This file contains the errors that Andrey Karpov has found in a Chromium (+libraries) using a PVS-Studio static code analyzer. PVS-Studio is a tool for bug detection in the source code of programs, written in C, C++, and C#. https://www.viva64.com/en/pvs-studio/ ----------------------------------------------------------------- Chromium V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->text'. event_conversion.cc 435 V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer 'key_event->unmodified_text'. event_conversion.cc 436 #if defined(WIN32) typedef wchar_t WebUChar; #else typedef unsigned short WebUChar; #endif static const size_t kTextLengthCap = 4; class WebKeyboardEvent : public WebInputEvent { .... WebUChar text[kTextLengthCap]; WebUChar unmodified_text[kTextLengthCap]; .... }; WebKeyboardEvent* BuildCharEvent(const InputEventData& event) { WebKeyboardEvent* key_event = new WebKeyboardEvent(....); .... memset(key_event->text, 0, text_length_cap); memset(key_event->unmodified_text, 0, text_length_cap); .... } #info Confusion between the number of elements in the array and the size of the buffer in bytes. ----------------------------------------------------------------- Chromium V519 CWE-563 The '* a' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 1385, 1387. gles2_cmd_utils.cc 1387 V519 CWE-563 The '* a' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 1387, 1389. gles2_cmd_utils.cc 1389 void GLES2Util::GetColorFormatComponentSizes(...., int* a) { .... // Sized formats. switch (internal_format) { case GL_ALPHA8_EXT: *a = 8; case GL_ALPHA16F_EXT: *a = 16; case GL_ALPHA32F_EXT: *a = 32; case GL_RGB8_OES: case GL_SRGB8: case GL_RGB8_SNORM: case GL_RGB8UI: case GL_RGB8I: *r = 8; *g = 8; *b = 8; break; case GL_RGB565: .... } #info One forgot to write several break operators. 
----------------------------------------------------------------- Chromium V522 CWE-476 Dereferencing of the null pointer 'focus_controller_' might take place. display.cc 52 class Display : .... { .... std::unique_ptr focus_controller_; .... } Display::~Display() { .... if (!focus_controller_) { focus_controller_->RemoveObserver(this); focus_controller_.reset(); } .... } #info The condition is inverted: the body runs only when focus_controller_ is null, and then dereferences it. ----------------------------------------------------------------- Chromium V522 CWE-476 Dereferencing of the null pointer 'context' might take place. device_media_async_file_util.cc 322 void DeviceMediaAsyncFileUtil::CreateOrOpen( std::unique_ptr context, ....) { .... CreateSnapshotFile( std::move(context), url, base::Bind( &NativeMediaFileUtil::CreatedSnapshotFileForCreateOrOpen, base::RetainedRef(context->task_runner()), file_flags, callback)); } #info The order in which the arguments of the CreateSnapshotFile call are evaluated determines whether a null pointer is dereferenced. In C++ the evaluation order of function arguments is unspecified. If the std::move(context) argument is evaluated first, the unique_ptr is moved out of context, and context->task_runner() then dereferences a null pointer. #add V522 CWE-476 Dereferencing of the null pointer 'delegate' might take place. payment_request_web_contents_manager.cc 39 ----------------------------------------------------------------- Chromium V522 CWE-476 Dereferencing of the null pointer 'embedder_extension' might take place. Check the bitwise operation. app_view_guest.cc 186 void AppViewGuest::CreateWebContents(....) { .... if (!guest_extension || !guest_extension->is_platform_app() || !embedder_extension | !embedder_extension->is_platform_app()) { callback.Run(nullptr); return; } .... } #info A typo. Instead of || the developer accidentally wrote |. Because | does not short-circuit, the embedder_extension pointer is dereferenced regardless of whether it is null. 
----------------------------------------------------------------- Chromium V522 CWE-476 Dereferencing of the null pointer 'network_list' might take place. networking_private_service_client.cc 351 std::unique_ptr NetworkingPrivateServiceClient::GetEnabledNetworkTypes() { std::unique_ptr network_list; network_list->AppendString(::onc::network_type::kWiFi); return network_list; } #info A default-constructed std::unique_ptr holds a null pointer. Because network_list is never assigned an object before AppendString is called on it, a null pointer is dereferenced. ----------------------------------------------------------------- Chromium V530 CWE-252 The return value of function 'remove_if' is required to be utilized. pdf_to_emf_converter.cc 44 void OnConvertedClientDisconnected() { // We have no direct way of tracking which // PdfToEmfConverterClientPtr got disconnected as it is a // movable type, short of using a wrapper. // Just traverse the list of clients and remove the ones // that are not bound. std::remove_if( g_converter_clients.Get().begin(), g_converter_clients.Get().end(), [](const mojom::PdfToEmfConverterClientPtr& client) { return !client.is_bound(); }); } #info The std::remove_if algorithm erases nothing: it only shifts the elements to keep to the front of the range and returns an iterator to the new logical end. That iterator is discarded here, so the container keeps its size and the unbound clients remain in the list. Most likely, the code was supposed to be as follows: auto trash = std::remove_if(........); g_converter_clients.Get().erase(trash, g_converter_clients.Get().end()); ----------------------------------------------------------------- Chromium V561 CWE-563 It's probably better to assign value to 'signin_scoped_device_id' variable than to declare it anew. Previous declaration: profile_sync_service.cc, line 900. profile_sync_service.cc 906 void ProfileSyncService::OnEngineInitialized(....) { .... 
std::string signin_scoped_device_id; if (IsLocalSyncEnabled()) { signin_scoped_device_id = "local_device"; } else { SigninClient* signin_client = ....; DCHECK(signin_client); std::string signin_scoped_device_id = // <= signin_client->GetSigninScopedDeviceId(); } .... } #info The inner declaration creates a new local that shadows the outer signin_scoped_device_id, so the outer variable stays empty in the else branch. The existing variable should be assigned instead of declaring a new one. ----------------------------------------------------------------- Chromium V595 CWE-476 The 'reason' pointer was utilized before it was verified against nullptr. Check lines: 167, 174. win_util.cc 167 bool IsKeyboardPresentOnSlate(std::string* reason, HWND hwnd) { bool result = false; if (GetVersion() < VERSION_WIN8) { *reason = "Detection not supported"; return false; } // This function is only supported for Windows 8 and up. if (CommandLine::ForCurrentProcess()->HasSwitch( switches::kDisableUsbKeyboardDetect)) { if (reason) *reason = "Detection disabled"; return false; } .... } #info The reason pointer is checked for null in the second branch but not in the first, where it is dereferenced unconditionally. ----------------------------------------------------------------- Chromium V595 CWE-476 The 'val' pointer was utilized before it was verified against nullptr. Check lines: 124, 126. paint_op_reader.cc 124 template void PaintOpReader::ReadFlattenable(sk_sp* val) { // .... // Here the argument val is not used and is not checked. // .... val->reset(static_cast(SkValidatingDeserializeFlattenable( const_cast(memory_), bytes, T::GetFlattenableType()))); if (!val) SetInvalid(); .... } #info The val pointer is dereferenced by val->reset(...) before it is checked for null, so the check comes too late to help. ----------------------------------------------------------------- Chromium V595 CWE-476 The 'factory' pointer was utilized before it was verified against nullptr. Check lines: 122, 124. 
http_auth_handler_factory.cc 122 void HttpAuthHandlerRegistryFactory::RegisterSchemeFactory( const std::string& scheme, HttpAuthHandlerFactory* factory) { factory->set_http_auth_preferences(http_auth_preferences()); std::string lower_scheme = base::ToLowerASCII(scheme); if (factory) factory_map_[lower_scheme] = base::WrapUnique(factory); else factory_map_.erase(lower_scheme); } #info A factory pointer is dereferenced before checking for nullptr equality. ----------------------------------------------------------------- Chromium V595 CWE-476 The 'inline_style' pointer was utilized before it was verified against nullptr. Check lines: 142, 143. css_agent.cc 142 Response CSSAgent::getMatchedStylesForNode(int node_id, Maybe* inline_style) { UIElement* ui_element = dom_agent_->GetElementFromNodeId(node_id); *inline_style = GetStylesForUIElement(ui_element); if (!inline_style) return NodeNotFoundError(node_id); return Response::OK(); } #info An inline_style pointer gets dereferenced before checking for nullptr equality. I find it rather difficult to say how to fix a bug here, because I’m not familiar with the code. There are two options: 1) A check of the pointer should be placed before its dereferencing: if (!inline_style) return NodeNotFoundError(node_id); *inline_style = GetStylesForUIElement(ui_element); 2) A check is written incorrectly and it should be as follows: *inline_style = GetStylesForUIElement(ui_element); if (!*inline_style) ----------------------------------------------------------------- Chromium V708 CWE-758 Dangerous construction is used: 'm[x] = m.size()', where 'm' is of 'unordered_map' class. This may lead to undefined behavior. trace_log.cc 1343 std::unordered_map thread_colors_; std::string TraceLog::EventToConsoleMessage(....) { .... thread_colors_[thread_name] = (thread_colors_.size() % 6) + 1; .... } #info In case if the set thread_colors_ already contains the item associated with thread_name, there will be no problems. 
However, if the key is absent, the program may behave in two different ways depending on the compiler version, operating system and so on, because the evaluation order of the assignment's operands is unspecified (before C++17; since C++17 the right operand is sequenced before the left, so size() is read before operator[] inserts the new element). ----------------------------------------------------------------- Chromium V519 CWE-563 The 'delete_result' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 381, 383. install_util.cc 383 InstallUtil::ConditionalDeleteResult InstallUtil::DeleteRegistryValueIf(....) { .... ConditionalDeleteResult delete_result = NOT_FOUND; .... if (....) { LONG result = key.DeleteValue(value_name); if (result != ERROR_SUCCESS) { .... delete_result = DELETE_FAILED; } delete_result = DELETED; } return delete_result; } #info Most likely an else branch is needed here, since otherwise delete_result is unconditionally overwritten with DELETED even when the deletion failed: if (result != ERROR_SUCCESS) { .... delete_result = DELETE_FAILED; } else { delete_result = DELETED; } ----------------------------------------------------------------- Chromium V519 CWE-563 The 'primary_id' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 106, 109. video_color_space.cc 109 gfx::ColorSpace VideoColorSpace::ToGfxColorSpace() const { .... switch (primaries) { .... case PrimaryID::SMPTEST431_2: primary_id = gfx::ColorSpace::PrimaryID::SMPTEST431_2; break; case PrimaryID::SMPTEST432_1: primary_id = gfx::ColorSpace::PrimaryID::SMPTEST432_1; case PrimaryID::EBU_3213_E: primary_id = gfx::ColorSpace::PrimaryID::INVALID; break; } .... } #info The break statement after the SMPTEST432_1 case is missing, so control falls through and primary_id is overwritten with INVALID. ----------------------------------------------------------------- Chromium V519 The 'group' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 145, 147. autofill_metrics.cc 147 int GetFieldTypeGroupMetric(....) { .... switch (AutofillType(field_type).group()) { .... 
case ADDRESS_HOME_LINE3: group = GROUP_ADDRESS_LINE_3; break; case ADDRESS_HOME_STREET_ADDRESS: group = GROUP_STREET_ADDRESS; case ADDRESS_HOME_CITY: group = GROUP_ADDRESS_CITY; break; case ADDRESS_HOME_STATE: group = GROUP_ADDRESS_STATE; break; .... } #info A developer forgot to write the break operator. ----------------------------------------------------------------- Chromium V519 CWE-563 The '* offset' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 3543, 3544. ax_platform_node_win.cc 3544 void AXPlatformNodeWin::HandleSpecialTextOffset(LONG* offset) { if (*offset == IA2_TEXT_OFFSET_LENGTH) { *offset = static_cast(GetText().length()); } else if (*offset == IA2_TEXT_OFFSET_CARET) { int selection_start, selection_end; GetSelectionOffsets(&selection_start, &selection_end); if (selection_end < 0) *offset = 0; *offset = static_cast(selection_end); } } #info Negative values protection is implemented improperly. Here is the correct version of code: if (selection_end < 0) selection_end = 0; *offset = static_cast(selection_end); ----------------------------------------------------------------- V8 V547 CWE-570 Expression 'truncated' is always false. objects.cc 2867 void String::StringShortPrint(StringStream* accumulator, bool show_details) { int len = length(); if (len > kMaxShortPrintLength) { accumulator->Add("", len); return; } if (!LooksValid()) { accumulator->Add(""); return; } StringCharacterStream stream(this); bool truncated = false; if (len > kMaxShortPrintLength) { len = kMaxShortPrintLength; truncated = true; } bool one_byte = true; for (int i = 0; i < len; i++) { uint16_t c = stream.GetNext(); if (c < 32 || c >= 127) { one_byte = false; } } stream.Reset(this); if (one_byte) { if (show_details) accumulator->Add("Put(static_cast(stream.GetNext())); } if (show_details) accumulator->Put('>'); } else { // Backslash indicates that the string contains control // characters and that backslashes are therefore escaped. 
