Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
10 new defect(s) introduced to LibreOffice found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)
** CID 1455216: Null pointer dereferences (REVERSE_INULL)
/sw/source/uibase/shells/basesh.cxx: 2367 in SwBaseShell::ExecBckCol(SfxRequest &)()
________________________________________________________________________________________________________
*** CID 1455216: Null pointer dereferences (REVERSE_INULL)
/sw/source/uibase/shells/basesh.cxx: 2367 in SwBaseShell::ExecBckCol(SfxRequest &)()
2361 SvxColorItem aNewColorItem(nSlotId);
2362 aNewColorItem.SetValue(aColor);
2363
2364 GetView().GetViewFrame()->GetBindings().SetState(aNewColorItem);
2365 }
2366 }
>>> CID 1455216: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pArgs" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
2367 else if(pArgs)
2368 {
2369 const SvxColorItem& rNewColorItem = static_cast<const SvxColorItem&>(pArgs->Get(nSlotId));
2370 const Color& rNewColor = rNewColorItem.GetValue();
2371 aBrushItem->SetColor(rNewColor);
2372 GetView().GetViewFrame()->GetBindings().SetState(rNewColorItem);
** CID 1455215: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1455215: Integer handling issues (NEGATIVE_RETURNS)
/sd/source/filter/eppt/pptx-animations.cxx: 1057 in <unnamed>::PPTXAnimationExport::WriteAnimationNodeCommonPropsStart()()
1051 sal_Int16 nFill = AnimationExporter::GetFillMode(rXNode, AnimationFill::AUTO);
1052 pFill = convertAnimationFill(nFill);
1053 }
1054
1055 bool bAutoReverse = rXNode->getAutoReverse();
1056
>>> CID 1455215: Integer handling issues (NEGATIVE_RETURNS)
>>> "nPresetSubType" is passed to a parameter that cannot be negative.
1057 mpFS->startElementNS(
1058 XML_p, XML_cTn, XML_id, OString::number(GetNextAnimationNodeId(rXNode)), XML_dur,
1059 fDuration != 0 ? OString::number(static_cast<sal_Int32>(fDuration * 1000.0)).getStr()
1060 : pDuration,
1061 XML_autoRev, bAutoReverse ? "1" : nullptr, XML_restart, pRestart, XML_nodeType, pNodeType,
1062 XML_fill, pFill, XML_presetClass, pPresetClass, XML_presetID,
** CID 1455214: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1455214: Uninitialized variables (UNINIT)
/sc/source/filter/rtf/eeimpars.cxx: 336 in ScEEImport::WriteToDocument(bool, double, SvNumberFormatter *, bool)()
330 aParam.mbDetectNumberFormat = true;
331 aParam.meSetTextNumFormat = ScSetStringParam::SpecialNumberOnly;
332 aParam.mbHandleApostrophe = false;
333 aParam.mbCheckLinkFormula = true;
334
335 if (!aValStr.isEmpty())
>>> CID 1455214: Uninitialized variables (UNINIT)
>>> Using uninitialized value "fVal" when calling "SetValue".
336 mpDoc->SetValue( nCol, nRow, nTab, fVal );
337 else if ( !pE->aSel.HasRange() )
338 {
339 // maybe ALT text of IMG or similar
340 mpDoc->SetString( nCol, nRow, nTab, pE->aAltText, &aParam );
341 // If SelRange is completely empty, the succeeding text can be in the same paragraph!
** CID 1455213: (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1455213: (FORWARD_NULL)
/sc/source/core/tool/address.cxx: 1283 in lcl_ScAddress_Parse_OOo(const char16_t *, const ScDocument *, ScAddress &, ScRefFlags &, ScAddress::ExternalInfo *, ScRange *, int *, const rtl::OUString *)()
1277 }
1278 else
1279 {
1280 if (rtl::isAsciiAlpha( *p ))
1281 {
1282 nCol = sal::static_int_cast<SCCOL>( rtl::toAsciiUpperCase( *p++ ) - 'A' );
>>> CID 1455213: (FORWARD_NULL)
>>> Passing null pointer "pDoc" to "MaxCol", which dereferences it.
1283 while (nCol < pDoc->MaxCol() && rtl::isAsciiAlpha(*p))
1284 nCol = sal::static_int_cast<SCCOL>( ((nCol + 1) * 26) + rtl::toAsciiUpperCase( *p++ ) - 'A' );
1285 }
1286 else
1287 nBits = ScRefFlags::ZERO;
1288
/sc/source/core/tool/address.cxx: 1289 in lcl_ScAddress_Parse_OOo(const char16_t *, const ScDocument *, ScAddress &, ScRefFlags &, ScAddress::ExternalInfo *, ScRange *, int *, const rtl::OUString *)()
1283 while (nCol < pDoc->MaxCol() && rtl::isAsciiAlpha(*p))
1284 nCol = sal::static_int_cast<SCCOL>( ((nCol + 1) * 26) + rtl::toAsciiUpperCase( *p++ ) - 'A' );
1285 }
1286 else
1287 nBits = ScRefFlags::ZERO;
1288
>>> CID 1455213: (FORWARD_NULL)
>>> Passing null pointer "pDoc" to "MaxCol", which dereferences it.
