New Defects reported by Coverity Scan for LibreOffice
scan-admin at coverity.com
scan-admin at coverity.com
Mon Feb 21 10:44:29 UTC 2022
Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
243 new defect(s) introduced to LibreOffice found with Coverity Scan.
30 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 243 defect(s)
** CID 1500713: (USE_AFTER_FREE)
/cppu/source/uno/copy.hxx: 451 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
/cppu/source/uno/copy.hxx: 478 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
/cppu/source/uno/copy.hxx: 516 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
________________________________________________________________________________________________________
*** CID 1500713: (USE_AFTER_FREE)
/cppu/source/uno/copy.hxx: 523 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
517 mapping, reinterpret_cast<void **>(pElements) + nPos,
518 pSourceElements[nPos],
519 reinterpret_cast<typelib_InterfaceTypeDescription *>(
520 pElementTypeDescr) );
521 }
522 }
>>> CID 1500713: (USE_AFTER_FREE)
>>> Calling "TYPELIB_DANGER_RELEASE" dereferences freed pointer "pElementTypeDescr".
523 TYPELIB_DANGER_RELEASE( pElementTypeDescr );
524 }
525 break;
526 }
527 default:
528 OSL_FAIL( "### unexpected sequence element type!" );
/cppu/source/uno/copy.hxx: 451 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
445 }
446 case typelib_TypeClass_STRUCT:
447 case typelib_TypeClass_EXCEPTION:
448 {
449 typelib_TypeDescription * pElementTypeDescr = nullptr;
450 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>> CID 1500713: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "pElementTypeDescr".
451 sal_Int32 nElementSize = pElementTypeDescr->nSize;
452 char * pSourceElements = pSource->elements;
453 pDest = allocSeq( nElementSize, nElements );
454 if (pDest != nullptr)
455 {
456 char * pElements = pDest->elements;
/cppu/source/uno/copy.hxx: 478 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
472 // coverity[suspicious_sizeof] - sizeof(uno_Sequence*) is correct here
473 pDest = allocSeq( sizeof (uno_Sequence *), nElements );
474 if (pDest != nullptr)
475 {
476 typelib_TypeDescription * pElementTypeDescr = nullptr;
477 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>> CID 1500713: (USE_AFTER_FREE)
>>> Using freed pointer "pElementTypeDescr".
478 typelib_TypeDescriptionReference * pSeqElementType =
479 reinterpret_cast<typelib_IndirectTypeDescription *>(
480 pElementTypeDescr)->pType;
481
482 uno_Sequence ** pDestElements =
483 reinterpret_cast<uno_Sequence **>(pDest->elements);
/cppu/source/uno/copy.hxx: 516 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
510 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
511 for ( sal_Int32 nPos = nElements; nPos--; )
512 {
513 reinterpret_cast<void **>(pElements)[nPos] = nullptr;
514 if (pSourceElements[nPos])
515 {
>>> CID 1500713: (USE_AFTER_FREE)
>>> Passing freed pointer "pElementTypeDescr" as an argument to "*mapping->mapInterface".
516 (*mapping->mapInterface)(
517 mapping, reinterpret_cast<void **>(pElements) + nPos,
518 pSourceElements[nPos],
519 reinterpret_cast<typelib_InterfaceTypeDescription *>(
520 pElementTypeDescr) );
521 }
** CID 1500712: Null pointer dereferences (FORWARD_NULL)
/slideshow/source/engine/smilfunctionparser.cxx: 317 in slideshow::internal::<unnamed>::BinaryFunctionFunctor<std::shared_ptr<slideshow::internal::ExpressionNode> (*)(const std::shared_ptr<slideshow::internal::ExpressionNode> &, const std::shared_ptr<slideshow::internal::ExpressionNode> &)>::operator ()(const char *, const char *) const()
________________________________________________________________________________________________________
*** CID 1500712: Null pointer dereferences (FORWARD_NULL)
/slideshow/source/engine/smilfunctionparser.cxx: 317 in slideshow::internal::<unnamed>::BinaryFunctionFunctor<std::shared_ptr<slideshow::internal::ExpressionNode> (*)(const std::shared_ptr<slideshow::internal::ExpressionNode> &, const std::shared_ptr<slideshow::internal::ExpressionNode> &)>::operator ()(const char *, const char *) const()
311 rNodeStack.pop();
312
313 // create combined ExpressionNode
314 std::shared_ptr<ExpressionNode> pNode( maGenerator( pFirstArg,
315 pSecondArg ) );
316 // check for constness
>>> CID 1500712: Null pointer dereferences (FORWARD_NULL)
>>> Attempting to access the managed object of an empty smart pointer "pFirstArg".