if (show_details) accumulator->Add("Add("\\n"); } else if (c == '\r') { accumulator->Add("\\r"); } else if (c == '\\') { accumulator->Add("\\\\"); } else if (c < 32 || c > 126) { accumulator->Add("\\x%02x", c); } else { accumulator->Put(static_cast(c)); } } if (truncated) { // <= accumulator->Put('.'); accumulator->Put('.'); accumulator->Put('.'); } if (show_details) accumulator->Put('>'); } return; } #info PVS-Studio analyzer issued A LOT of V547 warnings. I looked through only a 10th part of them just superficially. It's not that I'm lazy, but it is very difficult to understand, if I found a bug or not, being unfamiliar with the code. For example, having studied the function, try to understand, if the analyzer is right, issuing that the if (truncated) condition is always false. Tried? It’s not that easy, isn’t it? Let's cut the function, leaving the main point: void F() { int len = length(); if (len > kMaxShortPrintLength) return; bool truncated = false; if (len > kMaxShortPrintLength) truncated = true; if (truncated) { // <= accumulator->Put('.'); accumulator->Put('.'); accumulator->Put('.'); } } The truncated flag has to be equal to true, if the text is too long, i.e. if the condition if (len > kMaxShortPrintLength) is executed. However, if the text is too long, then a function exit occurs above. This is the reason why truncated is always false and three points will not be added in the end. Here I don’t know the correct solution. Either indeed, you need to immediately leave the functions, then the code which adds the points turns out to be redundant. Or the points are needed and the first check which prematurely terminates the function, should be removed. So, you see that it’s all not easy and is difficult to figure it all out. This is why I couldn’t find enough time to study all the V547 warnings. It is too tiresome. However, I hope the Chromium authors will be able to do that. 
----------------------------------------------------------------- Chromium V547 CWE-570 Expression 'current_format_match < best_format_match' is always false. fake_video_capture_device.cc 75 enum class PixelFormatMatchType : int { INCOMPATIBLE = 0, SUPPORTED_THROUGH_CONVERSION = 1, EXACT = 2 }; PixelFormatMatchType DetermineFormatMatchType( VideoPixelFormat supported_format, VideoPixelFormat requested_format) { if (requested_format == PIXEL_FORMAT_I420 && supported_format == PIXEL_FORMAT_MJPEG) { return PixelFormatMatchType::SUPPORTED_THROUGH_CONVERSION; } return (requested_format == supported_format) ? PixelFormatMatchType::EXACT : PixelFormatMatchType::INCOMPATIBLE; } const VideoCaptureFormat& FindClosestSupportedFormat(....) { .... PixelFormatMatchType best_format_match = PixelFormatMatchType::INCOMPATIBLE; .... for (....) { const auto& supported_format = supported_formats[i]; PixelFormatMatchType current_format_match = DetermineFormatMatchType(supported_format.pixel_format, requested_format.pixel_format); if (current_format_match < best_format_match) { // <= continue; } .... } #info Another example of the V547 triggering, when it is difficult to understand, if there is an error or not if you are not familiar with the code. Here is either an extra check or the condition must be different. ----------------------------------------------------------------- Chromium V547 CWE-571 Expression 'bytes_read > 0' is always true. resource_prefetcher.cc 308 void ResourcePrefetcher::OnReadCompleted( net::URLRequest* request, int bytes_read) { DCHECK_NE(net::ERR_IO_PENDING, bytes_read); if (bytes_read <= 0) { FinishRequest(request); return; } if (bytes_read > 0) ReadFullResponse(request); } #info And a lot of reasonable, but pointless V547 warnings which are senseless to write about. Here is an example of such a warning. The analyzer is absolutely right, but I was absolutely not interested to write out such cases. 
----------------------------------------------------------------- V8 V547 CWE-570 Expression 'inf == - 1' is always false. string-stream.cc 149 void StringStream::Add(....) { .... case 'f': case 'g': case 'G': case 'e': case 'E': { double value = current.data_.u_double_; int inf = std::isinf(value); if (inf == -1) { Add("-inf"); } else if (inf == 1) { Add("inf"); } else if (std::isnan(value)) { Add("nan"); } else { EmbeddedVector formatted; SNPrintF(formatted, temp.start(), value); Add(formatted.start()); } break; } .... } #info Description of the std::isinf function: http://en.cppreference.com/w/cpp/numeric/math/isinf As you can see, std::isinf returns bool, so inf can only be 0 or 1 and never -1. The function is clearly used incorrectly: the "-inf" branch is unreachable, and a negative infinity is printed as "inf". ----------------------------------------------------------------- Chromium V560 CWE-570 A part of conditional expression is always false: bad_message. declarative_rule.h 472 template std::unique_ptr> DeclarativeRule::Create(....) { .... bool bad_message = false; // <= std::unique_ptr actions = ActionSet::Create( browser_context, extension, rule->actions, error, &bad_message); // <= if (bad_message) { // <= *error = "An action of a rule set had an invalid " "structure that should have been caught " "by the JSON validator."; return std::move(error_result); } if (!error->empty() || bad_message) // <= return std::move(error_result); .... } #info There are as many V560 warnings as V547 ones, and studying them is just as tedious and time-consuming. This doesn't mean the V560 warnings are bad, but real serious errors among them are quite rare; more often they are just redundant checks. Therefore I decided not to review all of these warnings myself: developers familiar with the code will do this much better and faster. As an example, here is a case with no real error, just a redundant check. 
A condition: if (!error->empty() || bad_message) can be simplified to: if (!error->empty()) Another option is to rewrite the code as follows: if (bad_message) { *error = "An action of a rule set had an invalid " "structure that should have been caught " "by the JSON validator."; } if (!error->empty() || bad_message) return std::move(error_result); ----------------------------------------------------------------- Chromium V649 CWE-561 There are two 'if' statements with identical conditional expressions. The first 'if' statement contains function return. This means that the second 'if' statement is senseless. Check lines: 67, 71. tsf_input_scope.cc 71 STDMETHOD(GetInputScopes)(InputScope** input_scopes, UINT* count) override { if (!count || !input_scopes) return E_INVALIDARG; *input_scopes = static_cast(CoTaskMemAlloc( sizeof(InputScope) * input_scopes_.size())); if (!input_scopes) { *count = 0; return E_OUTOFMEMORY; } .... } #info Most likely, a developer forgot to dereference a pointer and the code should actually look like this: *input_scopes = static_cast(CoTaskMemAlloc( sizeof(InputScope) * input_scopes_.size())); if (!*input_scopes) { *count = 0; return E_OUTOFMEMORY; } ----------------------------------------------------------------- V8 V769 CWE-119 The 'copy' pointer in the 'copy + prefix_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 394, 393. code-assembler.cc 394 void CodeAssembler::Comment(const char* format, ...) { .... const int prefix_len = 2; int length = builder.position() + 1; char* copy = reinterpret_cast(malloc(length + prefix_len)); MemCopy(copy + prefix_len, builder.Finalize(), length); copy[0] = ';'; copy[1] = ' '; raw_assembler()->Comment(copy); } #info There is no protection if the malloc function returns a null pointer. 
----------------------------------------------------------------- Chromium V794 The copy operator should be protected from the case of 'this == &other'. vector_buffer.h 59 VectorBuffer& operator=(VectorBuffer&& other) { free(buffer_); buffer_ = other.buffer_; capacity_ = other.capacity_; other.buffer_ = nullptr; other.capacity_ = 0; return *this; } #info There is no self-assignment guard: if other is the same object as *this, free(buffer_) releases the buffer, and the subsequent assignments then reset buffer_ to nullptr and capacity_ to 0, so the object loses its contents. #add V794 The copy operator should be protected from the case of 'this == &other'. gurl.cc 138 V794 The copy operator should be protected from the case of 'this == &other'. spdy_protocol.h 890 V794 The copy operator should be protected from the case of 'this == &other'. crypto_handshake_message.cc 41 V794 The copy operator should be protected from the case of 'this == &request'. ui_resource_request.cc 27 V794 The copy operator should be protected from the case of 'this == &other'. transform_operations.cc 36 V794 The copy operator should be protected from the case of 'this == &other'. payment_details_modifier.cc 31 V794 The copy operator should be protected from the case of 'this == &other'. payment_details.cc 35 V794 The copy operator should be protected from the case of 'this == &rhs'. devtools_toggle_action.cc 28 V794 The copy operator should be protected from the case of 'this == &other'. native_web_keyboard_event_aura.cc 150 ----------------------------------------------------------------- Chromium V796 CWE-484 It is possible that 'break' statement is missing in switch statement. command_buffer_metrics.cc 125 void RecordContextLost(ContextType type, CommandBufferContextLostReason reason) { switch (type) { .... 
case MEDIA_CONTEXT: UMA_HISTOGRAM_ENUMERATION("GPU.ContextLost.Media", reason, CONTEXT_LOST_REASON_MAX_ENUM); break; case MUS_CLIENT_CONTEXT: UMA_HISTOGRAM_ENUMERATION("GPU.ContextLost.MusClient", reason, CONTEXT_LOST_REASON_MAX_ENUM); break; case UI_COMPOSITOR_CONTEXT: UMA_HISTOGRAM_ENUMERATION("GPU.ContextLost.UICompositor", reason, CONTEXT_LOST_REASON_MAX_ENUM); case CONTEXT_TYPE_UNKNOWN: UMA_HISTOGRAM_ENUMERATION("GPU.ContextLost.Unknown", reason, CONTEXT_LOST_REASON_MAX_ENUM); break; } } #info The break operator is omitted. ----------------------------------------------------------------- Chromium V796 CWE-484 It is possible that 'break' statement is missing in switch statement. system_input_injector_mus.cc 78 void SystemInputInjectorMus::InjectMouseButton( ui::EventFlags button, bool down) { .... int modifier = ui::MODIFIER_NONE; switch (button) { case ui::EF_LEFT_MOUSE_BUTTON: modifier = ui::MODIFIER_LEFT_MOUSE_BUTTON; break; case ui::EF_RIGHT_MOUSE_BUTTON: modifier = ui::MODIFIER_RIGHT_MOUSE_BUTTON; break; case ui::EF_MIDDLE_MOUSE_BUTTON: modifier = ui::MODIFIER_MIDDLE_MOUSE_BUTTON; default: LOG(WARNING) << "Invalid flag: " << button << " for the button parameter"; return; } .... } #info The break operator is omitted. ----------------------------------------------------------------- Chromium V691 Empirical analysis. It is possible that a typo is present inside the string literal: "LocalizedName". The 'Localized' word is suspicious. onc_constants.cc 162 namespace cellular_apn { const char kAccessPointName[] = "AccessPointName"; const char kName[] = "Name"; const char kUsername[] = "Username"; const char kPassword[] = "Password"; const char kLocalizedName[] = "LocalizedName"; const char kLanguage[] = "LocalizedName"; } #info Perhaps there is no error, but the fragment should be reviewed by developers. 
