Examples of errors detected by the V769 diagnostic.


V769. The pointer in the expression equals nullptr. The resulting value is meaningless and should not be used.


Tor

V769 The 'strchr(cp, ':')' pointer in the 'strchr(cp, ':') + 2' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. dns.c 163


static void
evdns_log_cb(int warn, const char *msg)
{
  ....
  const char *err = strchr(cp, ':')+2;
  tor_assert(err);
  ....
}

Aspell

V769 The 'strchr(s, ':')' pointer in the 'strchr(s, ':') + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. posib_err.cpp 52


PosibErrBase & PosibErrBase::set(....)
{
  ....
  s = strchr(s, ':') + 1;
  unsigned int ip = *s - '0' - 1;
  ....
}

Similar errors can be found in some other places:

  • V769 The 'begin_' pointer in the 'begin_ + old_size' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. string.cpp 36
  • V769 The 'w->data' pointer in the 'w->data + cc' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. typo_editdist.cpp 166
  • V769 The '(cur)->str' pointer in the '(cur)->str + pos' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. prezip.c 103
  • And 1 additional diagnostic message.
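Added example (not Tor's or Aspell's code) showing the two strchr snippets above rewritten so that the NULL check comes before the offset is applied; text_after_colon and index_after_colon are hypothetical helper names, and the inputs in the comments are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hardened counterpart of `strchr(cp, ':') + 2`: the offset is applied
 * only after the NULL check, and the step past the ':' is bounded by the
 * string's own terminator. Returns NULL when msg has no ':'. */
const char *text_after_colon(const char *msg)
{
    if (msg == NULL)
        return NULL;
    const char *colon = strchr(msg, ':');
    if (colon == NULL)          /* no separator: never compute NULL + 2 */
        return NULL;
    const char *p = colon + 1;  /* valid: colon points inside msg */
    while (*p == ' ')           /* skip the blank the "+2" silently assumed */
        p++;
    return p;                   /* may be "" if ':' ended the string */
}

/* Hardened counterpart of the Aspell snippet: the digit after ':' is a
 * 1-based index. Returns -1 when there is no ':' or no digit follows it,
 * instead of reading *(NULL + 1). */
int index_after_colon(const char *s)
{
    const char *colon = (s != NULL) ? strchr(s, ':') : NULL;
    if (colon == NULL)
        return -1;
    const char *digit = colon + 1;
    if (*digit < '1' || *digit > '9')   /* '\0' or junk: malformed input */
        return -1;
    return *digit - '0' - 1;
}
```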

EFL Core Libraries

V769 The 'ed->file->sound_dir->samples' pointer in the expression could be nullptr. In such case, resulting value of arithmetic operations on this pointer will be senseless and it should not be used. edje_edit.c 1271


EAPI Eina_Bool
edje_edit_sound_sample_add(Evas_Object *obj, const char *name,
                           const char *snd_src)
{
   ....
   ed->file->sound_dir->samples =
     realloc(ed->file->sound_dir->samples,
             sizeof(Edje_Sound_Sample) *
             ed->file->sound_dir->samples_count);

   sound_sample = ed->file->sound_dir->samples +
     ed->file->sound_dir->samples_count - 1;
   sound_sample->name = (char *)eina_stringshare_add(name);
   ....
}

Similar errors can be found in some other places:

  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 539
  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 611
  • V769 The 'tmp' pointer in the 'tmp ++' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. evas_object_textblock.c 11131
  • And 7 additional diagnostic messages.

MySQL

V769 The 'new_buffer' pointer in the 'new_buffer + fixed_header_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 74, 73. gcs_message_stage_lz4.cc 74


bool
Gcs_message_stage_lz4::apply(Gcs_packet &packet)
{
  ....
  unsigned char *new_buffer =
    (unsigned char*) malloc(new_capacity);
  unsigned char *new_payload_ptr =
    new_buffer + fixed_header_len + hd_len;

  // compress payload
  compressed_len=
    LZ4_compress_default((const char*)packet.get_payload(),
                         (char*)new_payload_ptr,
                         static_cast<int>(old_payload_len),
                         compress_bound);
  ....
}

V8 JavaScript Engine

V769 CWE-119 The 'copy' pointer in the 'copy + prefix_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 394, 393. code-assembler.cc 394


void CodeAssembler::Comment(const char* format, ...) {
  ....
  const int prefix_len = 2;
  int length = builder.position() + 1;
  char* copy = reinterpret_cast<char*>(malloc(length +
                                              prefix_len));
  MemCopy(copy + prefix_len, builder.Finalize(), length);
  copy[0] = ';';
  copy[1] = ' ';
  raw_assembler()->Comment(copy);
}

There is no protection if the malloc function returns a null pointer.


Clang

V769 CWE-119 The 'NewTableArray' pointer in the 'NewTableArray + NewSize' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 218, 216. stringmap.cpp 218


unsigned StringMapImpl::RehashTable(unsigned BucketNo) {
  ....
  StringMapEntryBase **NewTableArray =
    (StringMapEntryBase **)calloc(NewSize+1,
      sizeof(StringMapEntryBase *) + sizeof(unsigned));
  unsigned *NewHashArray =
    (unsigned *)(NewTableArray + NewSize + 1);
  NewTableArray[NewSize] = (StringMapEntryBase*)2;
  ....
}

The bug is interesting because if calloc returns NULL, the program will not necessarily crash immediately: the write goes not to the null pointer itself but to an address offset from it by NewSize elements.


Hunspell

V769 CWE-119 The 'candidate' pointer in the 'candidate + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 864, 863. suggestmgr.cxx 864


int SuggestMgr::twowords(....)
{
  ....
  char* candidate = (char*)malloc(wl + 2);
  strcpy(candidate + 1, word);
  ....
}

There is no protection if the malloc function returns a null pointer.
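Added example, not V8's, Clang's or Hunspell's code, of the malloc-then-offset pattern from the three snippets above with the NULL check placed before the arithmetic; prefixed_copy_with, its alloc_fn hook and failing_alloc are hypothetical names introduced so the allocation-failure path can be exercised without real memory pressure.

```c
#include <stdlib.h>
#include <string.h>

/* Allocator hook so the out-of-memory path can be driven from a test.
 * Hypothetical helper, not part of V8 or Hunspell. */
typedef void *(*alloc_fn)(size_t);

/* Hardened counterpart of the V8 Comment() snippet: builds "; <text>".
 * The result of the allocation is checked BEFORE any arithmetic on it;
 * on failure the caller gets NULL instead of a write through
 * (NULL + prefix_len). The caller frees the result. */
char *prefixed_copy_with(alloc_fn alloc, const char *text)
{
    const size_t prefix_len = 2;
    size_t length = strlen(text) + 1;        /* includes the NUL */
    char *copy = alloc(length + prefix_len);
    if (copy == NULL)
        return NULL;                          /* the check the originals lack */
    memcpy(copy + prefix_len, text, length);  /* copy is now a valid pointer */
    copy[0] = ';';
    copy[1] = ' ';
    return copy;
}

/* Convenience wrapper using the real allocator. */
char *prefixed_copy(const char *text)
{
    return prefixed_copy_with(malloc, text);
}

/* Constructed allocator that always fails, standing in for an OOM condition. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}
```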


