSTCMD_CODE_DNLD);
  mh->mh_cmdbuf[1] = htole16(bsize);
  memcpy(&mh->mh_cmdbuf[4], data , dsize);                   // <= data
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'data' might take place. The null pointer is passed into 'malo_hal_send_main' function. Inspect the second argument. Check lines: 413, 472. if_malohal.c 413

Mozilla Thunderbird

V522 Dereferencing of the null pointer 'row' might take place. morkRowCellCursor.cpp 175


NS_IMETHODIMP
morkRowCellCursor::MakeCell(  // get cell at current pos in the row
    nsIMdbEnv* mev,           // context
    mdb_column* outColumn,    // column for this particular cell
    mdb_pos* outPos,          // position of cell in row sequence
    nsIMdbCell** acqCell) {
  nsresult outErr = NS_OK;
  nsIMdbCell* outCell = 0;
  mdb_pos pos = 0;
  mdb_column col = 0;
  morkRow* row = 0;
  morkEnv* ev = morkEnv::FromMdbEnv(mev);
  if (ev) {
    pos = mCursor_Pos;
    morkCell* cell = row->CellAt(ev, pos);
    if (cell) {
      col = cell->GetColumn();
      outCell = row->AcquireCellHandle(ev, cell, col, pos);
    }
    outErr = ev->AsErr();
  }
  if (acqCell) *acqCell = outCell;
  if (outPos) *outPos = pos;
  if (outColumn) *outColumn = col;

  return outErr;
}

Kodi

V522 There might be dereferencing of a potential null pointer 'entry'. Check lines: 985, 981. emu_msvcrt.cpp:985


struct dirent *dll_readdir(DIR *dirp)
{
  ....
  struct dirent *entry = NULL;
  entry = (dirent*) malloc(sizeof(*entry));
  if (dirData->curr_index < dirData->items.Size() + 2)
  {
    if (dirData->curr_index == 0)
      strncpy(entry->d_name, ".\0", 2);
  ....
}

ROOT

V522 Dereferencing of the null pointer 'pre' might take place. TSynapse.cxx 61


void TSynapse::SetPre(TNeuron * pre)
{
  if (pre) {
    Error("SetPre","this synapse is already assigned to a pre-neuron.");
    return;
  }
  fpre = pre;
  pre->AddPost(this);
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'post' might take place. TSynapse.cxx 74

Amazon FreeRTOS

V522 [CWE-690] There might be dereferencing of a potential null pointer 'pCurrentHttpsResponse'. iot_https_client.c 1184


int PKI_mbedTLSSignatureToPkcs11Signature
    (uint8_t * pxSignaturePKCS, uint8_t * pxMbedSignature )
{
  int xReturn = 0;
  uint8_t * pxNextLength;

  /* The 4th byte contains the length of the R component */
  uint8_t ucSigComponentLength = pxMbedSignature[ 3 ];      // <=

  if(  ( pxSignaturePKCS == NULL )
    || ( pxMbedSignature == NULL ) )
  {
      xReturn = FAILURE;
  }

  ....
}

SDCC

V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer2.cc 403


class cl_timer2: public cl_timer0
{
protected:
  class cl_address_space *sfr;
  ....
}

void
cl_timer2::print_info(class cl_console_base *con)
{
  ....
  con->dd_printf(" %s", sfr?"?":((sfr->get(IE)&bmET2)?"en":"dis"));
  ....
}

Similar errors can be found in some other places:

  • V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer1.cc 86
  • V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer0.cc 426

SDCC

V522 [CWE-476] Dereferencing of the null pointer 'uc' might take place. flash.cc 345


void
cl_flash::flash_write(t_addr a, t_mem val)
{
  uc->sim->app->debug("FLASH wr(%06lx,%02x)\n",a,val);
  if (!uc)
    {
      uc->sim->app->debug("  no uc\n");
      return;
    }
  ....
}

Newton Game Dynamics

V522 There might be dereferencing of a potential null pointer 'face'. dgContactSolver.cpp 351