I suspect that this should be written here: const char kLanguage[] = "Language"; ----------------------------------------------------------------- Chromium V763 Parameter 'index' is always rewritten in function body before being used. tab_strip_model_experimental.cc 314 void TabStripModelExperimental::InsertWebContentsAt( int index, content::WebContents* contents, int add_types) { .... // the index argument is not used index = tab_view_count_ - 1; .... } #info The value passed in the index argument is not used. ----------------------------------------------------------------- Chromium V773 CWE-401 The function was exited without releasing the 'n' pointer. A memory leak is possible. android_rsa.cc 248 uint32_t* BnNew() { uint32_t* result = new uint32_t[kBigIntSize]; memset(result, 0, kBigIntSize * sizeof(uint32_t)); return result; } std::string AndroidRSAPublicKey(crypto::RSAPrivateKey* key) { .... uint32_t* n = BnNew(); .... RSAPublicKey pkey; pkey.len = kRSANumWords; pkey.exponent = 65537; // Fixed public exponent pkey.n0inv = 0 - ModInverse(n0, 0x100000000LL); if (pkey.n0inv == 0) return kDummyRSAPublicKey; .... } #info If pkey.n0inv == 0, a memory leak will occur. ----------------------------------------------------------------- Chromium V522 CWE-690 There might be dereferencing of a potential null pointer 'device_interface_detail_data'. Check lines: 103, 102. hid_service_win.cc 103 void HidServiceWin::EnumerateBlocking(....) { .... std::unique_ptr device_interface_detail_data( static_cast( malloc(required_size))); device_interface_detail_data->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA); .... } #info There is no protection if the malloc function returns a null pointer. ----------------------------------------------------------------- Chromium V522 CWE-690 There might be dereferencing of a potential null pointer 'file_'. Check lines: 716, 715. visitedlink_master.cc 716 void VisitedLinkMaster::OnTableLoadComplete(....) { .... 
file_ = static_cast(malloc(sizeof(*file_))); *file_ = load_from_file_result->file.release(); .... } #info There is no protection if the malloc function returns a null pointer. ----------------------------------------------------------------- Chromium V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. dns_config_service_win.cc 134 std::unique_ptr ReadIpHelper(ULONG flags) { .... std::unique_ptr out; .... out.reset(static_cast(malloc(len))); memset(out.get(), 0, len); .... } #info There is no protection if the malloc function returns a null pointer. #add V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 129, 127. nacl_validation_query.cc 129 ----------------------------------------------------------------- Chromium V668 CWE-570 There is no sense in testing the 'buffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. harfbuzz_font_skia.cc 229 hb_blob_t* GetFontTable(hb_face_t* face, hb_tag_t tag, void* user_data) { .... std::unique_ptr buffer(new char[table_size]); if (!buffer) return 0; .... } #info A pointless check. The new operator throws a std::bad_alloc exception if the memory cannot be allocated, so the pointer is never null here. ----------------------------------------------------------------- Chromium V668 CWE-570 There is no sense in testing the 'zlib_stream_' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. gzip_source_stream.cc 60 bool GzipSourceStream::Init() { zlib_stream_.reset(new z_stream); if (!zlib_stream_) return false; memset(zlib_stream_.get(), 0, sizeof(z_stream)); .... } #info A pointless check. The new operator throws a std::bad_alloc exception if the memory cannot be allocated, so the pointer is never null here. 
----------------------------------------------------------------- Chromium Well, that's an obviously redundant check. V668 CWE-570 There is no sense in testing the 'blocks_' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. quic_stream_sequencer_buffer.cc 279 bool QuicStreamSequencerBuffer::CopyStreamData(....) { .... if (blocks_ == nullptr) { blocks_.reset(new BufferBlock*[blocks_count_]()); // <= for (size_t i = 0; i < blocks_count_; ++i) { blocks_[i] = nullptr; // <= } } if (write_block_num >= blocks_count_) { *error_details = QuicStrCat( "QuicStreamSequencerBuffer error: OnStreamData() " "exceed array bounds." "write offset = ", offset, " write_block_num = ", write_block_num, " blocks_count_ = ", blocks_count_); return false; } if (blocks_ == nullptr) { // <= *error_details = "QuicStreamSequencerBuffer error: " "OnStreamData() blocks_ is null"; return false; } .... } #info A pointless check. The new operator throws a std::bad_alloc exception if the memory cannot be allocated. The check looks even more out of place given that the pointer has already been dereferenced before it, in the loop that writes blocks_[i] = nullptr; #add V668 CWE-570 There is no sense in testing the 'translate_thread_' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. pnacl_coordinator.cc 207 V668 CWE-570 There is no sense in testing the 'image_shms' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. pepper_compositor_host.cc 367 ----------------------------------------------------------------- V8 V501 There are identical sub-expressions 'StandardFrameConstants::kCallerPCOffset' to the left and to the right of the '-' operator. 
linkage.h 66 static LinkageLocation ForSavedCallerReturnAddress() { return ForCalleeFrameSlot( (StandardFrameConstants::kCallerPCOffset - StandardFrameConstants::kCallerPCOffset) / kPointerSize, MachineType::Pointer()); } #info Apparently this is a typo. It makes no sense to subtract a constant from itself: the difference is always 0, so the slot index passed to ForCalleeFrameSlot is always 0 regardless of kPointerSize. ----------------------------------------------------------------- V8 V522 CWE-628 Dereferencing of the null pointer 'object' might take place. The null pointer is passed into 'IsHandler' function. Inspect the first argument. Check lines: 'ic-inl.h:44', 'stub-cache.cc:19'. ic-inl.h 44 V713 CWE-476 The pointer object was utilized in the logical expression before it was verified against nullptr in the same logical expression. ic-inl.h 44 bool Object::IsSmi() const { return HAS_SMI_TAG(this); } bool IC::IsHandler(Object* object) { return (object->IsSmi() && (object != nullptr)) || object->IsDataHandler() || object->IsWeakCell() || object->IsCode(); } #info The object pointer is dereferenced by object->IsSmi() first and only then compared against nullptr. The expression does look suspicious. ----------------------------------------------------------------- V8 V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 327 V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 328 V575 CWE-628 The 'memset' function processes value '195936478'. Inspect the second argument. api.cc 329 void i::V8::FatalProcessOutOfMemory(const char* location, bool is_heap_oom) { .... memset(last_few_messages, 0x0BADC0DE, Heap::kTraceRingBufferSize + 1); memset(js_stacktrace, 0x0BADC0DE, Heap::kStacktraceBufferSize + 1); memset(&heap_stats, 0xBADC0DE, sizeof(heap_stats)); .... } #info memset converts its second argument to unsigned char, so the memory is not filled with the 0xBADC0DE pattern but with the single byte value 0xDE. 
----------------------------------------------------------------- V8 V583 CWE-783 The '?:' operator, regardless of its conditional expression, always returns one and the same value: "". objects.cc 2993 void JSObject::JSObjectShortPrint(StringStream* accumulator) { .... accumulator->Add(global_object ? "" : ""); .... } #info Most likely, there's some sort of a typo. ----------------------------------------------------------------- PDFium V501 CWE-570 There are identical sub-expressions 'that.BeginPos > EndPos' to the left and to the right of the '||' operator. cpvt_wordrange.h 46 V501 CWE-570 There are identical sub-expressions 'that.EndPos < BeginPos' to the left and to the right of the '||' operator. cpvt_wordrange.h 46 CPVT_WordRange Intersect(const CPVT_WordRange& that) const { if (that.EndPos < BeginPos || that.BeginPos > EndPos || EndPos < that.BeginPos || BeginPos > that.EndPos) { return CPVT_WordRange(); } return CPVT_WordRange(std::max(BeginPos, that.BeginPos), std::min(EndPos, that.EndPos)); } #info The condition is spelled wrong. Let’s reduce the condition so that it was easier to notice an error: if (E2 < B1 || B2 > E1 || E1 < B2 || B1 > E2) Note, that (E2 < B1) and (B1 > E2) are the same things. Similarly, (B2 > E1) is the same thing as (E1 < B2). ----------------------------------------------------------------- PDFium V501 CWE-571 There are identical sub-expressions 'FXSYS_iswalpha(* iter)' to the left and to the right of the '&&' operator. cpdf_textpage.cpp 1218 inline bool FXSYS_iswalpha(wchar_t wch) { return FXSYS_isupper(wch) || FXSYS_islower(wch); } bool CPDF_TextPage::IsHyphen(wchar_t curChar) const { WideStringView curText = m_TempTextBuf.AsStringView(); .... auto iter = curText.rbegin(); .... if ((iter + 1) != curText.rend()) { iter++; if (FXSYS_iswalpha(*iter) && FXSYS_iswalpha(*iter)) // <= return true; } .... } #info There is an error in a condition, as it’s pointless to check one and the same character twice. 
----------------------------------------------------------------- protocol-buffers V501 CWE-570 There are identical sub-expressions to the left and to the right of the '||' operator. utility.cc 351 bool IsMap(const google::protobuf::Field& field, const google::protobuf::Type& type) { return field.cardinality() == google::protobuf::Field_Cardinality_CARDINALITY_REPEATED && (GetBoolOptionOrDefault(type.options(), "map_entry", false) || GetBoolOptionOrDefault(type.options(), "google.protobuf.MessageOptions.map_entry", false) || // <= GetBoolOptionOrDefault(type.options(), "google.protobuf.MessageOptions.map_entry", false)); // <= } #info Sub-expressions are repeated. Most likely, there's some sort of a typo. #add V501 CWE-570 There are identical sub-expressions to the left and to the right of the '||' operator. utility.cc 360 ----------------------------------------------------------------- SwiftShader V501 CWE-570 There are identical sub-expressions '!negY->hasDirtyContents()' to the left and to the right of the '||' operator. texture.cpp 1268 void TextureCubeMap::updateBorders(int level) { egl::Image *posX = image[CubeFaceIndex(..._POSITIVE_X)][level]; egl::Image *negX = image[CubeFaceIndex(..._NEGATIVE_X)][level]; egl::Image *posY = image[CubeFaceIndex(..._POSITIVE_Y)][level]; egl::Image *negY = image[CubeFaceIndex(..._NEGATIVE_Y)][level]; egl::Image *posZ = image[CubeFaceIndex(..._POSITIVE_Z)][level]; egl::Image *negZ = image[CubeFaceIndex(..._NEGATIVE_Z)][level]; .... if(!posX->hasDirtyContents() || !posY->hasDirtyContents() || !posZ->hasDirtyContents() || !negX->hasDirtyContents() || !negY->hasDirtyContents() || // <= !negY->hasDirtyContents()) // <= { return; } .... } #info At the very end of the condition, a pointer negZ should have been used instead of a pointer negY. 
----------------------------------------------------------------- WebKit V501 CWE-571 There are identical sub-expressions 'inherited_rotation.IsNone()' to the left and to the right of the '==' operator. cssrotateinterpolationtype.cpp 166 bool IsValid(....) const final { OptionalRotation inherited_rotation = GetRotation(*state.ParentStyle()); if (inherited_rotation_.IsNone() || inherited_rotation.IsNone()) return inherited_rotation.IsNone() == inherited_rotation.IsNone(); .... } #info A typo. One underscore _ was missed. It should be as follows: return inherited_rotation_.IsNone() == inherited_rotation.IsNone(); ----------------------------------------------------------------- libusb V510 CWE-686 The '_snprintf' function is not expected to receive class-type variable as fourth actual argument. format.h 97 void usbi_log(struct libusb_context *ctx, enum libusb_log_level level, const char *function, const char *format, ...); #define _usbi_log(ctx, level, ...) \ usbi_log(ctx, level, __FUNCTION__, __VA_ARGS__) #define usbi_err(ctx, ...) \ _usbi_log(ctx, LIBUSB_LOG_LEVEL_ERROR, __VA_ARGS__) struct pollfd { int fd; /* file descriptor */ short events; /* requested events */ short revents; /* returned events */ }; static int windows_handle_events(...., struct pollfd *fds, ....) { .... usbi_err(ctx, "could not find a matching transfer for fd %x", fds[i]); .... } #info A %X specifier in the format string shows the intention to print an integer value. However, the entire structure is passed to the function. Most likely, the code here is supposed to be as follows: usbi_err(ctx, "...... transfer for fd %x", fds[i].fd); ----------------------------------------------------------------- protocol-buffers V519 CWE-563 The variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 149, 150. java_primitive_field_lite.cc 150 void SetPrimitiveVariables(....., std::map* variables) { .... 
