Hi, Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan. 12 new defect(s) introduced to LibreOffice found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s) ** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_java2uno.cxx: 218 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const() 212 { 213 JLocalAutoRef jo_arg( 214 jni, jni->GetObjectArrayElement( jo_args, nPos ) ); 215 jni.ensure_no_exception(); 216 jvalue java_arg; 217 java_arg.l = jo_arg.get(); >>> CID 1462318: Memory - illegal accesses (USE_AFTER_FREE) >>> Calling "map_to_uno" dereferences freed pointer "type". 218 map_to_uno( 219 jni, uno_args[ nPos ], java_arg, type, nullptr, 220 false /* no assign */, param.bOut, 221 true /* special wrapped integral types */ ); 222 } 223 catch (...) ** CID 1462317: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1462317: Null pointer dereferences (FORWARD_NULL) /sw/source/core/crsr/crsrsh.cxx: 1235 in SwCursorShell::GetPageNumSeqNonEmpty()() 1229 // page number: first visible page or the one at the cursor 1230 const SwContentFrame* pCFrame = GetCurrFrame(/*bCalcFrame*/true); 1231 const SwPageFrame* pPg = nullptr; 1232 1233 if (!pCFrame ) 1234 { >>> CID 1462317: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "pCFrame" to "FindPageFrame", which dereferences it. 
1235 pPg = pCFrame->FindPageFrame(); 1236 if( !pPg ) 1237 { 1238 pPg = Imp()->GetFirstVisPage(GetOut()); 1239 while (pPg && pPg->IsEmptyPage()) 1240 pPg = static_cast<const SwPageFrame*>(pPg->GetNext()); ** CID 1462316: (USE_AFTER_FREE) /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)() ________________________________________________________________________________________________________ *** CID 1462316: (USE_AFTER_FREE) /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 457 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)() 451 } 452 uno_Environment_invoke(m_to.get(), s_type_destructData_v, args[nPos], param.pTypeRef, 0); 453 } 454 } 455 if (ret != pReturn) 456 { >>> CID 1462316: (USE_AFTER_FREE) >>> Calling "uno_type_copyAndConvertData" dereferences freed pointer "pReturnTypeRef". 457 uno_type_copyAndConvertData(pReturn, 458 ret, 459 pReturnTypeRef, 460 m_to_from.get()); 461 462 uno_Environment_invoke(m_to.get(), s_type_destructData_v, ret, pReturnTypeRef, 0); /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)() 485 486 // FIXME: need to destruct in m_to 487 uno_any_destruct(exc, nullptr); 488 } 489 490 if (m_probeFun) >>> CID 1462316: (USE_AFTER_FREE) >>> Passing freed pointer "pReturnTypeRef" as an argument to "*this->m_probeFun". 
491 m_probeFun(false, 492 this, 493 m_pProbeContext, 494 pReturnTypeRef, 495 pParams, 496 nParams, ** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO) /vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()() ________________________________________________________________________________________________________ *** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO) /vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()() 12785 if (m_nNonCustomLineHeight != -1) 12786 { 12787 gint nNormalHeight = get_height_rows(m_nNonCustomLineHeight, nSeparatorHeight, nMaxRows); 12788 if (nHeight > nNormalHeight) 12789 { 12790 gint nRowsOnly = nNormalHeight - get_height_rows(0, nSeparatorHeight, nMaxRows); >>> CID 1462315: Integer handling issues (DIVIDE_BY_ZERO) >>> In expression "(nRowsOnly + (nRowHeight - 1)) / nRowHeight", division by expression "nRowHeight" which may be zero has undefined behavior. 12791 gint nCustomRows = (nRowsOnly + (nRowHeight - 1)) / nRowHeight; 12792 nHeight = get_height_rows(nRowHeight, nSeparatorHeight, nCustomRows); 12793 } 12794 } 12795 12796 return nHeight; ** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/cpp_uno/gcc3_linux_x86-64/cpp2uno.cxx: 78 in cpp2uno_call(bridges::cpp_uno::shared::CppInterfaceProxy *, const _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, _typelib_MethodParameter *, void **, void **, void **, unsigned long *)() 72 73 void * pUnoReturn = nullptr; 74 void * pCppReturn = nullptr; // complex return ptr: if != 0 && != pUnoReturn, reconversion need 75 76 if ( pReturnTypeDescr ) 77 { >>> CID 1462314: Memory - illegal accesses (USE_AFTER_FREE) >>> Calling "return_in_hidden_param" dereferences freed pointer "pReturnTypeRef". 
78 if ( x86_64::return_in_hidden_param( pReturnTypeRef ) ) 79 { 80 pCppReturn = *gpreg++; 81 nr_gpr++; 82 83 pUnoReturn = ( bridges::cpp_uno::shared::relatesToInterfaceType( pReturnTypeDescr ) ** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() ________________________________________________________________________________________________________ *** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() 1041 case typelib_TypeClass_INTERFACE: 1042 { 1043 TypeDescr element_td( element_type ); 1044 seq = seq_allocate( nElements, element_td.get()->nSize ); 1045 1046 JNI_type_info const * element_info; >>> CID 1462313: Memory - illegal accesses (USE_AFTER_FREE) >>> Dereferencing freed pointer "element_type". 