DG_INLINE dgMinkFace* dgContactSolver::AddFace(dgInt32 v0,dgInt32 v1,
                                               dgInt32 v2)
{
  dgMinkFace* const face = NewFace();
  face->m_mark = 0;
  ....
}

DG_INLINE dgMinkFace* dgContactSolver::NewFace()
{
  dgMinkFace* face = (dgMinkFace*)m_freeFace;
  if (m_freeFace)
  {
    m_freeFace = m_freeFace->m_next;
  } else
  {
    face = &m_facePool[m_faceIndex];
    m_faceIndex++;
    if (m_faceIndex >= DG_CONVEX_MINK_MAX_FACES)
    {
      return NULL;
    }
  }
#ifdef _DEBUG
    memset(face, 0, sizeof (dgMinkFace));
#endif
  return face;
}

Newton Game Dynamics

V522 There might be dereferencing of a potential null pointer 'perimeter'. dgPolyhedra.cpp 2541


bool dgPolyhedra::PolygonizeFace(....)
{
  ....
  dgEdge* const perimeter = flatFace.AddHalfEdge
                           (edge1->m_next->m_incidentVertex,
                            edge1->m_incidentVertex);
  perimeter->m_twin = edge1;
  ....
}

dgEdge* dgPolyhedra::AddHalfEdge (dgInt32 v0, dgInt32 v1)
{
  if (v0 != v1)
  {
    dgPairKey pairKey (v0, v1);
    dgEdge tmpEdge (v0, -1);
    dgTreeNode* node = Insert (tmpEdge, pairKey.GetVal());
    return node ? &node->GetInfo() : NULL;
  } else
  {
    return NULL;
  }
}

Command & Conquer

V522 Dereferencing of the null pointer 'list' might take place. DISPLAY.CPP 1062


void DisplayClass::Get_Occupy_Dimensions(int & w, int & h, short const *list)
{
  ....
  if (!list) {
    /*
    ** Loop through all cell offsets, accumulating max & min x- & y-coords
    */
    while (*list != REFRESH_EOL) {
      ....
    }
    ....
  }
  ....
}

Similar errors can be found in some other places:

  • V522 Dereferencing of the null pointer 'list' might take place. DISPLAY.CPP 951
  • V522 Dereferencing of the null pointer 'unitsptr' might take place. QUEUE.CPP 2362
  • V522 Dereferencing of the null pointer 'unitsptr' might take place. QUEUE.CPP 2699

PMDK

V522 [CWE-690] There might be dereferencing of a potential null pointer 'workers'. Check lines: 126, 124. pi.c 126


static void
calc_pi_mt(void)
{
  ....
  HANDLE *workers = (HANDLE *) malloc(sizeof(HANDLE) * pending);
  for (i = 0; i < pending; ++i) {
    workers[i] = CreateThread(NULL, 0, calc_pi,
      &tasks[i], 0, NULL);
    if (workers[i] == NULL)
      break;
  }
  ....
}

Similar errors can be found in some other places:

  • V522 [CWE-690] There might be dereferencing of a potential null pointer 'buf'. Check lines: 357, 346. obj_pmemblk.c 357
  • V522 [CWE-690] There might be dereferencing of a potential null pointer 'clovec'. Check lines: 22, 18. clo_vec.cpp 22
  • V522 [CWE-690] There might be dereferencing of a potential null pointer 'args'. Check lines: 36, 32. clo_vec.cpp 36
  • And 27 additional diagnostic messages.

FakeIt

V522 There might be dereferencing of a potential null pointer 'matcher'. fakeit.hpp 6720


template<typename ... arglist>
struct ArgumentsMatcherInvocationMatcher :
         public ActualInvocation<arglist...>::Matcher {
  ....
  template<typename A>
  void operator()(int index, A &actualArg) {
      TypedMatcher<typename naked_type<A>::type> *matcher =
        dynamic_cast<TypedMatcher<typename naked_type<A>::type> *>(
          _matchers[index]);
      if (_matching)
        _matching = matcher->matches(actualArg);
  }
  ....
  const std::vector<Destructible *> _matchers;
};

Espressif IoT Development Framework

V522 There might be dereferencing of a potential null pointer 'exp'. Check lines: 3470, 3469. argtable3.c 3470