(*variables)["set_has_field_bit_message"] = ""; (*variables)["set_has_field_bit_message"] = ""; (*variables)["clear_has_field_bit_message"] = ""; .... } #info The same key is used twice. Most likely, there's some sort of a typo and a key with a different name must be used. ----------------------------------------------------------------- WebRTC V519 CWE-563 The 'state[state_length - x_length + i]' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 83, 84. filter_ar.c 84 size_t WebRtcSpl_FilterAR(....) { .... for (i = 0; i < state_length - x_length; i++) { state[i] = state[i + x_length]; state_low[i] = state_low[i + x_length]; } for (i = 0; i < x_length; i++) { state[state_length - x_length + i] = filtered[i]; state[state_length - x_length + i] = filtered_low[i]; // <= } .... } #info Copy-paste consequences. A line was copied: state[state_length - x_length + i] = filtered[i]; filtered was changed to filtered_low, but the developers forgot to change state to state_low. As a result, the second assignment overwrites the tail of state with filtered_low, and the last x_length elements of state_low are never written and remain uninitialized. ----------------------------------------------------------------- WTF (WebKit) V523 CWE-691 The 'then' statement is equivalent to the 'else' statement. wtfstring.cpp 227 void String::insert(const StringView& string, unsigned position) { .... if (position >= length()) { if (string.Is8Bit()) append(string); else append(string); return; } .... } #info Regardless of the condition, one and the same action is executed. Most likely, there's some sort of a typo. ----------------------------------------------------------------- PDFium V523 CWE-691 The 'then' statement is equivalent to the 'else' statement. cpwl_edit_impl.cpp 1580 bool CPWL_EditImpl::Backspace(bool bAddUndo, bool bPaint) { .... 
if (m_wpCaret.nSecIndex != m_wpOldCaret.nSecIndex) { AddEditUndoItem(pdfium::MakeUnique( this, m_wpOldCaret, m_wpCaret, word.Word, word.nCharset)); } else { AddEditUndoItem(pdfium::MakeUnique( this, m_wpOldCaret, m_wpCaret, word.Word, word.nCharset)); } .... } #info Regardless of a condition, one and the same action is executed. Most likely, there's some sort of a typo. #add V523 CWE-691 The 'then' statement is equivalent to the 'else' statement. cpwl_edit_impl.cpp 1616 V523 CWE-691 The 'then' statement is equivalent to the 'else' statement. cpdf_formfield.cpp 172 V523 CWE-691 The 'then' statement is equivalent to the 'else' statement. cjs_field.cpp 2323 ----------------------------------------------------------------- protocol-buffers V547 CWE-571 Expression is always true. time.cc 83 V547 CWE-571 Expression 'time.month <= kDaysInMonth[time.month]' is always true. time.cc 85 static const int kDaysInMonth[13] = { 0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; bool ValidateDateTime(const DateTime& time) { if (time.year < 1 || time.year > 9999 || time.month < 1 || time.month > 12 || time.day < 1 || time.day > 31 || time.hour < 0 || time.hour > 23 || time.minute < 0 || time.minute > 59 || time.second < 0 || time.second > 59) { return false; } if (time.month == 2 && IsLeapYear(time.year)) { return time.month <= kDaysInMonth[time.month] + 1; } else { return time.month <= kDaysInMonth[time.month]; } } #info A nice typo due to which such dates as 31st of February and 31st of November will be considered as correct. An array kDaysInMonth contains a number of days in months. If it’s a leap year and February is being checked, then 1 is added to the number of days in a month. The error here is that a month is compared with the maximum number of days in the month, but not the day. Sure, the number of any month is always less than the number of days a month. Thus, the correctness of the day is not checked. Well, there is a check that number of days is in the range [1 .. 
31], but it is not checked, whether this particular day exists in the month or not. Correct code: if (time.month == 2 && IsLeapYear(time.year)) { return time.day <= kDaysInMonth[time.month] + 1; } else { return time.day <= kDaysInMonth[time.month]; } ----------------------------------------------------------------- Skia V549 CWE-688 The first argument of 'memcmp' function is equal to the second argument. skpdfcanon.h 67 inline bool operator==(const SkPDFCanon::BitmapGlyphKey& u, const SkPDFCanon::BitmapGlyphKey& v) { return memcmp(&u, &u, sizeof(SkPDFCanon::BitmapGlyphKey)) == 0; } #info A typo due to which a u object is compared with itself. ----------------------------------------------------------------- Skia V554 CWE-762 Incorrect use of unique_ptr. The memory allocated with 'new []' will be cleaned using 'delete'. grglprogrambuilder.cpp 272 GrGLProgram* GrGLProgramBuilder::finalize() { .... std::unique_ptr binary(new char[length]); .... } #info Memory is allocated using the new [] operator, and is freed using the delete operator. ----------------------------------------------------------------- Skia V554 CWE-762 Incorrect use of unique_ptr. The memory allocated with 'malloc' will be cleaned using 'delete'. grglprogrambuilder.cpp 275 GrGLProgram* GrGLProgramBuilder::finalize() { .... std::unique_ptr data((uint8_t*) malloc(dataLength)); .... } #info Memory is allocated using the malloc function, and is freed using the delete operator. ----------------------------------------------------------------- Angle V595 CWE-476 The 'program' pointer was utilized before it was verified against nullptr. Check lines: 272, 276. vertexarray11.cpp 272 gl::Error VertexArray11::updateDirtyAndDynamicAttribs(....) { .... const gl::Program *program = glState.getProgram(); const auto &activeLocations = program->getActiveAttribLocationsMask(); // <= .... mAppliedNumViewsToDivisor = (program != nullptr && program->usesMultiview()) ? // <= program->getNumViews() : 1; .... 
} #info The program pointer can be equal to nullptr, as evidenced by the check program != nullptr. Besides, the pointer is dereferenced earlier, before that check. ----------------------------------------------------------------- ICU V595 CWE-476 The 'fData' pointer was utilized before it was verified against nullptr. Check lines: 967, 976. rbbi.cpp 967 int32_t RuleBasedBreakIterator::handlePrevious( int32_t fromPosition) { .... const RBBIStateTable *stateTable = fData->fSafeRevTable; .... if (fText == NULL || fData == NULL || UTEXT_GETNATIVEINDEX(fText)==0) { return BreakIterator::DONE; } .... } #info The fData pointer can be equal to NULL, as evidenced by the check fData == NULL. Besides, the pointer is dereferenced earlier, before that check. ----------------------------------------------------------------- libwebp V595 CWE-476 The 'curr_canvas' pointer was utilized before it was verified against nullptr. Check lines: 599, 603. anim_encode.c 599 int WebPAnimEncoderRefineRect( ...., const WebPPicture* const curr_canvas, ....) { FrameRectangle rect; const int right = clip(*x_offset + *width, 0, curr_canvas->width); const int left = clip(*x_offset, 0, curr_canvas->width - 1); const int bottom = clip(*y_offset + *height, 0, curr_canvas->height); const int top = clip(*y_offset, 0, curr_canvas->height - 1); if (prev_canvas == NULL || curr_canvas == NULL || prev_canvas->width != curr_canvas->width || prev_canvas->height != curr_canvas->height || !prev_canvas->use_argb || !curr_canvas->use_argb) { return 0; } .... } #info The curr_canvas pointer can be equal to NULL, as evidenced by the check curr_canvas == NULL. Besides, the pointer is dereferenced earlier, before that check. ----------------------------------------------------------------- WebRTC V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush 'sensitive' object. The RtlSecureZeroMemory() function should be used to erase the private data. 
socketadapters.cc 677 void AsyncSocksProxySocket::SendAuth() { .... char * sensitive = new char[len]; pass_.CopyTo(sensitive, true); request.WriteString(sensitive); // Password memset(sensitive, 0, len); delete [] sensitive; DirectSend(request.Data(), request.Length()); state_ = SS_AUTH; } #info Because the buffer is freed right after the memset and never read again, the compiler is allowed to treat the memset as a dead store and remove it, so the password can remain in memory. A zeroing function the compiler cannot elide (memset_s, explicit_bzero, SecureZeroMemory or an equivalent) should be used instead. ----------------------------------------------------------------- WebRTC V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush 'sensitive' object. The RtlSecureZeroMemory() function should be used to erase the private data. httpcommon.cc 721 HttpAuthResult HttpAuthenticate(....) { .... char * sensitive = new char[len]; .... if (_stricmp(auth_method.c_str(), "basic") == 0) { .... memset(sensitive, 0, len); delete [] sensitive; return HAR_RESPONSE; } .... } #info For the same reason the compiler may remove this memset call, and the sensitive data can remain in memory. #add V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush 'sensitive' object. The RtlSecureZeroMemory() function should be used to erase the private data. httpcommon.cc 766 V597 CWE-14 The compiler could delete the 'memset' function call, which is used to flush 'sensitive' object. The RtlSecureZeroMemory() function should be used to erase the private data. httpcommon.cc 917 ----------------------------------------------------------------- webkit V603 CWE-665 The object was created but it is not being used. If you wish to call constructor, 'this->ScrollAnchorData::ScrollAnchorData(....)' should be used. 
webscrollanchordata.h 49 struct ScrollAnchorData { WebString selector_; WebFloatPoint offset_; uint64_t simhash_; ScrollAnchorData(const WebString& selector, const WebFloatPoint& offset, uint64_t simhash) : selector_(selector), offset_(offset), simhash_(simhash) {} ScrollAnchorData() { ScrollAnchorData(WebString(), WebFloatPoint(0, 0), 0); } }; #info This is not a call of one constructor from another one. An unnamed temporary object is created and immediately destroyed, while the members of the object actually being constructed are left untouched — in particular simhash_, which has no initializer, stays uninitialized. A delegating constructor is written as ScrollAnchorData() : ScrollAnchorData(WebString(), WebFloatPoint(0, 0), 0) {}. ----------------------------------------------------------------- ICU V694 CWE-571 The condition (action + 1) is only false if there is pointer overflow which is undefined behavior anyway. ubiditransform.cpp 502 U_DRAFT uint32_t U_EXPORT2 ubiditransform_transform(....) { .... const UBiDiAction *action = NULL; .... if (action + 1) { updateSrc(....); } .... } #info The condition is always true. Theoretically, it could become false if an overflow occurred, but that is undefined behavior anyway. ----------------------------------------------------------------- Skia V767 Suspicious access to element of 'fRects' array by a constant index inside a loop. grnonaafillrectop.cpp 276 SkString dumpInfo() const override { SkString str; str.appendf("# combined: %d\n", fRects.count()); for (int i = 0; i < fRects.count(); ++i) { const RectInfo& geo = fRects[0]; str.appendf("%d: Color: 0x%08x, " "Rect [L: %.2f, T: %.2f, R: %.2f, B: %.2f]\n", i, geo.fColor, geo.fRect.fLeft, geo.fRect.fTop, geo.fRect.fRight, geo.fRect.fBottom); } str += fHelper.dumpInfo(); str += INHERITED::dumpInfo(); return str; } #info Information about one and the same element of the array is printed on every iteration. Most likely, fRects[i] should be written instead of fRects[0]. ----------------------------------------------------------------- swiftshader V768 CWE-571 The enumeration constant 'Lshr' is used as a variable of a Boolean-type. subzeroreactor.cpp 712 V768 CWE-571 The enumeration constant 'Ashr' is used as a variable of a Boolean-type. 
subzeroreactor.cpp 712 static Value *createArithmetic(Ice::InstArithmetic::OpKind op, Value *lhs, Value *rhs) { assert(lhs->getType() == rhs->getType() || (llvm::isa(rhs) && (op == Ice::InstArithmetic::Shl || Ice::InstArithmetic::Lshr || Ice::InstArithmetic::Ashr))); .... } #info The two bare enumeration constants are distinct enumerators, so at least one of them is non-zero and the parenthesized condition is always true; the assert checks nothing for that branch. Here is the correct version of the code: assert(lhs->getType() == rhs->getType() || (llvm::isa(rhs) && (op == Ice::InstArithmetic::Shl || op == Ice::InstArithmetic::Lshr || op == Ice::InstArithmetic::Ashr))); ----------------------------------------------------------------- ICU V773 CWE-401 The function was exited without releasing the 'rules' pointer. A memory leak is possible. rbtz.cpp 668 UVector* RuleBasedTimeZone::copyRules(UVector* source) { if (source == NULL) { return NULL; } UErrorCode ec = U_ZERO_ERROR; int32_t size = source->size(); UVector *rules = new UVector(size, ec); if (U_FAILURE(ec)) { return NULL; } .... } #info In the error case the delete operator isn't called. ----------------------------------------------------------------- ICU V773 CWE-401 The function was exited without releasing the 'tmpSet' pointer. A memory leak is possible. uspoof_impl.cpp 184 void SpoofImpl::setAllowedLocales(const char *localesList, UErrorCode &status) { .... fAllowedLocales = uprv_strdup(""); tmpSet = new UnicodeSet(0, 0x10ffff); if (fAllowedLocales == NULL || tmpSet == NULL) { status = U_MEMORY_ALLOCATION_ERROR; return; } .... } #info In the error case (for example, when fAllowedLocales is NULL but tmpSet was allocated) the delete operator is not called. ----------------------------------------------------------------- ICU V773 CWE-401 The function was exited without releasing the 'result' pointer. A memory leak is possible. stsearch.cpp 301 SearchIterator * StringSearch::safeClone(void) const { UErrorCode status = U_ZERO_ERROR; StringSearch *result = new StringSearch(m_pattern_, m_text_, getCollator(), m_breakiterator_, status); .... result->setOffset(getOffset(), status); .... 
