V522. Dereferencing of the null pointer might take place.
V522 Dereferencing of the null pointer 'plugin_instance' might take place. Check the logical condition. chrome_frame_npapi chrome_frame_npapi.cc 517
bool ChromeFrameNPAPI::Invoke(....)
{
ChromeFrameNPAPI* plugin_instance =
ChromeFrameInstanceFromNPObject(header);
// V522: with '&&' the right-hand operand is evaluated only when
// plugin_instance is null, so this guard always dereferences a null
// pointer. The intended check is presumably
//   if (!plugin_instance || !plugin_instance->automation_client_.get())
if (!plugin_instance &&
(plugin_instance->automation_client_.get()))
return false;
...
}
V522 Dereferencing of the null pointer 'DI' might take place. llvm-tblgen dagiselmatchergen.cpp 220
void MatcherGen::EmitLeafMatchCode(const TreePatternNode *N) {
...
if (DI == 0) {
// V522: this branch runs only when DI is null, yet '*DI' is streamed
// into the message. The operand was presumably meant to be '*N'.
errs() << "Unknown leaf kind: " << *DI << "\n";
abort();
}
...
}
V522 Dereferencing of the null pointer 'ptag' might take place. pcsx2 spr.cpp 376
void _SPR1interleave() {
...
u32 *ptag;
...
if (ptag == NULL) { // <=
SysPrintf("SPR1 Tag BUSERR\n");
// V522: ptag is known to be NULL inside this branch, so '*ptag' below
// reads through a null pointer; drop the read (or the condition was
// meant to be '!= NULL' and this is the wrong branch).
spr1->chcr = ( spr1->chcr & 0xFFFF ) |
( (*ptag) & 0xFFFF0000 ); // <=
psHu32(DMAC_STAT)|= 1<<15;
done = 1;
spr1finished = done;
return;
}
...
}
V522 Dereferencing of the null pointer 'pRect' might take place. geOLib geolib.cpp 3282
void WINAPI _GetMonitorRectByIndex( int iMonitor, RECT* pRect )
{
int iMonitorCount = ::GetSystemMetrics( SM_CMONITORS );
// V522: the 'else' branch is reached only when pRect is NULL (and the
// index is out of range), and then writes through pRect. Swapping '||'
// for '&&' is not enough: pRect must be tested for NULL (and the
// function must return) before either branch touches it.
if ( iMonitor <= iMonitorCount || pRect != NULL ) // <=
{
if ( iMonitorCount == 1 )
{
pRect->left = 0;
pRect->top = 0;
pRect->right = GetSystemMetrics( SM_CXSCREEN );
pRect->bottom = GetSystemMetrics( SM_CYSCREEN );
}
...
}
else
{
pRect->left = -1; // <=
pRect->top = -1;
pRect->right = -1;
pRect->bottom = -1;
}
}
V522 Dereferencing of the null pointer 'tpart' might take place. bf_render convertblender.c 1788
static int render_new_particle_system(....)
{
ParticleSettings *part, *tpart=0;
...
// tpart don't used
...
/* V522: tpart is initialised to 0 above and, per the note, never
 * assigned, so 'tpart->from' dereferences a null pointer. */
psys_particle_on_emitter(psmd,tpart->from,tpa->num,
pa->num_dmcache,tpa->fuv,tpa->foffset,
co,nor,0,0,sd.orco,0);
...
}
V522 Dereferencing of the null pointer 'td' might take place. CommonCxxTests testconditionvariable.cxx 96
VTK_THREAD_RETURN_TYPE vtkTestCondVarThread( void* arg )
{
...
if ( td ) // <=
{
...
}
else
{
cout << "No thread data!\n";
cout << " Thread " << ( threadId + 1 )
<< " of " << threadCount << " exiting.\n";
// V522: td is null in this branch, so the decrement below writes
// through a null pointer; it belongs in the 'if ( td )' branch or
// must be removed here.
-- td->NumberOfWorkers; // <=
cout.flush();
}
...
}
V522 Dereferencing of the null pointer 'audio' might take place. tffdshowdecaudioinputpin.cpp 468
STDMETHODIMP_(bool) TffdshowDecAudioInputPin::getsf(
TsampleFormat &outsf)
{
// V522 reports a dereference of 'audio' at line 468. As excerpted the
// braces do not balance and the 'else if' runs only when audio is
// non-null, so the offending access must lie in the elided part of the
// '!audio' branch; verify against the full source.
if (!audio) // <=
{
.... // audio don't used
} else if (bitstream_codec(audio->codecId)) { // <=
outsf.sf = TsampleFormat::getSampleFormat(codecId);
outsf.alternateSF = filter->insf.alternateSF;
return true;
}
} else {
.....
}
V522 Dereferencing of the null pointer 'v' might take place. interpret.c 1711
Expression *getVarExp(Loc loc, InterState *istate,
Declaration *d, CtfeGoal goal)
{
....
VarDeclaration *v = d->isVarDeclaration();
if (v)
{
....
}
else if (s)
{
if (s->dsym->toInitializer() == s->sym)
....
else
// V522: this is the 'else' of 'if (v)', so v is null here and
// 'v->toChars()' dereferences it; the symbol being reported is
// presumably s (or d), not v.
error(loc,
"cannot interpret symbol %s at compile time",
v->toChars());
}
....
}
V522 Dereferencing of the null pointer 'device' might take place. bus.c 762
static void
acpi_bus_notify (....)
{
struct acpi_device *device = NULL;
....
switch (type) {
....
case ACPI_NOTIFY_EJECT_REQUEST:
/* V522: device is initialised to NULL above and nothing in this
 * excerpt assigns it before 'device->pnp.bus_id' is read; unless the
 * elided code looks the device up, this dereferences a null pointer. */
DPRINT1("Received EJECT REQUEST "
"notification for device [%s]\n",
device->pnp.bus_id);
/* TBD */
break;
....
}
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'tag' might take place. ir_reader.cpp 904
ir_texture *
ir_reader::read_texture(s_expression *expr)
{
s_symbol *tag = NULL;
....
} else if (MATCH(expr, other_pattern)) {
// V522: tag is still NULL unless the elided code assigned it, so
// 'tag->value()' dereferences a null pointer in this branch.
op = ir_texture::get_opcode(tag->value());
if (op == -1)
return NULL;
}
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 903
HRESULT CSensorDDI::OnGetDataFields(....)
{
....
if (nullptr != pSensor)
{
....
}
else
{
hr = E_POINTER;
// V522: pSensor is null in this branch, so passing
// 'pSensor->m_SensorName' to Trace() dereferences it; log the Key or
// a literal instead.
Trace(TRACE_LEVEL_ERROR,
"pSensor == NULL before getting datafield %!GUID!-%i "
"value from %s, hr = %!HRESULT!",
&Key.fmtid, Key.pid, pSensor->m_SensorName, hr);
}
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'subnet' might take place. session.cpp 10823
void ClientSession::findIpAddress(CSCPMessage *request)
{
....
if (subnet != NULL)
{
debugPrintf(5, _T("findIpAddress(%s): found subnet %s"),
ipAddrText,
subnet->Name());
found = subnet->findMacAddress(ipAddr, macAddr);
}
else
{
// V522: subnet is NULL here, so 'subnet->Name()' dereferences a null
// pointer. The format string has a single %s for two extra arguments
// (copy-paste from the branch above), so the Name() argument should
// simply be dropped.
debugPrintf(5, _T("findIpAddress(%s): subnet not found"),
ipAddrText,
subnet->Name());
}
....
}
V522 Dereferencing of the null pointer 'pPlayer' might take place. cgame.cpp 1895
void CGame::Packet_PlayerJoinData ( .... )
{
....
// Add the player
CPlayer* pPlayer = m_pPlayerManager->Create (....);
if ( pPlayer )
{
....
}
else
{
// Tell the console
// V522: pPlayer is null here (Create() failed), so
// 'pPlayer->GetSourceIP()' dereferences a null pointer; the address
// has to come from somewhere else (presumably the packet's source).
CLogger::LogPrintf(
"CONNECT: %s failed to connect "
"(Player Element Could not be created.)\n",
pPlayer->GetSourceIP() );
}
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'szCmdLine' might take place. Check the logical condition. clientcommands.cpp 396
void COMMAND_MessageTarget ( const char* szCmdLine )
{
// V522: 'szCmdLine[0]' is evaluated only when szCmdLine is null, so the
// guard itself dereferences the null pointer. Intended:
//   if ( !szCmdLine || !szCmdLine[0] ) return;
if ( !(szCmdLine || szCmdLine[0]) )
return;
....
}
V522 Dereferencing of the null pointer 'pepIndx' might take place. asapcgidisplay2main.cxx 534
void ASAPRatio_getDataStrctRatio(dataStrct *data, ....)
{
....
int *outliers, *pepIndx=NULL;
....
//pepIndx don't used
....
// V522: pepIndx is NULL and (per the note above) never assigned, so
// 'pepIndx[i]' reads through a null pointer whenever dataCnts[i] == 1.
if(data->dataCnts[i] == 1 && pepIndx[i] == 0)
data->dataCnts[i] = 0;
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'file' might take place. util.h 24
static ACE_FILE_IO *audio_to_text (ACE_FILE_Addr &,
ACE_FILE_Addr &dest)
{
ACE_FILE_Connector connector;
ACE_FILE_IO *file = 0;
// V522: '*file' binds a reference to a null pointer; connect() needs a
// real ACE_FILE_IO object (e.g. a local instance) to open.
if (connector.connect (*file, dest) == -1)
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'dataPtr' might take place. scilababstractmemoryallocator.hxx 222
inline static int *alloc(void * pvApiCtx, const int position,
const int rows, const int cols, int * ptr)
{
// Create a rows x cols Int32 matrix at 'position' and hand back its
// data pointer. 'ptr' is accepted but not read here.
int * data = 0;
SciErr err = allocMatrixOfInteger32(
pvApiCtx, position, rows, cols, &data);
checkError(err);
return data;
}
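inline static void create(void * pvApiCtx, const int position,
const int rows, const int cols, long long * ptr)
{
// Allocate a rows x cols Int32 matrix at 'position' and copy 'ptr'
// into it, narrowing each element to int.
//
// The original discarded alloc()'s return value, so dataPtr stayed
// null and every write in the loop went through a null pointer.
int * dataPtr = alloc(pvApiCtx, position, rows, cols, 0);
if (dataPtr == 0)
{
// checkError() inside alloc() is expected to have reported the
// failure; there is nothing to copy into.
return;
}
const int count = rows * cols;
for (int i = 0; i < count; i++)
{
dataPtr[i] = static_cast<int>(ptr[i]);
}
}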
The return value of alloc() is discarded, so dataPtr stays null when the loop writes through it. This is what should have been written: dataPtr = alloc(pvApiCtx, position, rows, cols, dataPtr);
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'LevelStreamingObject' might take place. unrealengine.cpp 10768
bool UEngine::CommitMapChange( FWorldContext &Context )
{
....
LevelStreamingObject = Context.World()->StreamingLevels[j];
if (LevelStreamingObject != NULL)
{
....
}
else
{
// V522: check() presumably halts in checked builds, but where it is
// compiled out the UE_LOG below dereferences the null
// LevelStreamingObject via GetName(); log the index j instead.
check(LevelStreamingObject);
UE_LOG(LogStreaming, Log,
TEXT("Unable to handle streaming object %s"),
*LevelStreamingObject->GetName());
}
....
}
V522 Dereferencing of the null pointer 'GStreamingPauseBackground' might take place. streamingpauserendering.cpp 197
void FStreamingPause::Init()
{
....
if( GStreamingPauseBackground == NULL && GUseStreamingPause )
{
// @todo UE4 merge andrew
// GStreamingPauseBackground = new FFrontBufferTexture(....);
// V522: the assignment above is commented out, so the pointer is still
// NULL (the condition guarantees it) when InitRHI() is called.
GStreamingPauseBackground->InitRHI();
}
}
V522 Dereferencing of the null pointer 'dn' might take place. qdocindexfiles.cpp 539
void QDocIndexFiles::readIndexSection(....)
{
....
DocNode* dn = qdb_->findGroup(groupNames[i]);
if (dn) {
dn->addMember(node);
}
else {
....
// V522: dn is null in this branch, so 'dn->name()' dereferences it;
// the name to print is groupNames[i].
qDebug() << "DID NOT FIND GROUP:" << dn->name()
<< "for:" << node->name();
}
....
}
V522 Dereferencing of the null pointer 'm' might take place. qquickcontext2d.cpp 3169
QV4::ReturnedValue QQuickJSContext2DPixelData::getIndexed(
QV4::Managed *m, uint index, bool *hasProperty)
{
....
// V522: m is null inside this guard, so 'm->engine()' dereferences it;
// the engine must be obtained from something other than m.
if (!m)
return m->engine()->currentContext()->throwTypeError();
....
}
V522 Dereferencing of the null pointer 'l_image' might take place. j2k.c 5205
bool j2k_write_rgn(....)
{
OPJ_BYTE * l_current_data = 00;
OPJ_UINT32 l_nb_comp;
OPJ_UINT32 l_rgn_size;
opj_image_t *l_image = 00;
opj_cp_t *l_cp = 00;
opj_tcp_t *l_tcp = 00;
opj_tccp_t *l_tccp = 00;
OPJ_UINT32 l_comp_room;
// preconditions
assert(p_j2k != 00);
assert(p_manager != 00);
assert(p_stream != 00);
l_cp = &(p_j2k->m_cp);
l_tcp = &l_cp->tcps[p_tile_no];
l_tccp = &l_tcp->tccps[p_comp_no];
/* V522: l_image is still 00 (NULL) -- unlike l_cp/l_tcp/l_tccp it is
 * never assigned from p_j2k before 'l_image->numcomps' is read. */
l_nb_comp = l_image->numcomps;
....
}
V522 Dereferencing of the null pointer 'cont' might take place. EmLanProto mlan.cpp 342
void CMLan::OnRecvPacket(u_char* mes, int len, in_addr from)
{
....
TContact* cont = m_pRootContact;
....
// V522: RequestStatus is called only when cont is null, and its
// argument 'cont->m_addr.S_un.S_addr' dereferences that null pointer.
if (!cont)
RequestStatus(true, cont->m_addr.S_un.S_addr);
....
}
V522 Dereferencing of the null pointer 'pLabelData' might take place. Check the logical condition. pivotlayouttreelistdata.cxx 157
void ScPivotLayoutTreeListData::PushDataFieldNames(
vector<ScDPName>& rDataFieldNames)
{
....
ScDPLabelData* pLabelData = mpParent->GetLabelData(nColumn);
// V522: with '&&' the name test runs only when pLabelData is NULL and
// dereferences it. Intended:
//   if (pLabelData == NULL || pLabelData->maName.isEmpty())
if (pLabelData == NULL && pLabelData->maName.isEmpty())
continue;
....
}
V522 Dereferencing of the null pointer 'pWindow' might take place. Check the logical condition. querycontroller.cxx 293
void grabFocusFromLimitBox( OQueryController& _rController )
{
....
vcl::Window* pWindow = VCLUnoHelper::GetWindow( xWindow );
// V522: with '||', HasChildPathFocus() is evaluated exactly when
// pWindow is null. Intended:
//   if( pWindow && pWindow->HasChildPathFocus() )
if( pWindow || pWindow->HasChildPathFocus() )
{
pWindow->GrabFocusToDocument();
}
....
}
V522 Dereferencing of the null pointer 'piTmpConnection' might take place. adodatalinks.cxx 84
BSTR PromptNew(long hWnd)
{
....
ADOConnection* piTmpConnection = NULL;
::CoInitialize( NULL );
hr = CoCreateInstance(
CLSID_DataLinks,
NULL,
CLSCTX_INPROC_SERVER,
IID_IDataSourceLocator,
(void**)&dlPrompt
);
if( FAILED( hr ) )
{
// V522: piTmpConnection is still NULL here (nothing assigns it before
// this point), so Release() is called through a null pointer. dlPrompt
// may likewise be unset after a failed CoCreateInstance -- verify.
piTmpConnection->Release();
dlPrompt->Release( );
return connstr;
}
....
}
V522 Dereferencing of the null pointer 'hp' might take place. cee_wks gc.cpp 4488
heap_segment* gc_heap::get_segment_for_loh (size_t size
#ifdef MULTIPLE_HEAPS
, gc_heap* hp
#endif //MULTIPLE_HEAPS
)
{
#ifndef MULTIPLE_HEAPS
gc_heap* hp = 0;
#endif //MULTIPLE_HEAPS
// V522: in the single-heap build hp is the zero-initialised local
// above, so this call dereferences a null pointer; that configuration
// presumably needs to call get_segment on the single heap instead.
heap_segment* res = hp->get_segment (size, TRUE);
....
}
When 'MULTIPLE_HEAPS' is not defined, 'hp' is a local initialised to zero and is dereferenced on the very next line, so the single-heap build always hits a null dereference here.
V522 Dereferencing of the null pointer 'create_trimesh_collision_node()' might take place. mesh_instance.cpp 177
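Node* MeshInstance::create_trimesh_collision_node()
{
// Build a StaticBody carrying a trimesh shape generated from 'mesh'.
// Returns NULL when there is no mesh or the shape could not be created;
// callers must check the result before dereferencing it.
if (mesh.is_null())
return NULL;
Ref<Shape> shape = mesh->create_trimesh_shape();
if (shape.is_null())
return NULL;
StaticBody * static_body = memnew( StaticBody );
static_body->add_shape( shape );
// The unreachable trailing 'return NULL;' that followed this return
// has been removed.
return static_body;
}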
void MeshInstance::create_trimesh_collision()
{
// V522: create_trimesh_collision_node() returns NULL when there is no
// mesh or no shape, and '->cast_to<StaticBody>()' is applied to that
// result before the ERR_FAIL_COND check; store the Node* and test it
// for NULL first.
StaticBody* static_body =
create_trimesh_collision_node()->cast_to<StaticBody>();
ERR_FAIL_COND(!static_body);
static_body->set_name( String(get_name()) + "_col" );
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'GEngine' might take place. Check the logical condition. gameplaystatics.cpp 988
void UGameplayStatics::DeactivateReverbEffect(....)
{
// V522: the guard is inverted -- '!GEngine->UseSound()' is evaluated
// only when GEngine is null. Intended:
//   if (!GEngine || !GEngine->UseSound())
if (GEngine || !GEngine->UseSound()) // <=
{
return;
}
UWorld* ThisWorld = GEngine->GetWorldFromContextObject(....);
....
}
V522 Dereferencing of the null pointer 'aStyleValues' might take place. sdnaccessible.cpp 252
STDMETHODIMP sdnAccessible::get_computedStyle(
BSTR __RPC_FAR* aStyleProperties,
BSTR __RPC_FAR* aStyleValues,
unsigned short __RPC_FAR* aNumStyleProperties)
{
// V522: 'aStyleValues' is missing its '!' -- a valid pointer is
// rejected with E_INVALIDARG while a null one passes and is indexed
// below.
if (!aStyleProperties || aStyleValues || !aNumStyleProperties)
return E_INVALIDARG;
....
aStyleValues[realIndex] = ::SysAllocString(value.get());
....
}
V522 Dereferencing of the null pointer 'tempNumberTracker' might take place. backwardpass.cpp 578
void
BackwardPass::MergeSuccBlocksInfo(BasicBlock * block)
{
TempNumberTracker * tempNumberTracker = nullptr; // <= line 346
....
if (!block->isDead)
{
....
if(!IsCollectionPass())
{
....
if (this->DoMarkTempNumbers())
{
tempNumberTracker = JitAnew(....); // <= line 413
}
....
....
if (blockSucc->tempNumberTracker != nullptr)
{
....
// V522: the local tempNumberTracker is allocated only when
// DoMarkTempNumbers() holds, but this block is guarded only by the
// successor's tracker; guard on the local too (or assert that both
// are non-null together).
tempNumberTracker->MergeData(....); // <= line 578
if (deleteData)
{
blockSucc->tempNumberTracker = nullptr;
}
}
....
}
V522 Dereferencing of the null pointer 'sc' might take place. mrsas.c 4027
void
mrsas_aen_handler(struct mrsas_softc *sc)
{
....
if (!sc) {
/* V522: sc is NULL in this branch, so 'sc->mrsas_dev' dereferences
 * it; use printf() (no device) for this message. */
device_printf(sc->mrsas_dev, "invalid instance!\n");
return;
}
if (sc->evt_detail_mem) {
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'region' might take place. Check the logical condition. palettecmd.cpp 102
bool isStyleUsed(const TVectorImageP vi, int styleId)
{
....
TRegion *region = vi->getRegion(i);
// V522: with '||', 'region->getStyle()' is evaluated exactly when
// region is null. The null case must be tested first ('!region');
// whether a missing region should count as "used" cannot be told from
// this excerpt.
if (region || region->getStyle() != styleId)
return true;
....
}
V522 Dereferencing of the null pointer 'data' might take place. util.c 2424
static jint JNICALL
cbObjectTagInstance(....)
{
ClassInstancesData *data;
/* Check data structure */
data = (ClassInstancesData*)user_data;
if (data == NULL) {
/* V522: data is NULL in this branch, so 'data->error = ...' writes
 * through a null pointer; just return JVMTI_VISIT_ABORT. */
data->error = AGENT_ERROR_ILLEGAL_ARGUMENT;
return JVMTI_VISIT_ABORT;
}
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 've' might take place. functions1d.cpp 107
int QuantitativeInvisibilityF1D::operator()(....)
{
// Note: '&inter;' in this excerpt looks like an HTML-entity artefact
// of '&inter'.
ViewEdge *ve = dynamic_cast<ViewEdge*>(&inter;);
if (ve) {
result = ve->qi();
return 0;
}
FEdge *fe = dynamic_cast<FEdge*>(&inter;);
if (fe) {
// V522: whenever this branch runs the ViewEdge cast above failed, so
// ve is null; copy-paste error -- should be 'fe->qi()'.
result = ve->qi(); //<=
return 0;
}
....
}
V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 765
static ImBuf *accessor_get_ibuf(....)
{
ImBuf *ibuf, *orig_ibuf, *final_ibuf;
....
/* First try to get fully processed image from the cache. */
ibuf = accesscache_get(accessor,
clip_index,
frame,
input_mode,
downscale,
transform_key);
if (ibuf != NULL) {
return ibuf;
}
/* And now we do postprocessing of the original frame. */
orig_ibuf = accessor_get_preprocessed_ibuf(accessor,
clip_index,
frame);
if (orig_ibuf == NULL) {
return NULL;
}
....
if (downscale > 0) {
if (final_ibuf == orig_ibuf) {
final_ibuf = IMB_dupImBuf(orig_ibuf);
}
/* V522: ibuf is NULL past the early return above (cache miss path);
 * the dimensions here belong to orig_ibuf (or final_ibuf). */
IMB_scaleImBuf(final_ibuf,
ibuf->x / (1 << downscale), //<=
ibuf->y / (1 << downscale)); //<=
}
....
if (input_mode == LIBMV_IMAGE_MODE_RGBA) {
/* V522: same null ibuf; the assertion should inspect final_ibuf. */
BLI_assert(ibuf->channels == 3 || //<=
ibuf->channels == 4); //<=
}
....
return final_ibuf;
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'item' might take place. action_wait.cc 41
// Returns the item associated with the component |id| or nullptr
// in case of errors.
CrxUpdateItem* FindUpdateItemById(const std::string& id) const;
void ActionWait::Run(UpdateContext* update_context,
Callback callback)
{
....
while (!update_context->queue.empty())
{
auto* item =
FindUpdateItemById(update_context->queue.front());
// V522: the branches are swapped -- the error fields are written only
// when item is null, and NOTREACHED() fires for a valid item.
// Intended: 'if (item) { ... } else { NOTREACHED(); }'.
if (!item) { // <=
item->error_category = // <=
static_cast<int>(ErrorCategory::kServiceError);
item->error_code = // <=
static_cast<int>(ServiceError::ERROR_WAIT);
ChangeItemState(item, CrxUpdateItem::State::kNoUpdate);
} else {
NOTREACHED();
}
update_context->queue.pop();
}
....
}
V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 106
Expected<std::unique_ptr<PDBFile>>
PDBFileBuilder::build(
std::unique_ptr<msf::WritableStream> PdbFileBuffer)
{
....
auto File = llvm::make_unique<PDBFile>(
std::move(PdbFileBuffer), Allocator);
File->ContainerLayout = *ExpectedLayout;
// V522: std::move handed the stream to the PDBFile constructor, so
// PdbFileBuffer is an empty (null) unique_ptr by now and
// '*PdbFileBuffer' dereferences it. Presumably the stream now owned by
// File should be passed instead.
if (Info) {
auto ExpectedInfo = Info->build(*File, *PdbFileBuffer);
....
}
What happens here: llvm::make_unique forwards its arguments to PDBFile's constructor, and std::move(PdbFileBuffer) transfers ownership of the stream to the new PDBFile, leaving the PdbFileBuffer unique_ptr empty (null). The subsequent *PdbFileBuffer therefore dereferences a null pointer; the call should presumably use the stream now owned by File instead.
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'ccb' might take place. The null pointer is passed into 'iscsi_outstanding_add' function. Inspect the third argument. Check lines: 'iscsi.c:2157'. iscsi.c 2091
static struct iscsi_outstanding *
iscsi_outstanding_add(struct iscsi_session *is,
struct icl_pdu *request,
union ccb *ccb,
uint32_t *initiator_task_tagp)
{
struct iscsi_outstanding *io;
int error;
ISCSI_SESSION_LOCK_ASSERT(is);
io = uma_zalloc(iscsi_outstanding_zone, M_NOWAIT | M_ZERO);
if (io == NULL) {
ISCSI_SESSION_WARN(is, "failed to allocate %zd bytes",
sizeof(*io));
return (NULL);
}
/* V522: ccb may be NULL (iscsi_action_abort passes NULL below), and
 * '&ccb->csio' then forms a pointer from a null base. The NULL case
 * needs explicit handling (e.g. pass NULL when ccb is NULL) -- verify
 * that icl_conn_task_setup accepts it. */
error = icl_conn_task_setup(is->is_conn, request, &ccb->csio,
initiator_task_tagp, &io->io_icl_prv);
....
}
static void
iscsi_action_abort(struct iscsi_session *is, union ccb *ccb)
{
....
/* V522: passes NULL for the ccb argument, which
 * iscsi_outstanding_add() dereferences as '&ccb->csio'. */
io = iscsi_outstanding_add(is, request, NULL,
&initiator_task_tag);
....
}
V522 Dereferencing of the null pointer 'pCEntity' might take place. BreakableManager.cpp 2396
int CBreakableManager::HandlePhysics_UpdateMeshEvent(....)
{
CEntity* pCEntity = 0;
....
if (pmu && pSrcStatObj && GetSurfaceType(pSrcStatObj))
{
....
if (pEffect)
{
....
if (normal.len2() > 0)
// V522: pCEntity is still the 0 it was initialised with -- it is
// only assigned further down (from pForeignData), after this use.
pEffect->Spawn(true, pCEntity->GetSlotWorldTM(...); // <=
}
}
....
if (iForeignData == PHYS_FOREIGN_ID_ENTITY)
{
pCEntity = (CEntity*)pForeignData;
if (!pCEntity || !pCEntity->GetPhysicalProxy())
return 1;
}
....
}
V522 Dereferencing of the null pointer 'dataz' might take place. polylinedata_wrap.c 373
BOOL translatePolyline(int uid, double x, double y, double z,
int flagX, int flagY, int flagZ)
{
double *datax = NULL;
double *datay = NULL;
double *dataz = NULL; // <=
int i = 0;
if (x != 0.0)
{
datax = getDataX(uid);
if (datax == NULL) return FALSE;
....
if (z != 0 && isZCoordSet(uid))
{
/* V522: unlike datax, dataz is never fetched for 'uid' and is still
 * NULL here, so both loops below write through a null pointer. */
if (flagZ) {
for (i = 0; i < getDataSize_(uid); ++i)
{
dataz[i] = pow(10.,log10(dataz[i]) + z); // <=
}
} else {
for (i = 0; i < getDataSize_(uid); ++i)
{
dataz[i] += z; // <=
}
}
}
return TRUE;
}
V522 Dereferencing of the null pointer 'stylep' might take place. Check the logical condition. delv.c 500
static isc_result_t
setup_style(dns_master_style_t **stylep) {
isc_result_t result;
dns_master_style_t *style = NULL;
/* V522: with '||', '*stylep' is evaluated exactly when stylep is NULL.
 * Intended: REQUIRE(stylep != NULL && *stylep == NULL); */
REQUIRE(stylep != NULL || *stylep == NULL);
....
}
V522 There might be dereferencing of a potential null pointer 'first'. objstack.cpp 21
ObjStack::ObjStack(size_t chunk_s, size_t align)
: chunk_size(chunk_s), min_align(align), temp_end(0)
{
// Allocate the first chunk and start the free list at it.
// V522: the malloc() result is not checked before 'first->next' is
// written, so a failed allocation becomes a null-pointer write. A
// constructor has no error return; the fix is to throw (std::bad_alloc)
// or fail fast when 'first' is null.
first_free = first = (Node *)malloc(chunk_size);
first->next = 0;
reserve = 0;
setup_chunk();
}
Similar errors can be found in some other places:
V522 There might be dereferencing of a potential null pointer 'list'. storage-plugin-sample.c 564
storage_error_code_t sample_get_list(....)
{
....
storage_adaptor_file_info_h *list = NULL;
int len = g_list_length(_file_list);
if (0 < len) {
/* V522: calloc() can return NULL; the loop below then writes
 * 'list[i]' through a null pointer. Check it and return an error. */
list = (storage_adaptor_file_info_h *) // <=
calloc(len, sizeof(storage_adaptor_file_info_h));
for (int i = 0; i < len; i++)
list[i] = (storage_adaptor_file_info_h) // <=
g_list_nth_data(_file_list, i);
}
....
}
V522 There might be dereferencing of a potential null pointer 'plugin_task'. storage-plugin-sample.c 1016
static async_job_t *create_job_s(int fd)
{
/* Allocate a zeroed job record for descriptor 'fd'.
 * Returns NULL when the allocation fails; callers must check. */
async_job_t *new_job = (async_job_t *) calloc(1, sizeof(async_job_t));
if (new_job == NULL)
return NULL;
new_job->local_path = NULL;
new_job->cloud_path = NULL;
new_job->fd = fd;
return new_job;
}
storage_error_code_t sample_upload_async(....)
{
....
async_job_t *plugin_task = create_job_s(src_file_descriptor);
char *path = NULL;
path = g_strconcat(VIRTUAL_ROOT_PATH(context),
dir_path ? dir_path : "", "/", file_name, NULL);
/* V522: create_job_s() returns NULL when its calloc() fails (see
 * above), and that result is written through here unchecked. */
plugin_task->cloud_path = path; // <=
....
}
V522 There might be dereferencing of a potential null pointer 'cb_data'. util.c 37
void back_button_cb_push(....)
{
back_button_cb_data *cb_data = malloc(sizeof(*cb_data));
/* V522: malloc() result is unchecked before 'cb_data->cb' is written. */
cb_data->cb = cb;
....
}
V522 There might be dereferencing of a potential null pointer 'info'. navigator.c 2819
static void on_gesture_detected(void *data,
const Eldbus_Message *msg)
{
....
Gesture_Info *info = calloc(sizeof(Gesture_Info), 1); // <=
int g_type;
/* V522: info is never checked for NULL; the two early returns free()
 * it (harmless for NULL) but 'info->type' below writes through it. */
if (!msg) {
DEBUG("Incoming message is empty");
free(info);
return;
}
if (!eldbus_message_arguments_get(....)) {
DEBUG("Getting message arguments failed");
free(info);
return;
}
info->type = (Gesture)g_type; // <=
....
}
V522 There might be dereferencing of a potential null pointer 'item_type'. list_util.c 72
HAPI void quickpanel_list_util_set_item_type(....)
{
....
if (item_type == NULL) {
item_type = (int*)malloc(sizeof(int));
/* V522: malloc() result is unchecked before '*item_type' is written. */
*item_type = type;
evas_object_data_set(item, E_DATA_ITEM_LABEL_H,
(void*)item_type);
}
}
V522 There might be dereferencing of a potential null pointer 'popup_data'. popup.c 1167
void
popup_cb(void *data, Evas_Object *obj, void *event_info)
{
....
win_data *popup_data = (win_data*)malloc(sizeof(win_data));
/* V522: malloc() result is unchecked; 'popup_data->list' below writes
 * through NULL on allocation failure. */
elm_theme_extension_add(NULL, ELM_DEMO_EDJ);
/* We convince the top widget is a window */
win = ad->win;
list = elm_list_add(ad->nf);
elm_list_mode_set(list, ELM_LIST_COMPRESS);
popup_data->list = list;
popup_data->win = win;
....
}
V522 There might be dereferencing of a potential null pointer 'inputHandle'. cpp_audio_io.cpp 928
int cpp_audio_in_peek(audio_in_h input, const void **buffer,
unsigned int *length) {
....
CAudioInput* inputHandle =
dynamic_cast<CAudioInput*>(handle->audioIoHandle);
// V522: assert() disappears in NDEBUG builds, leaving a failed
// dynamic_cast (null) to be dereferenced by peek(); return an error
// for a null result instead.
assert(inputHandle);
inputHandle->peek(buffer, &_length);
....
}
V522 There might be dereferencing of a potential null pointer 'preedit_attr'. ise.cpp 392
void ise_update_preedit_string(....)
{
....
ime_preedit_attribute *preedit_attr;
....
preedit_attr = (ime_preedit_attribute *)
calloc(1, sizeof(ime_preedit_attribute));
// V522: calloc() result is unchecked before 'preedit_attr->start' is
// written.
preedit_attr->start = 0;
....
}
V522 There might be dereferencing of a potential null pointer 'msg'. QuickAccess.cpp 743
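void QuickAccess::setButtonColor(Evas_Object* button,
int r, int g, int b, int a)
{
// Send an RGBA colour to the button's Edje object as a 4-int message.
// sizeof(*msg) presumably covers val[0]; three more ints complete it.
Edje_Message_Int_Set* msg =
(Edje_Message_Int_Set *)malloc(sizeof(*msg) + 3 * sizeof(int));
if (!msg) {
// Out of memory: skip the colour update rather than write through NULL.
return;
}
msg->count = 4;
msg->val[0] = r;
msg->val[1] = g;
msg->val[2] = b;
msg->val[3] = a;
edje_object_message_send(elm_layout_edje_get(button),
EDJE_MESSAGE_INT_SET, 0, msg);
free(msg);
}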
V522 There might be dereferencing of a potential null pointer 'selected_device'. setting_item_device_list.c 121
static void device_list_select_cb(void *data, Evas_Object *obj,
void *event_info)
{
do_haptic(50);
device_info_s *info = (device_info_s *) data;
selected_device = (device_info_s *)
calloc(sizeof(device_info_s), 1);
/* V522: calloc() result is unchecked; 'selected_device->index' writes
 * through NULL on failure. (info, cast from the callback's 'data', is
 * also read without a NULL check.) */
selected_device->index = info->index;
....
}
V522 There might be dereferencing of a potential null pointer 'sql_callback'. download-db-service.cpp 75
void initialize_datacontrol_provider()
{
DM_LOGI("initialize_datacontrol_provider");
int result;
sql_callback = (data_control_provider_sql_cb *)
malloc(sizeof(data_control_provider_sql_cb));
/* V522: malloc() result is unchecked before 'sql_callback->select_cb'
 * is written. */
sql_callback->select_cb = select_request_cb;
....
}
V522 There might be dereferencing of a potential null pointer 'msg'. util.c 113
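void util_bg_color_rgba_set(Evas_Object *layout,
char r, char g, char b, char a)
{
/* Send an RGBA colour to the layout's Edje object as a 4-int message.
 * sizeof(*msg) presumably covers val[0]; three more ints complete it. */
Edje_Message_Int_Set *msg;
ret_if(!layout);
msg = malloc(sizeof(*msg) + 3 * sizeof(int));
/* Out of memory: skip the update rather than write through NULL. */
ret_if(!msg);
msg->count = 4;
msg->val[0] = r;
msg->val[1] = g;
msg->val[2] = b;
msg->val[3] = a;
edje_object_message_send(elm_layout_edje_get(layout),
EDJE_MESSAGE_INT_SET, 1, msg);
free(msg);
}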
Similar errors can be found in some other places:
V522 There might be dereferencing of a potential null pointer 't'. eina_tiler.c 1146
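EAPI Eina_Tiler *eina_tiler_new(int w, int h)
{
/* Create a w x h tiler with 32x32 tiles and rounding enabled.
 * Returns NULL for a non-positive size or when allocation fails. */
Eina_Tiler *t;
EINA_SAFETY_ON_TRUE_RETURN_VAL((w <= 0) || (h <= 0), NULL);
t = calloc(1, sizeof(Eina_Tiler));
/* Allocation failure: report it instead of writing through NULL. */
if (!t) return NULL;
/* -1 marks the "last add/del" rectangles as not yet set. */
t->last.add.w = -1;
t->last.add.h = -1;
t->last.del.w = -1;
t->last.del.h = -1;
t->area.w = w;
t->area.h = h;
t->tile.w = 32;
t->tile.h = 32;
t->rounding = EINA_TRUE;
EINA_MAGIC_SET(t, EINA_MAGIC_TILER);
_splitter_new(t);
return t;
}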
V522 There might be dereferencing of a potential null pointer 'e'. evas_cserve2_fonts.c 66
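static void *
_font_slave_error_send(Error_Type error)
{
/* Heap-allocate a copy of 'error' for the receiver to own and free.
 * Returns NULL when allocation fails instead of writing through NULL. */
Error_Type *e = calloc(1, sizeof(*e));
if (!e) return NULL;
*e = error;
return e;
}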
Similar errors can be found in some other places:
V522 There might be dereferencing of a potential null pointer 'task'. e_fm_ipc.c 489
static void
_e_fm_ipc_mkdir(int id, const char *src, const char *rel,
int rel_to EINA_UNUSED, int x, int y)
{
E_Fm_Task *task;
task = malloc(sizeof(E_Fm_Task));
/* V522: malloc() result is unchecked before 'task->id' is written. */
task->id = id;
task->type = E_FM_OP_MKDIR;
task->slave = NULL;
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'cond_col' might take place. FunctionsConditional.h 765
bool executeForNullThenElse(....)
{
....
const ColumnUInt8 * cond_col =
typeid_cast<const ColumnUInt8 *>(arg_cond.column.get());
....
if (cond_col)
{
....
}
else if (cond_const_col)
{
....
}
else
// V522: this branch is reached only when cond_col is null, so
// 'cond_col->getName()' dereferences a null pointer; the name should
// presumably come from arg_cond.column instead.
throw Exception(
"Illegal column " + cond_col->getName() + // <=
" of first argument of function " + getName() +
". Must be ColumnUInt8 or ColumnConstUInt8.",
ErrorCodes::ILLEGAL_COLUMN);
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'customDrumset' might take place. instrument.cpp 328
bool Instrument::readProperties(XmlReader& e, Part* part,
bool* customDrumset)
{
....
else if (tag == "Drum") {
// if we see on of this tags, a custom drumset will
// be created
if (!_drumset)
_drumset = new Drumset(*smDrumset);
// V522: '!customDrumset' tests the out-parameter pointer, so the body
// runs exactly when it is null and then writes '*customDrumset'.
// Presumably '!*customDrumset' was meant (after checking the pointer).
if (!customDrumset) { // <=
const_cast<Drumset*>(_drumset)->clear();
*customDrumset = true; // <=
}
const_cast<Drumset*>(_drumset)->load(e);
}
....
}
V522 Dereferencing of the null pointer 'segment' might take place. measure.cpp 2220
void Measure::read(XmlReader& e, int staffIdx)
{
Segment* segment = 0;
....
while (e.readNextStartElement()) {
const QStringRef& tag(e.name());
if (tag == "move")
e.initTick(e.readFraction().ticks() + tick());
....
else if (tag == "sysInitBarLineType") {
const QString& val(e.readElementText());
BarLine* barLine = new BarLine(score());
barLine->setTrack(e.track());
barLine->setBarLineType(val);
segment = getSegmentR(SegmentType::BeginBarLine, 0); //!!!
segment->add(barLine); // <= OK
}
....
else if (tag == "Segment")
// V522: segment is 0 unless a "sysInitBarLineType" tag was seen
// earlier in this loop, so a "Segment" tag can arrive while segment
// is still null; a segment must be obtained before reading into it.
segment->read(e); // <= ERR
....
}
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'mInputStream' might take place. FileIO.cpp 65
std::unique_ptr<wxInputStream> mInputStream;
std::unique_ptr<wxOutputStream> mOutputStream;
wxInputStream & FileIO::Read(void *buf, size_t size)
{
// Read 'size' bytes into 'buf' from the wrapped input stream.
// V522: the guard returns '*mInputStream', i.e. dereferences the very
// null it just detected. A reference return cannot express "no
// stream"; the fix is to throw (or assert) here rather than dereference.
if (mInputStream == NULL) {
return *mInputStream;
}
return mInputStream->Read(buf, size);
}
wxOutputStream & FileIO::Write(const void *buf, size_t size)
{
// Write 'size' bytes from 'buf' to the wrapped output stream.
// V522: same defect as Read(): the null guard dereferences
// mOutputStream. Throw (or assert) instead of returning '*mOutputStream'.
if (mOutputStream == NULL) {
return *mOutputStream;
}
return mOutputStream->Write(buf, size);
}
V522 Dereferencing of the null pointer 'pConsts' might take place. The null pointer is passed into 'Expr_StrIn_c' function. Inspect the third argument. Check lines: 5407, 5946. sphinxexpr.cpp 5407
Expr_StrIn_c ( const CSphAttrLocator & tLoc, int iLocator,
ConstList_c * pConsts, UservarIntSet_c * pUservar,
ESphCollation eCollation )
: Expr_ArgVsConstSet_c<int64_t> ( NULL, pConsts )
, ExprLocatorTraits_t ( tLoc, iLocator )
, m_pStrings ( NULL )
, m_pUservar ( pUservar )
{
assert ( tLoc.m_iBitOffset>=0 && tLoc.m_iBitCount>0 );
assert ( !pConsts || !pUservar );
m_fnStrCmp = GetCollationFn ( eCollation );
// V522: the assert above allows pConsts to be NULL (CreateInNode passes
// NULL for TOK_ATTR_STRING), so 'pConsts->m_sExpr' needs a null check --
// presumably the uservar path must not read it at all.
const char * sExpr = pConsts->m_sExpr.cstr(); // <=
....
}
ISphExpr * ExprParser_t::CreateInNode ( int iNode )
{
....
case TOK_ATTR_STRING:
// V522: passes NULL for pConsts, which the Expr_StrIn_c constructor
// dereferences as 'pConsts->m_sExpr'.
return new Expr_StrIn_c ( tLeft.m_tLocator,
tLeft.m_iLocator,
NULL, // <=
pUservar,
m_eCollation );
....
}
Similar errors can be found in some other places:
V522 Dereferencing of the null pointer 'pBuf' might take place. The null pointer is passed into 'Ok' function. Inspect the third argument. Check lines: 2567, 12267, 12424, 14979. searchd.cpp 2567
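void ISphOutputBuffer::SendBytes ( const void * pBuf, int iLen )
{
// Append iLen bytes from pBuf to the output buffer.
// Nothing to copy for an empty (or negative) length; returning early
// also keeps memcpy() from being handed a NULL pBuf, which callers pass
// for an absent payload.
if ( iLen<=0 )
return;
int iOff = m_dBuf.GetLength();
m_dBuf.Resize ( iOff + iLen );
memcpy ( m_dBuf.Begin() + iOff, pBuf, iLen );
}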
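void SendMysqlOkPacket ( ISphOutputBuffer & tOut, BYTE uPacketID,
int iAffectedRows=0, int iWarns=0,
const char * sMessage=NULL,
bool bMoreResults=false )
{
// Write a MySQL protocol OK packet: header, length-encoded affected rows
// and insert id, the warnings/status word, then the optional message.
DWORD iInsert_id = 0;
char sVarLen[20] = {0};
void * pBuf = sVarLen;
pBuf = MysqlPack ( pBuf, iAffectedRows );
pBuf = MysqlPack ( pBuf, iInsert_id );
int iLen = (char *) pBuf - sVarLen;
// The message is sent with its terminating NUL, hence the +1.
int iMsgLen = 0;
if ( sMessage )
iMsgLen = strlen(sMessage) + 1;
tOut.SendLSBDword ( (uPacketID<<24) + iLen + iMsgLen + 5);
tOut.SendByte ( 0 );
tOut.SendBytes ( sVarLen, iLen );
if ( iWarns<0 ) iWarns = 0;
if ( iWarns>65535 ) iWarns = 65535;
DWORD uWarnStatus = iWarns<<16;
if ( bMoreResults )
uWarnStatus |= ( SPH_MYSQL_FLAG_MORE_RESULTS );
tOut.SendLSBDword ( uWarnStatus );
// Only send the message when there is one: callers pass NULL for "no
// message", and SendBytes() must not be handed a null source.
if ( sMessage )
tOut.SendBytes ( sMessage, iMsgLen );
}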
inline void Ok( int iAffectedRows=0, int iWarns=0,
const char * sMessage=NULL,
bool bMoreResults=false )
{
// Emit a MySQL OK packet for the current packet id; when more result
// sets follow, advance the id so the next packet is numbered correctly.
SendMysqlOkPacket ( m_tOut, m_uPacketID, iAffectedRows,
iWarns, sMessage, bMoreResults );
if ( !bMoreResults )
return;
m_uPacketID++;
}
void HandleMysqlMultiStmt (....)
{
....
// V522: sMessage is NULL here; SendMysqlOkPacket forwards it to
// SendBytes(), whose memcpy() then receives a null source (length 0).
dRows.Ok ( 0, 0, NULL, bMoreResultsFollow );
....
}
V522 CWE-476 Dereferencing of the null pointer 'focus_controller_' might take place. display.cc 52
class Display : ....
{
....
// Owned focus controller; ~Display checks it against null before use.
std::unique_ptr<FocusController> focus_controller_;
....
}
Display::~Display() {
....
// V522: inverted guard -- the body runs only when focus_controller_ is
// null and then calls RemoveObserver on it. Should be
// 'if (focus_controller_)'.
if (!focus_controller_) {
focus_controller_->RemoveObserver(this);
focus_controller_.reset();
}
....
}
The condition is inverted: the body runs only when focus_controller_ is null, and then dereferences it. It should read `if (focus_controller_)`.
V522 CWE-476 Dereferencing of the null pointer 'context' might take place. device_media_async_file_util.cc 322
void DeviceMediaAsyncFileUtil::CreateOrOpen(
std::unique_ptr<FileSystemOperationContext> context, ....) {
....
// V522: 'std::move(context)' and 'context->task_runner()' are both
// arguments of the same call, and argument evaluation order is
// unspecified; if the moved-from parameter is built first, context is
// null when task_runner() is called. Fetch the task runner into a local
// before the call.
CreateSnapshotFile(
std::move(context), url,
base::Bind(
&NativeMediaFileUtil::CreatedSnapshotFileForCreateOrOpen,
base::RetainedRef(context->task_runner()),
file_flags, callback));
}
Whether a null pointer is dereferenced depends on the order in which the arguments of CreateSnapshotFile are evaluated. In C++ that order is unspecified: if the parameter receiving std::move(context) is constructed (moving the unique_ptr out) before context->task_runner() is evaluated, the dereference hits a null pointer.
Similar errors can be found in some other places:
V522 CWE-476 Dereferencing of the null pointer 'embedder_extension' might take place. Check the bitwise operation. app_view_guest.cc 186
void AppViewGuest::CreateWebContents(....) {
....
// V522: the third operator is a bitwise '|', which does not
// short-circuit, so 'embedder_extension->is_platform_app()' is
// evaluated even when embedder_extension is null; it should be '||'.
if (!guest_extension ||
!guest_extension->is_platform_app() ||
!embedder_extension |
!embedder_extension->is_platform_app()) {
callback.Run(nullptr);
return;
}
....
}
A typo: | was written instead of ||. Since bitwise | does not short-circuit, embedder_extension->is_platform_app() is evaluated even when embedder_extension is null.
V522 CWE-476 Dereferencing of the null pointer 'network_list' might take place. networking_private_service_client.cc 351
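std::unique_ptr<base::ListValue>
NetworkingPrivateServiceClient::GetEnabledNetworkTypes() {
// Report the network types this client can enable; only Wi-Fi here.
// The list must be allocated before use: a default-constructed
// unique_ptr is null, and the original called AppendString through it.
std::unique_ptr<base::ListValue> network_list(new base::ListValue());
network_list->AppendString(::onc::network_type::kWiFi);
return network_list;
}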
A smart pointer is null by default. As a smart pointer is not initialized before its usage, a dereference of a null pointer will occur.
V522 CWE-690 There might be dereferencing of a potential null pointer 'device_interface_detail_data'. Check lines: 103, 102. hid_service_win.cc 103
void HidServiceWin::EnumerateBlocking(....)
{
....
// V522: malloc() may return NULL, and 'cbSize' is then written through
// a null pointer. Check the pointer before the assignment.
std::unique_ptr<SP_DEVICE_INTERFACE_DETAIL_DATA,
base::FreeDeleter>
device_interface_detail_data(
static_cast<SP_DEVICE_INTERFACE_DETAIL_DATA*>(
malloc(required_size)));
device_interface_detail_data->cbSize =
sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);
....
}
There is no protection if the malloc function returns a null pointer.
V522 CWE-690 There might be dereferencing of a potential null pointer 'file_'. Check lines: 716, 715. visitedlink_master.cc 716
void VisitedLinkMaster::OnTableLoadComplete(....)
{
....
file_ = static_cast<FILE**>(malloc(sizeof(*file_)));
// V522: malloc() result is unchecked before '*file_' is written.
*file_ = load_from_file_result->file.release();
....
}
There is no protection if the malloc function returns a null pointer.
V522 CWE-628 Dereferencing of the null pointer 'object' might take place. The null pointer is passed into 'IsHandler' function. Inspect the first argument. Check lines: 'ic-inl.h:44', 'stub-cache.cc:19'. ic-inl.h 44
// Calling a member function through a null pointer is undefined behaviour,
// regardless of what HAS_SMI_TAG does with 'this'.
bool Object::IsSmi() const { return HAS_SMI_TAG(this); }
bool IC::IsHandler(Object* object) {
return (object->IsSmi() && (object != nullptr)) ||   // <= dereferenced first, null-checked second
object->IsDataHandler() ||   // <= also reached with a null object whenever the first term is false
object->IsWeakCell() ||
object->IsCode();
}
The object pointer is dereferenced first and only then checked for null. Indeed, the expression looks quite suspicious.
V522 CWE-690 There might be dereferencing of a potential null pointer 'TheTable'. Check lines: 65, 59. stringmap.cpp 65
void StringMapImpl::init(unsigned InitSize) {
assert((InitSize & (InitSize-1)) == 0 &&
"Init Size must be a power of 2 or zero!");
NumBuckets = InitSize ? InitSize : 16;
NumItems = 0;
NumTombstones = 0;
TheTable = (StringMapEntryBase **)
calloc(NumBuckets+1,
sizeof(StringMapEntryBase **) +
sizeof(unsigned));   // <= calloc may return NULL; the result is not checked
// Allocate one extra bucket, set it to look filled
// so the iterators stop at end.
// NOTE: if TheTable is NULL this writes NumBuckets elements past address 0,
// so an allocation failure need not show up as an immediate crash here.
TheTable[NumBuckets] = (StringMapEntryBase*)2;   // <= write through a possibly-null TheTable
}
The bug is interesting because if calloc returns NULL, the program will not necessarily crash immediately. The write is not made at the null address itself but at an offset of NumBuckets elements from it, and that offset can be large.
V522 CWE-690 There might be dereferencing of a potential null pointer 'Buckets'. Check lines: 219, 217. foldingset.cpp 219
static void **AllocateBuckets(unsigned NumBuckets) {
void **Buckets = static_cast<void**>(calloc(NumBuckets+1,
sizeof(void*)));   // <= calloc may return NULL; the result is not checked
// Set the very last bucket to be a non-null "pointer".
// NOTE: with a NULL Buckets this writes NumBuckets elements past address 0,
// so an allocation failure need not crash here.
Buckets[NumBuckets] = reinterpret_cast<void*>(-1);   // <= write through a possibly-null Buckets
return Buckets;
}
The bug is interesting because if calloc returns NULL, the program will not necessarily crash immediately. The write is not made at the null address itself but at an offset of NumBuckets elements from it, and that offset can be large.
V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 52, 51. substr.h 52
/* Allocates a SubStr wrapping 's' of length 'l'.
 * NOTE: the result of malloc is used without a NULL check. */
static SubStr *
SubStr_new_u(unsigned char *s, unsigned int l)
{
SubStr *r = malloc(sizeof(SubStr));   /* <= may be NULL */
r->str = (char*)s;   /* <= dereferenced without a check */
r->len = l;
return r;
}
The result of malloc is not checked for a null pointer before it is used.
Similar errors can be found in some other places:
V522 CWE-690 There might be dereferencing of a potential null pointer 'self'. Check lines: 22, 21. noise_suppression.c 22
/* Allocates a NoiseSuppressionC instance and returns it as an opaque handle.
 * NOTE: the result of malloc is used without a NULL check. */
NsHandle* WebRtcNs_Create() {
NoiseSuppressionC* self = malloc(sizeof(NoiseSuppressionC));   /* <= may be NULL */
self->initFlag = 0;   /* <= dereferenced without a check */
return (NsHandle*)self;
}
The result of malloc is not checked for a null pointer before it is used.
V522 CWE-690 There might be dereferencing of a potential null pointer 'left'. Check lines: 412, 403. resampler.cc 412
V522 CWE-690 There might be dereferencing of a potential null pointer 'right'. Check lines: 413, 405. resampler.cc 413
int Resampler::Push(....)
{
....
int16_t* left =
static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));   // <= malloc result not checked
int16_t* right =
static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));   // <= malloc result not checked
....
for (size_t i = 0; i < lengthIn; i += 2) {
left[i >> 1] = samplesIn[i];   // <= writes through a possibly-null left
right[i >> 1] = samplesIn[i + 1];   // <= writes through a possibly-null right
}
....
}
The results of both malloc calls are not checked for a null pointer before they are used.
Similar errors can be found in some other places:
V522 CWE-628 Dereferencing of the null pointer 'session' might take place. The null pointer is passed into 'netagent_send_error_response' function. Inspect the first argument. Check lines: 427, 972. network_agent.c 427
/* Sends an error response on the given session's control unit.
 * NOTE: 'session' is dereferenced below without a NULL check, while the
 * caller netagent_handle_unregister_message passes a NULL session on its
 * fail path. */
static int
netagent_send_error_response(
struct netagent_session *session, u_int8_t message_type,
u_int32_t message_id, u_int32_t error_code)
{
int error = 0;
u_int8_t *response = NULL;
size_t response_size = sizeof(struct netagent_message_header);
MALLOC(response, u_int8_t *, response_size,
M_NETAGENT, M_WAITOK);
if (response == NULL) {
return (ENOMEM);
}
(void)netagent_buffer_write_message_header(.....);
if ((error = netagent_send_ctl_data(session->control_unit,   /* <= session may be NULL */
(u_int8_t *)response, response_size))) {
NETAGENTLOG0(LOG_ERR, "Failed to send response");
}
FREE(response, M_NETAGENT);
return (error);
}
static void
netagent_handle_unregister_message(
struct netagent_session *session, ....)
#pragma unused(payload_length, packet, offset)
u_int32_t response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;
if (session == NULL) {
NETAGENTLOG0(LOG_ERR, "Failed to find session");
response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;
goto fail;   /* <= in the visible code this jump is taken only when session is NULL */
}
netagent_unregister_session_wrapper(session);
netagent_send_success_response(session, .....);
return;
fail:
netagent_send_error_response(   /* <= receives the NULL session and dereferences it */
session, NETAGENT_MESSAGE_TYPE_UNREGISTER, message_id,
response_error);
}
If netagent_handle_unregister_message jumps to the fail label, the null session pointer is passed on to netagent_send_error_response, where it is dereferenced.
V522 CWE-628 Dereferencing of the null pointer 'pbuf' might take place. The null pointer is passed into 'pf_lazy_makewritable' function. Inspect the second argument. Check lines: 349, 7460. pf.c 349
void *
pf_lazy_makewritable(struct pf_pdesc *pd, pbuf_t *pbuf, int len)
{
void *p;
if (pd->lmw < 0)
return (NULL);
VERIFY(pbuf == pd->mp);   /* <= rejects a NULL pbuf only if pd->mp happens to be non-NULL */
p = pbuf->pb_data;   /* <= dereferences pbuf, which pf_test_state_icmp passes as NULL */
if (len > pd->lmw) {
....
}
static int
pf_test_state_icmp(....)
{
....
if (pf_lazy_makewritable(pd, NULL,   /* <= NULL passed as pbuf; the callee dereferences it */
off + sizeof (struct icmp6_hdr)) ==
NULL)
return (PF_DROP);
....
}
pf_lazy_makewritable is called incorrectly: NULL is passed as pbuf, so a null pointer dereference might occur inside it.
V522 CWE-690 There might be dereferencing of a potential null pointer 'dp'. vfs_cache.c 1449
typedef struct vnode * vnode_t;   /* vnode_t is a pointer type, so 'dp' below may be NULL */
int
cache_lookup_path(...., vnode_t dp, ....)
{
....
if (dp && (dp->v_flag & VISHARDLINK)) {   /* <= this condition treats dp as possibly NULL */
break;
}
if ((dp->v_flag & VROOT) ||   /* <= but here dp is dereferenced with no NULL check */
dp == ndp->ni_rootdir ||
dp->v_parent == NULLVP)
break;
....
}
The pointer dp can be null, as the first condition acknowledges. Yet a few lines later the pointer is dereferenced without any such check.