TRex *trex_compile(const TRexChar *pattern,const TRexChar **error,int flags)
{
  TRex *exp = (TRex *)malloc(sizeof(TRex));
  exp->_eol = exp->_bol = NULL;
  exp->_p = pattern;
  ....
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 's_ledc_fade_rec[speed_mode][channel]'. Check lines: 668, 667. ledc.c 668
  • V522 There might be dereferencing of a potential null pointer 'environ'. Check lines: 108, 107. syscall_table.c 108
  • V522 There might be dereferencing of a potential null pointer 'it'. Check lines: 150, 149. partition.c 150
  • And 3 additional diagnostic messages.

SystemC

V522 There might be dereferencing of a potential null pointer 'free_list'. Check lines: 560, 556. sc_event.cpp 560


void*
sc_event_timed::allocate()
{
  const int ALLOC_SIZE = 64;

  if( free_list == 0 ) {
    free_list = (sc_event_timed_u*) malloc( ALLOC_SIZE *
                                            sizeof( sc_event_timed_u ) );
    int i = 0;
    for( ; i < ALLOC_SIZE - 1; ++ i ) {
      free_list[i].next = &free_list[i + 1];
    }
    free_list[i].next = 0;
  }
  ....
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'new_block'. Check lines: 136, 135. sc_mempool.cpp 136

MuseScore

V522 Dereferencing of the null pointer 'family' might take place. instrtemplate.cpp 356


void InstrumentTemplate::write(XmlWriter& xml) const
{
  ....
  if (!family) {
    xml.tag("family", family->id);
  }
  xml.etag();
}

MuseScore

V522 Dereferencing of the null pointer 'destinationMeasure' might take place. score.cpp 4279


ChordRest* Score::cmdNextPrevSystem(ChordRest* cr, bool next)
{
  ....
  auto destinationMeasure = currentSystem->firstMeasure();
  ....
  if (!(destinationMeasure = destinationMeasure->prevMeasure())) {
    if (!(destinationMeasure = destinationMeasure->prevMeasureMM())) {
        return cr;
    }
  }
  ....
}

Blender

V522 There might be dereferencing of a potential null pointer 'context->read_icons'. Check lines: 255, 252. datatoc_icon.c


static void icon_merge_context_register_icon(struct IconMergeContext *context,
                                             const char *file_name,
                                             struct IconHead *icon_head)
{
  context->read_icons = realloc(context->read_icons,
      sizeof(struct IconInfo) * (context->num_read_icons + 1));
  struct IconInfo *icon_info = &context->read_icons[context->num_read_icons];
  icon_info->head = *icon_head;
  icon_info->file_name = strdup(path_basename(file_name));
  context->num_read_icons++;
}

Blender

V522 There might be dereferencing of a potential null pointer 'mesh'. geometry_component_mesh.cc 537


ReadAttributePtr try_get_for_read(const GeometryComponent &component,
                                  const StringRef attribute_name) const final
{
  ....
  const Mesh *mesh = mesh_component.get_for_read();
  ....
  if (mesh == nullptr || mesh->dvert == nullptr) {
    static const float default_value = 0.0f;
    return std::make_unique<ConstantReadAttribute>(
        ATTR_DOMAIN_POINT, mesh->totvert,
        CPPType::get<float>(), &default_value);
  }
  ....
}

Storm Engine

V522 There might be dereferencing of a potential null pointer 'pTable'. Check lines: 36, 35. s_postevents.h 36


void Add(....)
{
  ....
  pTable = (S_EVENTMSG **)realloc(
                         pTable, nClassesNum * sizeof(S_EVENTMSG *));
  pTable[n] = pClass;
  ....
};

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'label'. Check lines: 116, 113. geom_static.cpp 116

LFortran

V522 [CWE-690] There might be dereferencing of a potential null pointer 'parent'. CLI11.hpp 3915


template <typename T = App> Option *ignore_underscore(bool value = true) {
  if(!ignore_underscore_ && value) {
    ignore_underscore_ = value;
     auto *parent = dynamic_cast<T *>(parent_);
     for(const Option_p &opt : parent->options_) {             // <=
       ....
     }
  }
  ....
}