if (U_FAILURE(status)) { return NULL; } return result; } #info In case of erroneous situation the delete operator is not called. #add V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. tznames_impl.cpp 154 V773 CWE-401 The function was exited without releasing the 'filter' pointer. A memory leak is possible. tridpars.cpp 298 V773 CWE-401 The function was exited without releasing the 'targets' pointer. A memory leak is possible. transreg.cpp 984 V773 CWE-401 The function was exited without releasing the 'instance' pointer. A memory leak is possible. tzgnames.cpp 1216 V773 CWE-401 The function was exited without releasing the 'uset' pointer. A memory leak is possible. rbbiscan.cpp 1276 ----------------------------------------------------------------- libwebm V773 CWE-401 The function was exited without releasing the 'new_frame' pointer. A memory leak is possible. mkvmuxer.cc 3513 bool Segment::AddGenericFrame(const Frame* frame) { .... Frame* const new_frame = new (std::nothrow) Frame(); if (!new_frame || !new_frame->CopyFrom(*frame)) return false; .... } #info In case of erroneous situation the delete operator is not called. #add V773 CWE-401 The function was exited without releasing the 'new_frame' pointer. A memory leak is possible. mkvmuxer.cc 3539 ----------------------------------------------------------------- swiftshader V773 CWE-401 The function was exited without releasing the 'node' pointer. A memory leak is possible. intermediate.cpp 405 TIntermTyped* TIntermediate::addBinaryMath(TOperator op, TIntermTyped* left, TIntermTyped* right, const TSourceLoc &line) { .... TIntermBinary* node = new TIntermBinary(op); node->setLine(line); node->setLeft(left); node->setRight(right); if (!node->promote(infoSink)) return 0; .... } #info In case of erroneous situation the delete operator is not called. #add V773 CWE-401 The function was exited without releasing the 'node' pointer. A memory leak is possible. 
intermediate.cpp 443 V773 CWE-401 The function was exited without releasing the 'node' pointer. A memory leak is possible. intermediate.cpp 514 V773 CWE-401 The function was exited without releasing the 'rightUnionArray' pointer. A memory leak is possible. intermediate.cpp 1457 V773 CWE-401 The function was exited without releasing the 'unionArray' pointer. A memory leak is possible. intermediate.cpp 1457 V773 CWE-401 The function was exited without releasing the 'aggregateArguments' pointer. A memory leak is possible. parsehelper.cpp 2109 ----------------------------------------------------------------- PDFium V773 CWE-401 The function was exited without releasing the 'pContext' pointer. A memory leak is possible. fx_codec_jpeg.cpp 421 std::unique_ptr CCodec_JpegModule::Start() { auto* pContext = new CJpegContext(); if (setjmp(pContext->m_JumpMark) == -1) return nullptr; .... } #info In case of erroneous situation the delete operator is not called. ----------------------------------------------------------------- WebKit V773 CWE-401 The function was exited without releasing the 'transform_css_value' pointer. A memory leak is possible. csstransformvalue.cpp 73 static CSSValueList* CreateSpaceSeparated() { return new CSSValueList(kSpaceSeparator); } const CSSValue* CSSTransformValue::ToCSSValue(....) const { CSSValueList* transform_css_value = CSSValueList::CreateSpaceSeparated(); for (size_t i = 0; i < transform_components_.size(); i++) { const CSSValue* component = transform_components_[i]->ToCSSValue(secure_context_mode); if (!component) return nullptr; // <= transform_css_value->Append(*component); } return transform_css_value; } #info In case of erroneous situation the delete operator is not called. #add V773 CWE-401 The function was exited without releasing the 'image_set' pointer. A memory leak is possible. csspropertyparserhelpers.cpp 1507 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. 
csspropertyparserhelpers.cpp 1619 V773 CWE-401 The function was exited without releasing the 'shape' pointer. A memory leak is possible. cssparsingutils.cpp 248 V773 CWE-401 The function was exited without releasing the 'shape' pointer. A memory leak is possible. cssparsingutils.cpp 272 V773 CWE-401 The function was exited without releasing the 'shape' pointer. A memory leak is possible. cssparsingutils.cpp 289 V773 CWE-401 The function was exited without releasing the 'shape' pointer. A memory leak is possible. cssparsingutils.cpp 315 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 1359 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 1406 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 1359 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 1406 V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. cssparsingutils.cpp 1985 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 2474 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cssparsingutils.cpp 2494 V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. atruledescriptorparser.cpp 30 V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. atruledescriptorparser.cpp 57 V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. atruledescriptorparser.cpp 128 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. 
csssyntaxdescriptor.cpp 193 ----------------------------------------------------------------- WebKit V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 1232 static CSSValueList* CreateSpaceSeparated() { return new CSSValueList(kSpaceSeparator); } static CSSValue* RenderTextDecorationFlagsToCSSValue( TextDecoration text_decoration) { CSSValueList* list = CSSValueList::CreateSpaceSeparated(); .... if (!list->length()) return CSSIdentifierValue::Create(CSSValueNone); return list; } #info In case of erroneous situation the delete operator is not called. #add V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 1678 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 1727 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 2036 V773 CWE-401 The function was exited without releasing the 'size_and_line_height' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 2070 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. computedstylecssvaluemapping.cpp 2070 V773 CWE-401 The function was exited without releasing the 'file_list' pointer. A memory leak is possible. v8scriptvaluedeserializer.cpp 249 V773 CWE-401 The function was exited without releasing the 'file_list' pointer. A memory leak is possible. v8scriptvaluedeserializer.cpp 264 V773 CWE-401 The function was exited without releasing the 'computed_style_info' pointer. A memory leak is possible. inspectordomsnapshotagent.cpp 367 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. cursor.cpp 42 V773 CWE-401 The function was exited without releasing the 'values' pointer. 
A memory leak is possible. content.cpp 103 V773 CWE-401 The function was exited without releasing the 'variation_settings' pointer. A memory leak is possible. fontvariationsettings.cpp 56 V773 CWE-401 Visibility scope of the 'font_variation_value' pointer was exited without releasing the memory. A memory leak is possible. fontvariationsettings.cpp 58 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. rotate.cpp 32 V773 CWE-401 The function was exited without releasing the 'values' pointer. A memory leak is possible. quotes.cpp 25 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. textindent.cpp 52 V773 CWE-401 The function was exited without releasing the 'list' pointer. A memory leak is possible. shapeoutside.cpp 35 (at least, I looked through it inattentively and gave up doing that, as it was boring, uniformly and uninteresting) ----------------------------------------------------------------- WebKit V773 CWE-401 The function was exited without releasing the 'port_array' pointer. A memory leak is possible. v8messageeventcustom.cpp 127 void V8MessageEvent::initMessageEventMethodCustom(....) { .... MessagePortArray* port_array = nullptr; .... port_array = new MessagePortArray; *port_array = NativeValueTraits>::NativeValue( info.GetIsolate(), info[kPortArrayIndex], exception_state); if (exception_state.HadException()) return; .... } #info In case of erroneous situation the delete operator is not called. ----------------------------------------------------------------- WebKit V773 CWE-401 The function was exited without releasing the 'temporary_body' pointer. A memory leak is possible. request.cpp 381 Request* Request::CreateRequestWithRequestOrString(....) { .... BodyStreamBuffer* temporary_body = ....; .... temporary_body = new BodyStreamBuffer(script_state, std::move(init.GetBody())); .... if (exception_state.HadException()) return nullptr; .... 
} #info In case of erroneous situation the delete operator is not called. ----------------------------------------------------------------- WebRTC V789 CWE-672 Iterators for the 'formats' container, used in the range-based for loop, become invalid upon the call of the 'push_back' function. stereocodecfactory.cc 89 std::vector StereoDecoderFactory::GetSupportedFormats() const { std::vector formats = ....; for (const auto& format : formats) { // <= if (cricket::CodecNamesEq(....)) { .... formats.push_back(stereo_format); // <= } } return formats; } ----------------------------------------------------------------- Angle V519 CWE-563 The '* params' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 2044, 2046. state.cpp 2046 void State::getIntegerv(const Context *context, GLenum pname, GLint *params) { .... switch (pname) { .... case GL_DEBUG_GROUP_STACK_DEPTH: *params = static_cast(mDebug.getGroupStackDepth()); break; case GL_MULTISAMPLE_EXT: *params = static_cast(mMultiSampling); break; case GL_SAMPLE_ALPHA_TO_ONE_EXT: *params = static_cast(mSampleAlphaToOne); //<= case GL_COVERAGE_MODULATION_CHROMIUM: *params = static_cast(mCoverageModulation); break; case GL_ATOMIC_COUNTER_BUFFER_BINDING: .... } #info A developer forgot to write the break operator. ----------------------------------------------------------------- SwiftShader V519 CWE-563 The 'framebuffer' variable is assigned values twice successively. Perhaps this is a mistake. Check lines: 3879, 3881. libglesv3.cpp 3881 GL_APICALL void GL_APIENTRY glInvalidateSubFramebuffer(....) { .... switch(target) { case GL_DRAW_FRAMEBUFFER: case GL_FRAMEBUFFER: framebuffer = context->getDrawFramebuffer(); case GL_READ_FRAMEBUFFER: framebuffer = context->getReadFramebuffer(); break; default: return error(GL_INVALID_ENUM); } .... } #info A developer forgot to write the break operator. 
----------------------------------------------------------------- LLVM-subzero V522 CWE-690 There might be dereferencing of a potential null pointer 'TheTable'. Check lines: 65, 59. stringmap.cpp 65 void StringMapImpl::init(unsigned InitSize) { assert((InitSize & (InitSize-1)) == 0 && "Init Size must be a power of 2 or zero!"); NumBuckets = InitSize ? InitSize : 16; NumItems = 0; NumTombstones = 0; TheTable = (StringMapEntryBase **) calloc(NumBuckets+1, sizeof(StringMapEntryBase **) + sizeof(unsigned)); // Allocate one extra bucket, set it to look filled // so the iterators stop at end. TheTable[NumBuckets] = (StringMapEntryBase*)2; } #info Why would Chromium use LLVM at all? That's just how it happened: Chromium uses the SwiftShader library, which in turn uses LLVM-subzero. The bug is interesting because if calloc returns a null pointer, the program will not necessarily crash immediately. The write happens not at the null address itself but at an offset of NumBuckets elements from it, and that offset can be large. ----------------------------------------------------------------- LLVM-subzero V522 CWE-690 There might be dereferencing of a potential null pointer 'Buckets'. Check lines: 219, 217. foldingset.cpp 219 static void **AllocateBuckets(unsigned NumBuckets) { void **Buckets = static_cast(calloc(NumBuckets+1, sizeof(void*))); // Set the very last bucket to be a non-null "pointer". Buckets[NumBuckets] = reinterpret_cast(-1); return Buckets; } #info The same situation as above: if calloc returns a null pointer, the program will not necessarily crash immediately, because the write happens at an offset of NumBuckets elements from the null address rather than at the null address itself, and that offset can be large. 
----------------------------------------------------------------- LLVM-subzero V769 CWE-119 The 'NewTableArray' pointer in the 'NewTableArray + NewSize' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 218, 216. stringmap.cpp 218 unsigned StringMapImpl::RehashTable(unsigned BucketNo) { .... StringMapEntryBase **NewTableArray = (StringMapEntryBase **)calloc(NewSize+1, sizeof(StringMapEntryBase *) + sizeof(unsigned)); unsigned *NewHashArray = (unsigned *)(NewTableArray + NewSize + 1); NewTableArray[NewSize] = (StringMapEntryBase*)2; .... } #info One may wonder why LLVM is used in Chromium at all. But that's the way it happened: Chromium uses the SwiftShader library, which in turn uses the LLVM-subzero library. The bug is interesting because if calloc returns NULL, the program will not necessarily crash immediately: the write does not go to the null address itself but to an offset of NewSize elements from it. ----------------------------------------------------------------- yasm V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 52, 51. substr.h 52 static SubStr * SubStr_new_u(unsigned char *s, unsigned int l) { SubStr *r = malloc(sizeof(SubStr)); r->str = (char*)s; r->len = l; return r; } #info There is no protection against the malloc function returning a null pointer. #add V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 68, 67. substr.h 68 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 84, 83. substr.h 84 V522 CWE-690 There might be dereferencing of a potential null pointer 'inc'. Check lines: 80, 79. genmodule.c 80 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 25, 24. token.h 25 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 44, 43. re.h 44 V522 CWE-690 There might be dereferencing of a potential null pointer 'ro'. Check lines: 62, 61. 
re.h 62 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 126, 125. re.h 126 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 134, 133. re.h 134 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 145, 144. re.h 145 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 155, 154. re.h 155 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 165, 164. re.h 165 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 174, 173. re.h 174 V522 CWE-628 Dereferencing of the null pointer 's' might take place. The potential null pointer is passed into 'Scanner_line' function. Inspect the first argument. Check lines: 'scanner.h:33', 'parser.c:241', 'scanner.h:39'. scanner.h 33 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. substr.c 32 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 103, 102. dfa.h 103 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 113, 112. dfa.h 113 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 124, 123. dfa.h 124 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 135, 134. dfa.h 135 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 147, 146. dfa.h 147 V522 CWE-690 There might be dereferencing of a potential null pointer 's'. Check lines: 79, 78. dfa.c 79 V522 CWE-690 There might be dereferencing of a potential null pointer 'd'. Check lines: 132, 126. dfa.c 132 V522 CWE-690 There might be dereferencing of a potential null pointer 'span'. Check lines: 175, 130. dfa.c 175 V522 CWE-628 Dereferencing of the null pointer 's' might take place. The potential null pointer is passed into 'DFA_addState' function. 