1289 if (nCol > pDoc->MaxCol() || (*p && *p != '$' && !rtl::isAsciiDigit( *p ) &&
1290 (!pErrRef || !lcl_isString( p, *pErrRef))))
1291 nBits = ScRefFlags::ZERO;
1292 if( nBits == ScRefFlags::ZERO )
1293 p = q;
1294 }
/sc/source/core/tool/address.cxx: 1333 in lcl_ScAddress_Parse_OOo(const char16_t *, const ScDocument *, ScAddress &, ScRefFlags &, ScAddress::ExternalInfo *, ScRange *, int *, const rtl::OUString *)()
1327 }
1328 else
1329 {
1330 long n = rtl_ustr_toInt32( p, 10 ) - 1;
1331 while (rtl::isAsciiDigit( *p ))
1332 p++;
>>> CID 1455213: (FORWARD_NULL)
>>> Passing null pointer "pDoc" to "MaxRow", which dereferences it.
1333 if( n < 0 || n > pDoc->MaxRow() )
1334 nBits = ScRefFlags::ZERO;
1335 nRow = static_cast<SCROW>(n);
1336 }
1337 if( nBits == ScRefFlags::ZERO )
1338 p = q;
** CID 1455212: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/shared_ptr_base.h: 550 in std::_Sp_counted_ptr_inplace<SfxRequest, std::allocator<SfxRequest>, (__gnu_cxx::_Lock_policy)2>::_M_dispose()()
________________________________________________________________________________________________________
*** CID 1455212: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/shared_ptr_base.h: 550 in std::_Sp_counted_ptr_inplace<SfxRequest, std::allocator<SfxRequest>, (__gnu_cxx::_Lock_policy)2>::_M_dispose()()
544 std::forward<_Args>(__args)...); // might throw
545 }
546
547 ~_Sp_counted_ptr_inplace() noexcept { }
548
549 virtual void
>>> CID 1455212: Error handling issues (UNCAUGHT_EXCEPT)
>>> An exception of type "com::sun::star::uno::DeploymentException" is thrown but the throw list "noexcept" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
550 _M_dispose() noexcept
551 {
552 allocator_traits<_Alloc>::destroy(_M_impl._M_alloc(), _M_ptr());
553 }
554
555 // Override because the allocator needs to know the dynamic type
** CID 1455211: (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1455211: (FORWARD_NULL)
/sw/source/uibase/shells/textsh1.cxx: 1187 in SwTextShell::Execute(SfxRequest &)()
1181
1182 if(pItem)
1183 {
1184 aSet = static_cast<const SvxColorItem*>(pItem)->GetValue();
1185 bHasItem = true;
1186 }
>>> CID 1455211: (FORWARD_NULL)
>>> Passing null pointer "pArgs" to "GetItemState", which dereferences it.
1187 else if(SfxItemState::SET == pArgs->GetItemState(SID_ATTR_COLOR_STR, false, &pColorStringItem))
1188 {
1189 sColor = static_cast<const SfxStringItem*>(pColorStringItem)->GetValue();
1190 aSet = Color(sColor.toInt32(16));
1191 bHasItem = true;
1192 }
/sw/source/uibase/shells/textsh1.cxx: 1219 in SwTextShell::Execute(SfxRequest &)()
1213 case SID_ATTR_CHAR_COLOR_EXT:
1214 {
1215 Color aSet;
1216 OUString sColor;
1217 const SfxPoolItem* pColorStringItem = nullptr;
1218
>>> CID 1455211: (FORWARD_NULL)
>>> Passing null pointer "pArgs" to "GetItemState", which dereferences it.