1047 if (element_type->eTypeClass == typelib_TypeClass_STRUCT || 1048 element_type->eTypeClass == typelib_TypeClass_EXCEPTION || 1049 element_type->eTypeClass == typelib_TypeClass_INTERFACE) 1050 { 1051 element_info = 1052 getJniInfo()->get_type_info( jni, element_td.get() ); ** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() ________________________________________________________________________________________________________ *** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() 2382 } 2383 } 2384 break; 2385 } 2386 default: 2387 { >>> CID 1462312: Memory - illegal accesses (USE_AFTER_FREE) >>> Dereferencing freed pointer "type". 
2388 throw BridgeRuntimeError( 2389 "[map_to_java():" + OUString::unacquired( &type->pTypeName ) 2390 + "] unsupported element type: " 2391 + OUString::unacquired( &element_type->pTypeName ) 2392 + jni.get_stack_trace() ); 2393 } ** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE) /cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One() ________________________________________________________________________________________________________ *** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE) /cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One() 799 &pNew, pSequence->elements, 800 reinterpret_cast<typelib_IndirectTypeDescription *>(pTypeDescr)->pType, 801 pSequence->nElements, acquire, 802 pSequence->nElements ); // alloc nElements 803 if (ret) 804 { >>> CID 1462311: Memory - illegal accesses (USE_AFTER_FREE) >>> Passing freed pointer "pType" as an argument to "idestructSequence". 805 idestructSequence( *ppSequence, pType, pTypeDescr, release ); 806 *ppSequence = pNew; 807 } 808 809 TYPELIB_DANGER_RELEASE( pTypeDescr ); 810 } ** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() ________________________________________________________________________________________________________ *** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const() 1088 } 1089 } 1090 break; 1091 } 1092 default: 1093 { >>> CID 1462310: Memory - illegal accesses (USE_AFTER_FREE) >>> Dereferencing freed pointer "type". 
1094 throw BridgeRuntimeError( 1095 "[map_to_uno():" + OUString::unacquired( &type->pTypeName ) 1096 + "] unsupported sequence element type: " 1097 + OUString::unacquired( &element_type->pTypeName ) 1098 + jni.get_stack_trace() ); 1099 } ** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE) /cppu/source/uno/destr.hxx: 139 in cppu::_destructAny(_uno_Any *, void (*)(void *))() 133 break; 134 } 135 #if OSL_DEBUG_LEVEL > 0 136 pAny->pData = reinterpret_cast<void *>(uintptr_t(0xdeadbeef)); 137 #endif 138 >>> CID 1462309: Memory - illegal accesses (USE_AFTER_FREE) >>> Calling "typelib_typedescriptionreference_release" dereferences freed pointer "pType". 139 ::typelib_typedescriptionreference_release( pType ); 140 } 141 142 inline sal_Int32 idestructElements( 143 void * pElements, typelib_TypeDescriptionReference * pElementType, 144 sal_Int32 nStartIndex, sal_Int32 nStopIndex, ** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const() ________________________________________________________________________________________________________ *** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE) /bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const() 280 type->eTypeClass != typelib_TypeClass_ENUM) // opt 281 { 282 uno_type_destructData( uno_args[ nPos ], type, nullptr ); 283 } 284 } 285 >>> CID 1462308: Memory - illegal accesses (USE_AFTER_FREE) >>> Dereferencing 
freed pointer "return_type". 286 if (return_type->eTypeClass != typelib_TypeClass_VOID) 287 { 288 // convert uno return value 289 jvalue java_ret; 290 try 291 { ** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT) /usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile, std::default_delete<ImpSwapFile>>::~unique_ptr()() ________________________________________________________________________________________________________ *** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT) /usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile, std::default_delete<ImpSwapFile>>::~unique_ptr()() 264 is_convertible<_Up*, _Tp*>, is_same<_Dp, default_delete<_Tp>>>> 265 unique_ptr(auto_ptr<_Up>&& __u) noexcept; 266 #pragma GCC diagnostic pop 267 #endif 268 269 /// Destructor, invokes the deleter if the stored pointer is not null. >>> CID 1401307: Error handling issues (UNCAUGHT_EXCEPT) >>> An exception of type "com::sun::star::uno::DeploymentException" is thrown but the throw list "noexcept" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate(). 
270 ~unique_ptr() noexcept 271 { 272 auto& __ptr = _M_t._M_ptr(); 273 if (__ptr != nullptr) 274 get_deleter()(__ptr); 275 __ptr = pointer(); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teExViPHTTReBArhCRZ3BE4kCjKjDqn2Dq3ZyEbAvAs31gRpU3vMPHDnoSx68vDAWjNU-3Dq6Zf_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJiWxs1vCErrIoYNhvdSMCQZgtcTF1D1LHrM3BsCXfAnGLgzcESsBiDVBNAzScIJMBKxkjb-2FR4nA3EkYvrk3n8Jn3JSKruVetBKAm4VVL7T9gKyxdchpudUX5yfzsH9q8XL9yh0-2Fozoj-2Fj46ltBXuk8AF60n-2FfLRJ15DL4KQnpvIQnifjmsyCotlUhezAX6JNBi