Inspect the third argument. Check lines: 206, 241, 78. dfa.c 206 V522 CWE-690 There might be dereferencing of a potential null pointer 'ss'. actions.c 572 V522 CWE-690 There might be dereferencing of a potential null pointer 'ss'. actions.c 589 V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 604, 603. actions.c 604 V522 CWE-690 There might be dereferencing of a potential null pointer 'b'. Check lines: 171, 170. code.c 171 V522 CWE-690 There might be dereferencing of a potential null pointer 'a'. Check lines: 384, 383. code.c 384 V522 CWE-690 There might be dereferencing of a potential null pointer 's'. Check lines: 655, 654. code.c 655 V522 CWE-690 There might be dereferencing of a potential null pointer 's->go.span'. Check lines: 757, 756. code.c 757 V522 CWE-690 There might be dereferencing of a potential null pointer 'data'. Check lines: 712, 708. nasm-pp.c 712 V522 CWE-690 There might be dereferencing of a potential null pointer 'data'. Check lines: 712, 708. nasm-pp.c 712 V522 CWE-690 There might be dereferencing of a potential null pointer 'struc'. Check lines: 808, 807. nasm-pp.c 808 ----------------------------------------------------------------- WebRTC V522 CWE-690 There might be dereferencing of a potential null pointer 'self'. Check lines: 22, 21. noise_suppression.c 22 NsHandle* WebRtcNs_Create() { NoiseSuppressionC* self = malloc(sizeof(NoiseSuppressionC)); self->initFlag = 0; return (NsHandle*)self; } #info There is no protection if the malloc function returns a null pointer. ----------------------------------------------------------------- WebRTC V522 CWE-690 There might be dereferencing of a potential null pointer 'left'. Check lines: 412, 403. resampler.cc 412 V522 CWE-690 There might be dereferencing of a potential null pointer 'right'. Check lines: 413, 405. resampler.cc 413 int Resampler::Push(....) { .... 
int16_t* left = static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2)); int16_t* right = static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2)); .... for (size_t i = 0; i < lengthIn; i += 2) { left[i >> 1] = samplesIn[i]; right[i >> 1] = samplesIn[i + 1]; } .... } #info There is no protection against the malloc function returning a null pointer. #add V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 88, 84. echo_control_mobile.cc 88 V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 218, 216. aecm_core.cc 218 V522 CWE-690 There might be dereferencing of a potential null pointer 'stt'. Check lines: 1203, 1195. analog_agc.c 1203 V522 CWE-690 There might be dereferencing of a potential null pointer 'instISAC'. Check lines: 282, 279. isac.c 282 ----------------------------------------------------------------- Angle V545 CWE-253 Such conditional expression of 'if' statement is incorrect for the HRESULT type value '(HRESULT) 0x8007000EL'. The SUCCEEDED or FAILED macro should be used instead. renderer11.cpp 4048 typedef _Return_type_success_(return >= 0) long HRESULT; #define _HRESULT_TYPEDEF_(_sc) ((HRESULT)_sc) #define E_OUTOFMEMORY _HRESULT_TYPEDEF_(0x8007000EL) gl::Error Renderer11::mapResource(....) { HRESULT hr = mDeviceContext->Map(resource, subResource, mapType, mapFlags, mappedResource); if (FAILED(hr)) { .... if (E_OUTOFMEMORY) { glError = gl::OutOfMemory() << genericFailureMessage << gl::FmtHR(hr); } return glError; } return gl::NoError(); } #info The E_OUTOFMEMORY constant is nonzero, so the condition is always true and every failure is reported as an out-of-memory error. Apparently, the correct condition should be: if (hr == E_OUTOFMEMORY) ----------------------------------------------------------------- re2 V547 CWE-570 Expression 'c1 == c' is always false. 
rune.cc 247 typedef signed int Rune; enum { UTFmax = 4, Runesync = 0x80, Runeself = 0x80, Runeerror = 0xFFFD, Runemax = 0x10FFFF, }; char* utfrune(const char *s, Rune c) { long c1; Rune r; int n; if(c < Runesync) /* not part of utf sequence */ return strchr((char*)s, c); for(;;) { c1 = *(unsigned char*)s; if(c1 < Runeself) { /* one byte rune */ if(c1 == 0) return 0; if(c1 == c) // <= return (char*)s; s++; continue; } n = chartorune(&r, s); if(r == c) return (char*)s; s += n; } return 0; } #info If c < 0x80, the function returns early. This means that after that point c >= 0x80. The comparison we are interested in is performed only when c1 < 0x80. If c >= 0x80 and c1 < 0x80, the condition c1 == c is always false. ----------------------------------------------------------------- skia V547 CWE-571 Expression 'allDone' is always true. skopcontour.cpp 43 V1001 CWE-563 The 'allDone' variable is assigned but is not used until the end of the function. skopcontour.cpp 40 SkOpSpan* SkOpContour::undoneSpan() { SkOpSegment* testSegment = &fHead; bool allDone = true; do { if (testSegment->done()) { continue; } allDone = false; return testSegment->undoneSpan(); } while ((testSegment = testSegment->next())); if (allDone) { fDone = true; } return nullptr; } #info Very suspicious code, but it is hard for me to tell what the actual error is here. ----------------------------------------------------------------- WebKit V547 CWE-570 Expression '!first' is always false. webmediaconstraints.cpp 302 WebString StringConstraint::ToString() const { .... bool first = true; for (const auto& iter : exact_) { if (!first) builder.Append(", "); builder.Append('"'); builder.Append(iter); builder.Append('"'); } .... 
} #info Since the first variable is never set to false, the commas between items are never added. Correct code variant: bool first = true; for (const auto& iter : exact_) { if (first) first = false; else builder.Append(", "); builder.Append('"'); builder.Append(iter); builder.Append('"'); } ----------------------------------------------------------------- libvpx V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 931 V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 932 V557 CWE-119 Array overrun is possible. The value of 'i' index could reach 254. vp9_encoder.h 933 #define VP9_LEVELS 14 extern const Vp9LevelSpec vp9_level_defs[VP9_LEVELS]; typedef enum { .... LEVEL_MAX = 255 } VP9_LEVEL; static INLINE int log_tile_cols_from_picsize_level( uint32_t width, uint32_t height) { int i; const uint32_t pic_size = width * height; const uint32_t pic_breadth = VPXMAX(width, height); for (i = LEVEL_1; i < LEVEL_MAX; ++i) { if (vp9_level_defs[i].max_luma_picture_size >= pic_size && vp9_level_defs[i].max_luma_picture_breadth >= pic_breadth) { return get_msb(vp9_level_defs[i].max_col_tiles); } } return INT_MAX; } #info Apparently, a wrong constant is used. The array has 14 elements, but the loop index reaches 254. Probably, the loop was supposed to be as follows: for (i = LEVEL_1; i < VP9_LEVELS; ++i) { ----------------------------------------------------------------- Sqlite V557 CWE-125 Array overrun is possible. The value of 'stateno' index could reach 992. sqlite3.c 138802 static const short yy_shift_ofst[] = { /* 0 */ 355, 888, 1021, 909, 1063, 1063, 1063, 1063, 20, -19, .... /* 450 */ 1440, 1443, 1538, 1542, 1562, } #define YY_SHIFT_COUNT (454) #define YY_MIN_REDUCE 993 static unsigned int yy_find_shift_action(....) 
{ int i; int stateno = pParser->yytos->stateno; if( stateno>=YY_MIN_REDUCE ) return stateno; // <= assert( stateno <= YY_SHIFT_COUNT ); do { i = yy_shift_ofst[stateno]; // <= .... } #info The yy_shift_ofst array consists of 455 items, but the check in this function only guarantees that the index used to access the array is not greater than 993. Something is clearly wrong here. The assert below is correct, but it will not help in a release build. Most likely, the check should be rewritten as follows: if (stateno > YY_SHIFT_COUNT) { assert(false); return stateno; } ----------------------------------------------------------------- fips181 (an example of how to make dangerous code out of nothing; one could at least have used an array of 4 characters on the stack...) V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the second argument. Check lines: 136, 132. convert.cc 136 void numerize (char *syllable) { char *tmp = (char *)calloc(1, 4); if ( strlen (syllable) == 1 ) { (void) gen_rand_symbol(tmp, S_NB); (void) memcpy ((void *)syllable, (void *)tmp, 1); } free ((void *)tmp); } #info This is an example of how one can overshoot and create overly complex and potentially dangerous code. It is dangerous because there is no check whether the calloc function actually allocated the memory. It would be simpler and safer to do the following: void numerize (char *syllable) { if ( strlen (syllable) == 1 ) { char tmp[4] = { 0 }; (void) gen_rand_symbol(tmp, S_NB); (void) memcpy ((void *)syllable, (void *)tmp, 1); } } #add V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the second argument. Check lines: 160, 156. convert.cc 160 ----------------------------------------------------------------- openvr V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 35, 34. dirtools_public.cpp 35 bool BCreateDirectoryRecursive( const char *pchPath ) { .... 
int len = (int)strlen( pchPath ); char *path = (char *)malloc( len + 1 ); strcpy( path, pchPath ); .... } #info There is no protection if the malloc function returns a null pointer. ----------------------------------------------------------------- SwiftShader V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 102, 101. bitvector.h 102 BitVector(const BitVector &RHS) : Size(RHS.size()) { .... Bits = (BitWord *)std::malloc(Capacity * sizeof(BitWord)); std::memcpy(Bits, RHS.Bits, Capacity * sizeof(BitWord)); } #info There is no protection if the malloc function returns a null pointer. #add V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 440, 439. bitvector.h 440 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 31, 28. smallvector.cpp 31 ----------------------------------------------------------------- yasm V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 134, 129. dfa.c 134 DFA * DFA_new(Ins *ins, unsigned int ni, unsigned int lb, unsigned int ub, Char *rep) { DFA *d = malloc(sizeof(DFA)); Ins **work = malloc(sizeof(Ins*)*(ni+1)); unsigned int nc = ub - lb; GoTo *goTo = malloc(sizeof(GoTo)*nc); // <= Span *span = malloc(sizeof(Span)*nc); d->lbChar = lb; d->ubChar = ub; memset((char*) goTo, 0, nc*sizeof(GoTo)); // <= .... } #info There is no protection if the malloc function returns a null pointer. #add V575 CWE-628 The potential null pointer is passed into 'strcpy' function. Inspect the first argument. Check lines: 81, 80. genmodule.c 81 V575 CWE-628 The potential null pointer is passed into 'fgets' function. Inspect the first argument. Check lines: 76, 59. genmacro.c 76 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 83, 82. 
main.c 83 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 184, 183. dfa.c 184 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 244, 243. dfa.c 244 V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 672, 671. actions.c 672 V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 208, 203. code.c 208 V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 796, 795. code.c 796 V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 816, 815. code.c 816 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the first argument. Check lines: 872, 871. code.c 872 V575 CWE-628 The potential null pointer is passed into 'memcpy' function. Inspect the second argument. Check lines: 872, 859. code.c 872 ----------------------------------------------------------------- WebRTC V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 154, 153. resampler.cc 154 int Resampler::Reset(int inFreq, int outFreq, size_t num_channels) { .... state1_ = malloc(8 * sizeof(int32_t)); memset(state1_, 0, 8 * sizeof(int32_t)); .... } #info There is no protection if the malloc function returns a null pointer. #add V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 167, 166. resampler.cc 167 V575 CWE-628 The potential null pointer is passed into 'memset' function. Inspect the first argument. Check lines: 237, 236. 