1219 if (SfxItemState::SET == pArgs->GetItemState(SID_ATTR_COLOR_STR, false, &pColorStringItem))
1220 {
1221 sColor = static_cast<const SfxStringItem*>(pColorStringItem)->GetValue();
1222 if (sColor == "transparent")
1223 aSet = COL_TRANSPARENT;
1224 else
** CID 1455210: Null pointer dereferences (REVERSE_INULL)
/sd/source/ui/slidesorter/controller/SlsSlotManager.cxx: 889 in sd::slidesorter::controller::SlotManager::RenameSlide(const SfxRequest &)()
________________________________________________________________________________________________________
*** CID 1455210: Null pointer dereferences (REVERSE_INULL)
/sd/source/ui/slidesorter/controller/SlsSlotManager.cxx: 889 in sd::slidesorter::controller::SlotManager::RenameSlide(const SfxRequest &)()
883
884 // tdf#107183 Set different dialog titles when renaming
885 // master slides or normal ones
886 OUString aTitle;
887 if( rRequest.GetSlot() == SID_RENAME_MASTER_PAGE )
888 aTitle = SdResId( STR_TITLE_RENAMEMASTER );
>>> CID 1455210: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pDrView" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
889 else if (pDrView && pDrView->GetDoc().GetDocumentType() == DocumentType::Draw)
890 aTitle = SdResId( STR_TITLE_RENAMEPAGE );
891 else
892 aTitle = SdResId( STR_TITLE_RENAMESLIDE );
893
894 OUString aDescr( SdResId( STR_DESC_RENAMESLIDE ) );
** CID 1455209: Memory - illegal accesses (WRAPPER_ESCAPE)
/hwpfilter/source/hwpread.cxx: 493 in Picture::Read(HWPFile &)()
________________________________________________________________________________________________________
*** CID 1455209: Memory - illegal accesses (WRAPPER_ESCAPE)
/hwpfilter/source/hwpread.cxx: 493 in Picture::Read(HWPFile &)()
487 }
488 follow_block_size = follow.size();
489
490 if (pictype == PICTYPE_DRAW)
491 {
492 auto xNewMem(std::make_unique<HMemIODev>(reinterpret_cast<char*>(follow.data()), follow_block_size));
>>> CID 1455209: Memory - illegal accesses (WRAPPER_ESCAPE)
>>> The internal representation of local "xNewMem" escapes, but is destroyed when it exits scope.
493 auto xGuard(std::make_unique<ChangeMemGuard>(xNewMem.get()));
494 LoadDrawingObjectBlock(this);
495 style.cell = picinfo.picdraw.hdo;
496 xGuard.reset();
497 xNewMem.reset();
498 }
** CID 1455208: Uninitialized members (UNINIT_CTOR)
/sc/source/ui/navipi/navipi.cxx: 75 in ColumnEdit::ColumnEdit(vcl::Window *, long)()
________________________________________________________________________________________________________
*** CID 1455208: Uninitialized members (UNINIT_CTOR)
/sc/source/ui/navipi/navipi.cxx: 75 in ColumnEdit::ColumnEdit(vcl::Window *, long)()
69
70 ColumnEdit::ColumnEdit(Window* pParent, WinBits nWinBits)
71 : SpinField(pParent, nWinBits),
72 nCol(0)
73 {
74 SetMaxTextLen(SCNAV_COLDIGITS); // 1...256...18278 or A...IV...ZZZ
>>> CID 1455208: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "mpDoc" is not initialized in this constructor nor in any functions that it calls.
75 }
76
77 ColumnEdit::~ColumnEdit()
78 {
79 disposeOnce();
80 }
** CID 1426874: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1426874: Null pointer dereferences (FORWARD_NULL)
/sw/source/uibase/shells/basesh.cxx: 2348 in SwBaseShell::ExecBckCol(SfxRequest &)()
2342 const SfxPoolItem* pColorStringItem = nullptr;
2343 bool bIsTransparent = false;
2344
2345 aBrushItem->SetGraphicPos(GPOS_NONE);
2346
2347 sal_uInt16 nSlotId = SID_BACKGROUND_COLOR ? SID_BACKGROUND_COLOR : SID_TABLE_CELL_BACKGROUND_COLOR;
>>> CID 1426874: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "pArgs" to "GetItemState", which dereferences it.
2348 if (SfxItemState::SET == pArgs->GetItemState(SID_ATTR_COLOR_STR, false, &pColorStringItem))
2349 {
2350 OUString sColor = static_cast<const SfxStringItem*>(pColorStringItem)->GetValue();
2351 if (sColor == "transparent")
2352 {
2353 bIsTransparent = true;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZBnDJeNb0HijxaS4JNJPxk3kpyAm2AYqo71yXmnOxB73RtgzoPcQtNNP5dkHLuV1E-3D_g-2BrHdvqzaBa155F-2F8AmPhpJzY63UzWDisJV95WUBpGhqFw1ICExHG8aMaV2EoFpyuSlpLVEctZaZUNqwi-2FZU5qWRu-2F25OG2PjazBVyc9v42T7lJdf45wzh5QTyhT0NzsR8gln5XrVIKret-2Bxf9Kqm56n-2BXwtMdK8hcI-2BsoUaRXUdch8yT-2Fa2hcqdUFFVX9BbdZCjJnWpJhwVil9w4BRBvngl0SZMI9U06OkX77qW1Co-3D
_______________________________________________
LibreOffice mailing list
LibreOffice@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/libreoffice
New Defects reported by Coverity Scan for LibreOffice
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: New Defects reported by Coverity Scan for LibreOffice
- From: scan-admin@xxxxxxxxxxxx
- Date: Sat, 02 Nov 2019 08:35:18 +0000 (UTC)
- Prev by Date: Re: VCL drawPolygon() off-by-one without line color
- Next by Date: Crash test update
- Previous by thread: New Defects reported by Coverity Scan for LibreOffice
- Next by thread: New Defects reported by Coverity Scan for LibreOffice
- Index(es):
 |