Similar errors can be found in some other places:

  • V522 [CWE-690] There might be dereferencing of a potential null pointer 'parent'. CLI11.hpp 3890

LFortran

V522 [CWE-690] There might be dereferencing of a potential null pointer 'dynamic_cast< T * > (parent_)'. CLI11.hpp 3810


template <typename T = App> Option *needs(std::string opt_name) {
  auto opt = dynamic_cast<T *>(parent_)->get_option_no_throw(opt_name);
  if(opt == nullptr) {
    throw IncorrectConstruction::MissingOption(opt_name);
  }
  return needs(opt);
}

Similar errors can be found in some other places:

  • V522 [CWE-690] There might be dereferencing of a potential null pointer 'dynamic_cast< T * > (parent_)'. CLI11.hpp 3852

CARLA

V522 Dereferencing of the null pointer 'CarlaActor' might take place. CarlaServer.cpp 1652


void FCarlaServer::FPimpl::BindActions()
{
  ....
  FCarlaActor* CarlaActor = Episode->FindCarlaActor(ActorId);
  if (CarlaActor)
  {
    return RespondError("get_light_boxes",
                        ECarlaServerResponse::ActorNotFound,
                        " Actor Id: " + FString::FromInt(ActorId));
  }
  if (CarlaActor->IsDormant())
  {
    return RespondError("get_light_boxes",
                        ECarlaServerResponse::FunctionNotAvailiableWhenDormant,
                        " Actor Id: " + FString::FromInt(ActorId));
  }
  else { .... }
  ....
}

CARLA

V522 Dereferencing of the null pointer 'HISMCompPtr' might take place. ProceduralBuilding.cpp 32


UHierarchicalInstancedStaticMeshComponent* AProceduralBuilding::GetHISMComp(
    const UStaticMesh* SM)
{
  ....
  UHierarchicalInstancedStaticMeshComponent** HISMCompPtr =
    HISMComps.Find(SMName);

  if (HISMCompPtr) return *HISMCompPtr;

  UHierarchicalInstancedStaticMeshComponent* HISMComp = *HISMCompPtr;

  // If it doesn't exist, create the component
  HISMComp = NewObject<UHierarchicalInstancedStaticMeshComponent>(this,
    FName(*FString::Printf(TEXT("HISMComp_%d"), HISMComps.Num())));
  HISMComp->SetupAttachment(RootComponent);
  HISMComp->RegisterComponent();
  ....
}

Chromium

V522 Instantiation of WasmFullDecoder < Decoder::kFullValidation, WasmGraphBuildingInterface >: Dereferencing of the null pointer 'result' might take place. The null pointer is passed into 'UnOp' function. Inspect the fourth argument. Check lines: 'graph-builder-interface.cc:349', 'function-body-decoder-impl.h:5372'. graph-builder-interface.cc 349


// File: src\v8\src\wasm\graph-builder-interface.cc
void UnOp(FullDecoder* decoder, WasmOpcode opcode,
          const Value& value, Value* result)
{
  result->node = builder_->Unop(opcode, value.node, decoder->position());
}
// File: src\v8\src\wasm\function-body-decoder-impl.h
int BuildSimpleOperator(WasmOpcode opcode, ValueType return_type,
                        ValueType arg_type)
{
  Value val = Peek(0, 0, arg_type);
  if (return_type == kWasmVoid)
  {
    CALL_INTERFACE_IF_OK_AND_REACHABLE(UnOp, opcode, val, nullptr);  // <=
    Drop(val);
  }
  ....
}

Intermodular analysis


Chromium

V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'NaClTlsSetCurrentThread' function. Inspect the first argument. Check lines: 'nacl_tls_64.c:285', 'nacl_app_thread.c:161'. nacl_tls_64.c 285