resampler.cc 237 ----------------------------------------------------------------- Skia V581 The conditional expressions of the 'if' statements situated alongside each other are identical. Check lines: 758, 761. skpathref.cpp 761 V649 CWE-561 There are two 'if' statements with identical conditional expressions. The first 'if' statement contains function return. This means that the second 'if' statement is senseless. Check lines: 758, 761. skpathref.cpp 761 bool SkPathRef::isValid() const { .... if (nullptr == fPoints && 0 != fFreeSpace) { return false; } if (nullptr == fPoints && 0 != fFreeSpace) { return false; } .... } #info The same check is performed twice. Either the second check is redundant, or the developer forgot to check something else. ----------------------------------------------------------------- Skia V656 Variables 'dstTex', 'srcTex' are initialized through the call to the same function. It's probably an error or un-optimized code. Check lines: 3312, 3313. grglgpu.cpp 3313 static inline bool can_blit_framebuffer_for_copy_surface( const GrSurface* dst, GrSurfaceOrigin dstOrigin, const GrSurface* src, GrSurfaceOrigin srcOrigin, ....) { .... const GrGLTexture* dstTex = static_cast<const GrGLTexture*>(dst->asTexture()); const GrGLTexture* srcTex = static_cast<const GrGLTexture*>(dst->asTexture()); // <= const GrRenderTarget* dstRT = dst->asRenderTarget(); const GrRenderTarget* srcRT = src->asRenderTarget(); if (dstTex && dstTex->target() != GR_GL_TEXTURE_2D) { return false; } if (srcTex && srcTex->target() != GR_GL_TEXTURE_2D) { return false; } .... } #info A typo. After copy-pasting the line, the developer forgot to replace dst with src. It should be as follows: const GrGLTexture* srcTex = static_cast<const GrGLTexture*>(src->asTexture()); // <= P.S. If using dst twice were intended, there would be no sense in doing the two similar checks below. ----------------------------------------------------------------- usrsctp V665 Possibly, the usage of '#pragma warning(default: X)' is incorrect in this context. 
The '#pragma warning(push/pop)' should be used instead. Check lines: 42, 1271. usrsctp.h 1271 .... #ifdef _WIN32 #ifdef _MSC_VER #pragma warning(disable: 4200) // <= #endif #include <....> #include <....> #else #include <....> #include <....> #endif .... #ifdef _WIN32 #ifdef _MSC_VER #pragma warning(default: 4200) // <= #endif #endif #ifdef __cplusplus .... #info A compiler warning is incorrectly suppressed and restored: '#pragma warning(default: 4200)' resets the warning to its default level rather than restoring the previous setting. This is especially bad because it is a header file, so the change affects every file that includes it. ----------------------------------------------------------------- Angle V668 CWE-570 There is no sense in testing the 'mStreamingBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. vertexdatamanager.cpp 209 gl::Error VertexDataManager::initialize() { mStreamingBuffer.reset( new StreamingVertexBufferInterface(mFactory, INITIAL_STREAM_BUFFER_SIZE)); if (!mStreamingBuffer) { return gl::OutOfMemory() << "Failed to allocate the streaming vertex buffer."; } return gl::NoError(); } #info A pointless check. The new operator throws a std::bad_alloc exception if memory cannot be allocated. #add V668 CWE-570 There is no sense in testing the 'memory' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. poolalloc.cpp 294 V668 CWE-570 There is no sense in testing the 'memory' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. poolalloc.cpp 319 ----------------------------------------------------------------- hunspell V668 CWE-570 There is no sense in testing the 'iterator' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. affixmgr.cxx 277 int AffixMgr::parse_file(const char* affpath, const char* key) { .... 
FileMgr* iterator = new FileMgr(&affix_iterator); if (!iterator) { HUNSPELL_WARNING(stderr, "error: could not create a FileMgr from an " "affix line iterator.\n"); return 1; } .... } #info A pointless check. The new operator throws a std::bad_alloc exception if memory cannot be allocated. #add V668 CWE-570 There is no sense in testing the 'afflst' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. affixmgr.cxx 297 V668 CWE-570 There is no sense in testing the 'afflst' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. hashmgr.cxx 963 V668 CWE-570 There is no sense in testing the 'r' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. replist.cxx 163 ----------------------------------------------------------------- SwiftShader V668 CWE-570 There is no sense in testing the 'memory' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. poolalloc.cpp 284 void* TPoolAllocator::allocate(size_t numBytes) { .... tHeader* memory = reinterpret_cast<tHeader*>(::new char[numBytesToAlloc]); if (memory == 0) return 0; .... } #info A pointless check. The new operator throws a std::bad_alloc exception if memory cannot be allocated. #add V668 CWE-571 There is no sense in testing the 'block' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. memory.cpp 71 V668 CWE-571 There is no sense in testing the 'block' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. 
memory.cpp 71 V668 CWE-570 There is no sense in testing the 'mStreamingBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. indexdatamanager.cpp 38 V668 CWE-570 There is no sense in testing the 'mIndexBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. indexdatamanager.cpp 383 V668 CWE-570 There is no sense in testing the 'mIndexBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. indexdatamanager.cpp 443 V668 CWE-570 There is no sense in testing the 'mContents' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. buffer.cpp 63 V668 CWE-570 There is no sense in testing the 'mQuery' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. query.cpp 59 V668 CWE-570 There is no sense in testing the 'mStreamingBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. vertexdatamanager.cpp 43 V668 CWE-570 There is no sense in testing the 'mVertexBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. vertexdatamanager.cpp 245 V668 CWE-570 There is no sense in testing the 'mVertexBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. vertexdatamanager.cpp 338 ----------------------------------------------------------------- WebRTC #info A pointless check. 
The new operator will generate an exception std::bad_alloc, if memory is not allocated. V668 CWE-570 There is no sense in testing the 'aec' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. aec_core.cc 1472 AecCore* WebRtcAec_CreateAec(int instance_count) { AecCore* aec = new AecCore(instance_count); if (!aec) { return NULL; } .... } #add V668 CWE-570 There is no sense in testing the 'aecpc' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. echo_cancellation.cc 126 V668 CWE-570 There is no sense in testing the 'newBuffer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. i420.cc 65 V668 CWE-570 There is no sense in testing the 'pointer' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. externalhmac.cc 79 V668 CWE-570 There is no sense in testing the 'default_network_manager_' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. peerconnectionfactory.cc 135 V668 CWE-570 There is no sense in testing the 'default_socket_factory_' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. peerconnectionfactory.cc 141 V668 CWE-570 There is no sense in testing the '_ptrFileUtilityObj' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. media_file_impl.cc 194 V668 CWE-571 There is no sense in testing the 'self' pointer against null, as the memory was allocated using the 'new' operator. 
The exception will be generated in the case of memory allocation error. voice_engine_impl.cc 32 ----------------------------------------------------------------- WebKit V668 CWE-571 There is no sense in testing the 'bitmap' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. imagebitmap.cpp 823 void ImageBitmap::ResolvePromiseOnOriginalThread(....) { .... ImageBitmap* bitmap = new ImageBitmap(image); if (bitmap && bitmap->BitmapImage()) bitmap->BitmapImage()->SetOriginClean(origin_clean); .... } #info A pointless check. The new operator throws a std::bad_alloc exception if memory cannot be allocated. #add V668 CWE-571 There is no sense in testing the 'bitmap' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. imagebitmap.cpp 825 V668 CWE-571 There is no sense in testing the 'bitmap' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. imagebitmap.cpp 889 V668 CWE-571 There is no sense in testing the 'bitmap' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. imagebitmap.cpp 893 V668 CWE-570 There is no sense in testing the 'node' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. audioworkletnode.cpp 305 V668 CWE-570 There is no sense in testing the 'node' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. mediastreamaudiosourcenode.cpp 160 V668 CWE-571 There is no sense in testing the 'node' pointer against null, as the memory was allocated using the 'new' operator. 
The exception will be generated in the case of memory allocation error. mediaelementaudiosourcenode.cpp 259 V668 CWE-570 There is no sense in testing the 'node' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. scriptprocessornode.cpp 485 V668 CWE-570 There is no sense in testing the 'iterator' pointer against null, as the memory was allocated using the 'new' operator. The exception will be generated in the case of memory allocation error. textbreakiteratoricu.cpp 882 ----------------------------------------------------------------- flac V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'object->parameters' is lost. Consider assigning realloc() to a temporary pointer. format.c 576 V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'object->raw_bits' is lost. Consider assigning realloc() to a temporary pointer. format.c 578 FLAC__bool FLAC__format_entropy_codi.....ce_contents_ensure_size( FLAC__EntropyCodingMethod_PartitionedRiceContents *object, unsigned max_partition_order) { .... if(object->capacity_by_order < max_partition_order) { if(0 == (object->parameters = realloc(object->parameters, ....))) return false; if(0 == (object->raw_bits = realloc(object->raw_bits, ....))) return false; .... } #info A memory leak will occur if the function realloc returns NULL. ----------------------------------------------------------------- WebRTC V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'self->binary_far_history' is lost. Consider assigning realloc() to a temporary pointer. delay_estimator.cc 303 V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'self->far_bit_counts' is lost. Consider assigning realloc() to a temporary pointer. 
delay_estimator.cc 306 int WebRtc_AllocateFarendBufferMemory( BinaryDelayEstimatorFarend* self, int history_size) { .... self->binary_far_history = static_cast<....>( realloc(self->binary_far_history, history_size * sizeof(*self->binary_far_history))); self->far_bit_counts = static_cast<....>( realloc(self->far_bit_counts, history_size * sizeof(*self->far_bit_counts))); .... } #info A memory leak will occur if the realloc function returns NULL, because the only pointer to the old block is overwritten with the null result. #add V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'self->mean_bit_counts' is lost. Consider assigning realloc() to a temporary pointer. delay_estimator.cc 453 V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'self->bit_counts' is lost. Consider assigning realloc() to a temporary pointer. delay_estimator.cc 456 V701 CWE-401 realloc() possible leak: when realloc() fails in allocating memory, original pointer 'self->histogram' is lost. Consider assigning realloc() to a temporary pointer. delay_estimator.cc 458 ----------------------------------------------------------------- yasm V707 Giving short names to global variables is considered to be bad practice. It is suggested to rename 'in' variable. parser.c 18 static Scanner *in; #info A dangerous name for a global variable. ----------------------------------------------------------------- yasm V707 Giving short names to global variables is considered to be bad practice. It is suggested to rename 'i' variable. nasm-eval.c 29 static int i; /* The t_type of tokval */ #info A dangerous name for a global variable. ----------------------------------------------------------------- HarfBuzz V751 Parameter 'right' is not used inside function body. 
hb-ot-kern-table.hh 115 inline int get_kerning (hb_codepoint_t left, hb_codepoint_t right, const char *end) const { unsigned int l = (this+leftClassTable).get_class (left); unsigned int r = (this+leftClassTable).get_class (left); // <= unsigned int offset = l * rowWidth + r * sizeof (FWORD); .... } #info A nice Copy-Paste error. The line was duplicated, but neither 'leftClassTable' nor 'left' was changed to its 'right' counterpart, so the 'right' parameter is never consulted and the kerning offset is computed from the left glyph twice. It should be as follows: unsigned int l = (this+leftClassTable).get_class (left); unsigned int r = (this+rightClassTable).get_class (right); ----------------------------------------------------------------- PDFium V760 Two identical blocks of text were found. The second block begins from line 420. fx_codec_jpx_opj.cpp 416 void sycc420_to_rgb(opj_image_t* img) { .... opj_image_data_free(img->comps[0].data); opj_image_data_free(img->comps[1].data); opj_image_data_free(img->comps[2].data); img->comps[0].data = d0; img->comps[1].data = d1; img->comps[2].data = d2; img->comps[1].w = yw; // 1 img->comps[1].h = yh; // 1 img->comps[2].w = yw; // 1 img->comps[2].h = yh; // 1 img->comps[1].w = yw; // 2 img->comps[1].h = yh; // 2 img->comps[2].w = yw; // 2 img->comps[2].h = yh; // 2 img->comps[1].dx = img->comps[0].dx; img->comps[2].dx = img->comps[0].dx; img->comps[1].dy = img->comps[0].dy; img->comps[2].dy = img->comps[0].dy; } #info A repeated block of assignments. The duplicate assigns the same values again, so it is harmless in itself, but it looks like a Copy-Paste slip in which one copy was meant to be something else. ----------------------------------------------------------------- hunspell V769 CWE-119 The 'candidate' pointer in the 'candidate + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 864, 863. suggestmgr.cxx 864 int SuggestMgr::twowords(....) { .... char* candidate = (char*)malloc(wl + 2); strcpy(candidate + 1, word); .... } #info There is no check for malloc returning a null pointer: on allocation failure, strcpy writes through a pointer derived from null (candidate + 1), which is undefined behavior rather than a clean error. ----------------------------------------------------------------- ICU V774 CWE-416 The 'mzMappings' pointer was used after the memory was released. 
