Re: [PATCH 3/3] Fix "NULL_RETURNS" caught by coverity

On Wed, Aug 06, 2014 at 12:08:52PM +0200, Fabiano Fidêncio wrote:
> On Mon, Aug 4, 2014 at 3:39 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx>
> wrote:
> 
> > On Mon, Jul 14, 2014 at 01:44:45PM +0200, Fabiano Fidêncio wrote:
> > > On Mon, Jul 14, 2014 at 1:30 PM, Marc-André Lureau <mlureau@xxxxxxxxxx>
> > > wrote:
> > > > Could malloc & free do not have annotations like the glib ones.
> > > >
> > > > What happens for example if you replace malloc() by g_malloc(), and
> > > > free() by g_free() in the function below?
> > > >
> > >
> > > I don't think that would help as one of Coverity's complaints came
> > > from: "data = g_malloc(d->area.width * d->area.height * 3);"
> >
> > Did it complain about an unchecked return value?
> 
> 
> This is the message:
> Error: NULL_RETURNS (CWE-476): [#def51]
> spice-gtk-0.25.28-591b-dirty/spice-gtk-0.25.28/gtk/spice-widget.c:2564:
> returned_null: Function "g_malloc0(gsize)" returns null.
> spice-gtk-0.25.28-591b-dirty/spice-gtk-0.25.28/gtk/spice-widget.c:2564:
> var_assigned: Assigning: "data" = null return value from "g_malloc0(gsize)".
> spice-gtk-0.25.28-591b-dirty/spice-gtk-0.25.28/gtk/spice-widget.c:2566:
> alias: Assigning: "dest" = "data".  Both pointers are now null.
> spice-gtk-0.25.28-591b-dirty/spice-gtk-0.25.28/gtk/spice-widget.c:2571:
> dereference: Dereferencing a null pointer "dest".
> 
> 
> > It could be complaining about a potential integer overflow when computing
> > how much to alloc.
> >
> 
> Yeah, actually it does make sense, but still weird. I don't remember a
> place where we could set, for instance, width or height with a really big
> value.

This seems to come more or less directly from the remote side, though
maybe there is a place where we validate these values are small enough.

> Anyway, what is your suggestion? Check if d->area.width * d->area.height *
> 3 > 0 before alloc?

You can add a g_return_if_fail(d->area.width != 0); and
g_return_if_fail(d->area.height != 0); as this is unexpected and
wouldn't work right now anyway.


Christophe
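
Added example, not part of the original thread or of spice-gtk: a sketch of the two cases discussed above for a width * height * 3 allocation, a zero dimension (g_malloc()/g_malloc0() return NULL for a zero-byte request) and a product that wraps. It uses calloc() in place of g_malloc0() so it builds without GLib; the function names and sample dimensions are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 3u  /* 24-bit RGB, as in width * height * 3 */

/* Unchecked 32-bit product: wraps silently for large dimensions. */
static uint32_t naive_rgb_size32(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hypothetical helper: byte count for the buffer, or 0 when a
 * dimension is zero or the product does not fit in size_t. */
static size_t checked_rgb_size(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    size_t row = (size_t)width * BYTES_PER_PIXEL;
    if ((size_t)height > SIZE_MAX / row)
        return 0;
    return row * (size_t)height;
}

/* Hypothetical wrapper: refuses bad dimensions before allocating, so
 * a NULL result is an explicit, checkable outcome for the caller. */
static uint8_t *alloc_rgb_buffer(uint32_t width, uint32_t height)
{
    size_t n = checked_rgb_size(width, height);
    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    /* Constructed sample dimensions. */
    printf("naive 65536x65536: %u\n", (unsigned)naive_rgb_size32(65536, 65536));
    printf("checked 640x480:   %zu\n", checked_rgb_size(640, 480));
    uint8_t *buf = alloc_rgb_buffer(0, 480);
    printf("alloc 0x480:       %s\n", buf ? "buffer" : "NULL (rejected)");
    free(buf);
    return 0;
}
```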