// File: src\native_client\src\trusted\service_runtime\arch\x86_64\nacl_tls_64.c
void NaClTlsSetCurrentThread(struct NaClAppThread *natp) {
  nacl_current_thread = &natp->user;
}
// File: src\native_client\src\trusted\service_runtime\nacl_app_thread.c
void NaClAppThreadTeardown(struct NaClAppThread *natp)
{
  ....
  /*
  * Unset the TLS variable so that if a crash occurs during thread
  * teardown, the signal handler does not dereference a dangling
  * NaClAppThread pointer.
  */
  NaClTlsSetCurrentThread(NULL);
  ....
}

Intermodular analysis


MuditaOS

V522 [CERT-EXP34-C] Dereferencing of the null pointer 'document' might take place. TextBlockCursor.cpp 332


auto BlockCursor::begin() -> std::list<TextBlock>::iterator
{
  return document == nullptr
            ? document->blocks.end() : document->blocks.begin();
}

VCMI

V522 There might be dereferencing of a potential null pointer. CCallback.cpp 255


void CCallback::trade(....)
{
  ....
  pack.marketId = dynamic_cast<const CGObjectInstance *>(market)->id;
  ....
}

Similar errors can be found in some other places:

  • V522 There might be dereferencing of a potential null pointer 'boat'. MapRendererContext.cpp 47
  • V522 There might be dereferencing of a potential null pointer 'hero'. MapRendererContext.cpp 134
  • V522 There might be dereferencing of a potential null pointer 'hero'. MapViewController.cpp 291
  • And 7 additional diagnostic messages.

GCC

V522 There might be dereferencing of a potential null pointer 'obj_info'. Check lines: 290, 287. libgcov-util.c 290. libgcov-util.c 287


static struct gcov_info *
read_gcda_file (const char *filename)
{
  ....
  curr_gcov_info = obj_info =
    (struct gcov_info *) xcalloc (sizeof (struct gcov_info) +
          sizeof (struct gcov_ctr_info) * GCOV_COUNTERS, 1);

  obj_info->version = version;
  obj_info->filename = filename;
  ....
}

FreeCAD

V522 [CWE-476, CERT-EXP34-C] Dereferencing of the null pointer 'vpp' might take place. QGIView.cpp 592


QGVPage* QGIView::getQGVPage(TechDraw::DrawView* dView)
{
  ViewProviderPage* vpp = getViewProviderPage(dView);
  if (!vpp) {
    return vpp->getQGVPage();
  }
  return nullptr;
}

FreeCAD

V522 [CWE-690, CERT-MEM52-CPP] There might be dereferencing of a potential null pointer 'detail'. QGIViewPart.cpp 842


void QGIViewPart::highlightMoved(QGIHighlight* highlight, QPointF newPos)
{
  std::string highlightName = highlight->getFeatureName();
  App::Document* doc = getViewObject()->getDocument();
  App::DocumentObject* docObj = doc->getObject(highlightName.c_str());
  auto detail = dynamic_cast<DrawViewDetail*>(docObj);
  auto oldAnchor = detail->AnchorPoint.getValue();
  if (detail) {
    Base::Vector3d delta = Rez::appX(DrawUtil::toVector3d(newPos)) /
                           getViewObject()->getScale();
    delta = DrawUtil::invertY(delta);
    detail->AnchorPoint.setValue(oldAnchor + delta);
  }
}

GZDoom

V522 There might be dereferencing of a potential null pointer 'mem'. Check lines: 100, 95. fs_stringpool.cpp 100


StringPool::Block *StringPool::AddBlock(size_t size)
{
  ....
  auto mem = (Block *)malloc(size);
  if (mem == nullptr)
  {

  }
  mem->Limit = (uint8_t *)mem + size;
  mem->Avail = &mem[1];
  mem->NextBlock = TopBlock;
  TopBlock = mem;
  return mem;
}

Dagor Engine

V522 Dereferencing of the null pointer 'leaf_linear[i]' might take place. DagorEngine/prog/dagorInclude/generic/dag_hierGrid.h 71


void copy(const Node &n, int sz)
{
  ....
  for (int i = 0; i < 4; ++i)
    if (n.leaf_linear[i])
    {
      if (leaf_linear[i])
        leaf_linear[i] = new Leaf(*n.leaf_linear[i]);
      else
        *leaf_linear[i] = *n.leaf_linear[i];
    }
    else
    ....
   ....
}