zonemeta.cpp 713 UVector* ZoneMeta::createMetazoneMappings(const UnicodeString &tzid) { UVector *mzMappings = NULL; .... if (U_SUCCESS(status)) { .... if (U_SUCCESS(status)) { .... while (ures_hasNext(rb)) { .... if (mzMappings == NULL) { mzMappings = new UVector( deleteOlsonToMetaMappingEntry, NULL, status); if (U_FAILURE(status)) { delete mzMappings; uprv_free(entry); break; } } .... } .... } } ures_close(rb); return mzMappings; } #info Code is complicated and I find it difficult to say exactly, if there is a bug or not. But it seems to me, it is possible that this function will return a pointer to the memory block being freed. ----------------------------------------------------------------- PDFium V778 CWE-682 Two similar code fragments were found. Perhaps, this is a typo and 'res_y' variable should be used instead of 'res_x'. cfx_imagetransformer.cpp 201 void Transform(int x, int y, int* x1, int* y1, int* res_x, int* res_y) const { .... if (*res_x < 0 && *res_x > -kBase) *res_x = kBase + *res_x; if (*res_y < 0 && *res_x > -kBase) *res_y = kBase + *res_y; } } #info A typo. No check: *res_y > -kBase. ----------------------------------------------------------------- SwiftShader V778 CWE-682 Two similar code fragments were found. Perhaps, this is a typo and 'SymTab' variable should be used instead of 'ShStrTab'. iceelfobjectwriter.cpp 194 class ELFObjectWriter { .... ELFStringTableSection *ShStrTab; ELFSymbolTableSection *SymTab; ELFStringTableSection *StrTab; .... }; void ELFObjectWriter::assignSectionNumbersInfo( SectionList &AllSections) { .... ShStrTab->setNumber(CurSectionNumber++); ShStrTab->setNameStrIndex(ShStrTab->getIndex(ShStrTab->getName())); AllSections.push_back(ShStrTab); SymTab->setNumber(CurSectionNumber++); SymTab->setNameStrIndex(ShStrTab->getIndex(SymTab->getName())); AllSections.push_back(SymTab); StrTab->setNumber(CurSectionNumber++); StrTab->setNameStrIndex(ShStrTab->getIndex(StrTab->getName())); AllSections.push_back(StrTab); .... 
} #info Apparently, this code was written using the Copy-Paste method. In doing so, in the second block of text one forgot to change ShStrTab->getIndex to SymTab->getIndex, and in the third did not replace ShStrTab->getIndex with StrTab->getIndex. Note, however, that in ELF the names of all sections are stored in the section-header string table (.shstrtab), so passing each section's name through ShStrTab->getIndex() for setNameStrIndex() may well be intentional; this one should be confirmed against the ELF writer's design rather than "fixed" blindly. ----------------------------------------------------------------- WebKit V778 CWE-682 Two similar code fragments were found. Perhaps, this is a typo and 'height' variable should be used instead of 'width'. ng_fragment_builder.cc 326 void NGFragmentBuilder::ComputeInlineContainerFragments(....) { .... value.start_fragment_union_rect.size.width = std::max(descendant.offset_to_container_box.left + descendant.fragment->Size().width - value.start_fragment_union_rect.offset.left, value.start_fragment_union_rect.size.width); value.start_fragment_union_rect.size.height = std::max(descendant.offset_to_container_box.top + descendant.fragment->Size().height - value.start_fragment_union_rect.offset.top, value.start_fragment_union_rect.size.width); // <= .... } #info Apparently, this code was written using the Copy-Paste method. At the very end one forgot to change width to height, so the union rectangle's height is clamped against its width instead of its previous height. ----------------------------------------------------------------- ICU V779 CWE-561 Unreachable code detected. It is possible that an error is present. collationdatabuilder.cpp 392 uint32_t CollationDataBuilder::setPrimaryRangeAndReturnNext(....) { .... } else { // Short range: Set individual CE32s. for(;;) { utrie2_set32(....); ++start; primary = Collation::incThreeBytePrimaryByOffset(....); if(start > end) { return primary; } } modified = TRUE; // <= } } #info The loop can only be left through the 'return' operator. This means that the assignment located after the loop will never be executed: either it is dead code, or 'modified' is wrongly left unset on this path. ----------------------------------------------------------------- Angle V794 The copy operator should be protected from the case of 'this == &other'. 
error.inl 56 Error &Error::operator=(const Error &other) { mCode = other.mCode; mID = other.mID; if (other.mMessage) { createMessageString(); *mMessage = *(other.mMessage); } else { mMessage.release(); } return *this; } #info There is no protection for the case when the object is assigned to itself; whether that corrupts mMessage depends on what createMessageString() does when mMessage is already set, which is not visible here. Separately, if mMessage is a std::unique_ptr (as the .release() call suggests), the else branch gives up ownership of the old message without deleting it: release() only relinquishes the pointer, whereas reset() would free it. #add V794 The copy operator should be protected from the case of 'this == &other'. error.inl 145 V794 The copy operator should be protected from the case of 'this == &t'. types.cpp 250 ----------------------------------------------------------------- re2 V794 The copy operator should be protected from the case of 'this == &src'. sparse_array.h 362 template SparseArray& SparseArray::operator=( const SparseArray& src) { size_ = src.size_; max_size_ = src.max_size_; std::unique_ptr a(new int[max_size_]); std::copy_n(src.sparse_.get(), src.max_size_, a.get()); sparse_ = std::move(a); std::unique_ptr b(new IndexValue[max_size_]); std::copy_n(src.dense_.get(), src.max_size_, b.get()); dense_ = std::move(b); return *this; } #info There is no protection for the case when the object is assigned to itself. In this particular implementation each array is copied into a fresh buffer before the old one is released, so self-assignment is wasteful (two needless allocations and copies) rather than destructive. ----------------------------------------------------------------- WebRTC V794 The copy operator should be protected from the case of 'this == &other'. desktop_region.cc 50 DesktopRegion& DesktopRegion::operator=( const DesktopRegion& other) { Clear(); rows_ = other.rows_; for (Rows::iterator it = rows_.begin(); it != rows_.end(); ++it) { // Copy each row. Row* row = it->second; it->second = new Row(*row); } return *this; } #info There is no protection for the case when the object is assigned to itself. Here it matters more than usual: Clear() runs before rows_ is copied from 'other', so on self-assignment the region is cleared first and then copied from its own, already-cleared, state (assuming Clear() empties rows_, as its name suggests). ----------------------------------------------------------------- WebKit V794 The copy operator should be protected from the case of 'this == &other'. 
transformstate.cpp 30 TransformState& TransformState::operator=( const TransformState& other) { accumulated_offset_ = other.accumulated_offset_; map_point_ = other.map_point_; map_quad_ = other.map_quad_; if (map_point_) last_planar_point_ = other.last_planar_point_; if (map_quad_) last_planar_quad_ = other.last_planar_quad_; accumulating_transform_ = other.accumulating_transform_; force_accumulating_transform_ = other.force_accumulating_transform_; direction_ = other.direction_; accumulated_transform_.reset(); if (other.accumulated_transform_) accumulated_transform_ = TransformationMatrix::Create(*other.accumulated_transform_); return *this; } #info There is no protection for the case when the object is assigned to itself. On self-assignment accumulated_transform_.reset() destroys the matrix first, after which other.accumulated_transform_ (the same member) is null, so the accumulated transform is silently lost. ----------------------------------------------------------------- PDFium V1004 CWE-476 The 'pObject2Device' pointer was used unsafely after it was verified against nullptr. Check lines: 237, 248. cfx_psrenderer.cpp 248 void CFX_PSRenderer::SetClip_PathStroke(...., const CFX_Matrix* pObject2Device, ....) { .... if (pObject2Device) { .... } .... m_ClipBox.Intersect( pObject2Device->TransformRect(rect).GetOuterRect()); .... } #info The pObject2Device pointer may be null, as evidenced by the check of this pointer against nullptr at line 237. However, further down (line 248) the pointer is dereferenced unconditionally, outside the guarded block. Either the check is redundant or the later dereference needs the same guard. #add V1004 CWE-476 The 'pGraphState' pointer was used unsafely after it was verified against nullptr. Check lines: 964, 977. fx_win32_gdipext.cpp 977 ----------------------------------------------------------------- PDFium V1004 CWE-476 The 'pGraphState' pointer was used unsafely after it was verified against nullptr. Check lines: 101, 110. fx_win32_device.cpp 110 HPEN CreatePen(const CFX_GraphStateData* pGraphState, ....) { .... if (pGraphState) { width = scale * pGraphState->m_LineWidth; } else { width = 1.0f; } uint32_t PenStyle = PS_GEOMETRIC; if (width < 1) { width = 1; } if (pGraphState->m_DashCount) { .... 
} #info The pGraphState pointer may be null, as evidenced by the check of this pointer against nullptr at line 101 (which even supplies a default width for that case). However, a few lines later (line 110) pGraphState->m_DashCount is read unconditionally, so the null case the code prepares for would still crash. ----------------------------------------------------------------- SwiftShader V1004 CWE-476 The 'shader' pointer was used unsafely after it was verified against nullptr. Check lines: 43, 53. vertexprogram.cpp 53 VertexProgram::VertexProgram(...., const VertexShader *shader) : VertexRoutine(state, shader), shader(shader), r(shader->dynamicallyIndexedTemporaries) { .... if(shader && shader->containsBreakInstruction()) { enableBreak = ....; } if(shader && shader->containsContinueInstruction()) { enableContinue = ....; } if(shader->isInstanceIdDeclared()) { instanceID = ....; } } #info The shader pointer may be null, as evidenced by the two checks of this pointer against nullptr. However, it is dereferenced both before those checks (shader->dynamicallyIndexedTemporaries in the initializer list) and after them without a check (shader->isInstanceIdDeclared()). Either the checks are redundant or the unguarded dereferences are bugs. ----------------------------------------------------------------- Ced V751 Parameter 'byte1' is not used inside function body. compact_enc_det.cc 2559 // Boost, whack, or leave alone HZ probablilty void HzBoostWhack(DetectEncodingState* destatep, uint8 byte1, uint8 byte2) { if ((byte2 == '{') || (byte2 == '}')) { // Found ~{ or ~} Boost(destatep, F_HZ_GB_2312, kBoostOnePair); } else if ((byte2 == '~') || (byte2 == '\n')) { // neutral destatep->enc_prob[F_HZ_GB_2312] += 0; } else { // Illegal pair Whack(destatep, F_HZ_GB_2312, kBadPairWhack); } } #info The byte1 argument is never used in the function. I am not sure whether this is an error: the comments speak of "~{" / "~}" pairs, yet only byte2 is inspected, so byte1 may be assumed to be '~' by the caller. Even if it is not a bug, it is better not to write code this way. ----------------------------------------------------------------- WebRTC V512 CWE-682 A call of the 'memset' function will lead to underflow of the buffer '_jumpBuf'. rtt_filter.cc 52 class VCMRttFilter { .... enum { kMaxDriftJumpCount = 5 }; .... int64_t _jumpBuf[kMaxDriftJumpCount]; int64_t _driftBuf[kMaxDriftJumpCount]; .... 
}; void VCMRttFilter::Reset() { _gotNonZeroUpdate = false; _avgRtt = 0; _varRtt = 0; _maxRtt = 0; _filtFactCount = 1; _jumpCount = 0; _driftCount = 0; memset(_jumpBuf, 0, kMaxDriftJumpCount); memset(_driftBuf, 0, kMaxDriftJumpCount); } #info Confusion between the number of elements in the array and the size of the buffer in bytes. Each array holds five int64_t values (40 bytes), but only kMaxDriftJumpCount = 5 bytes are zeroed, so most of each buffer keeps its stale values after Reset(). Use sizeof(_jumpBuf) / sizeof(_driftBuf) as the length argument. ----------------------------------------------------------------- -----------------------------------------------------------------