317 if( pFirstArg->isConstant() &&
318 pSecondArg->isConstant() )
319 {
320 // call the operator() at pNode, store result
321 // in constant value ExpressionNode.
322 rNodeStack.push(
** CID 1500711: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1500711: Null pointer dereferences (FORWARD_NULL)
/sw/source/ui/misc/insfnote.cxx: 181 in SwInsFootNoteDlg::~SwInsFootNoteDlg()()
175 m_xNextBT->show();
176 }
177 }
178
179 SwInsFootNoteDlg::~SwInsFootNoteDlg() COVERITY_NOEXCEPT_FALSE
180 {
>>> CID 1500711: Null pointer dereferences (FORWARD_NULL)
>>> Passing "std::shared_ptr<weld::Window> const(std::nullptr_t())" to "SetCareDialog", which dereferences null "std::shared_ptr<weld::Window> const(std::nullptr_t())".
181 SwViewShell::SetCareDialog(nullptr);
182
183 if (m_bEdit)
184 m_rSh.ResetSelect(nullptr, false);
185 }
186
** CID 1500710: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1500710: (TAINTED_SCALAR)
/filter/source/xmlfilterdetect/filterdetect.cxx: 168 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
162 catch (...) {}
163
164 if (!IsMediaTypeXML(sMediaType))
165 {
166 // This is not an XML stream. It makes no sense to try to detect
167 // a non-XML file type here.
>>> CID 1500710: (TAINTED_SCALAR)
>>> Passing tainted expression "resultString.pData" to "~OUString", which uses it as a loop boundary.
168 return OUString();
169 }
170 }
171
172 // test typedetect code
173 Reference <XNameAccess> xTypeCont(mxCtx->getServiceManager()->createInstanceWithContext("com.sun.star.document.TypeDetection", mxCtx), UNO_QUERY);
/filter/source/xmlfilterdetect/filterdetect.cxx: 144 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
138 OString const str(read_uInt8s_ToOString(*pInStream, nSize));
139 resultString = OUString(str.getStr(), str.getLength(),
140 RTL_TEXTENCODING_ASCII_US,
141 RTL_TEXTTOUNICODE_FLAGS_UNDEFINED_DEFAULT|RTL_TEXTTOUNICODE_FLAGS_MBUNDEFINED_DEFAULT|RTL_TEXTTOUNICODE_FLAGS_INVALID_DEFAULT);
142 }
143 else if ( nUniPos == 2 || bTryUtf16 ) // UTF-16
>>> CID 1500710: (TAINTED_SCALAR)
>>> Passing tainted expression "<temporary>.pData" to "~OUString", which uses it as a loop boundary.
144 resultString = read_uInt16s_ToOUString( *pInStream, nSize );
145
146 if ( !resultString.startsWith( "<?xml" ) )
147 {
148 // Check the content type; XML declaration is optional in XML files according to XML 1.0 ch.2.8
149 // (see https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCyxjtZGADNAMi9AssFYdP8g2ffr-2FKXDwTbEJqt33OI0hHJdDg6qfWuzr-2FcQMavxTWarG1L2eFiZ83aW0u4GPos3c-3D85Uk_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJi-2FDITY-2FO94d2hHUHNOYWNuZVnUMbUvRGUdhO6WcpV2Kab9eGYz7x9i6rZD8ulQepE19aOOXEU-2F0qlllOlvxVGswh2TTe-2FzwWFWIQk4ZsV-2FKmRVkEYrRw3WrrpNraVFWwbPGFzYFaHO3v1Ipm1cukrqJGUpKVG0ug2pucjcn0qXB0-3D
/filter/source/xmlfilterdetect/filterdetect.cxx: 213 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
207 aArguments.realloc(nLength+1);
208 aArguments.getArray()[location].Name = "TypeName";
209 }
210 aArguments.getArray()[location].Value <<=sTypeName;
211 }
212
>>> CID 1500710: (TAINTED_SCALAR)
>>> Passing tainted expression "resultString.pData" to "~OUString", which uses it as a loop boundary.
213 return sTypeName;
214 }
215
216 // XInitialization
217 void SAL_CALL FilterDetect::initialize( const Sequence< Any >& /*aArguments*/ )
218 {
** CID 1500709: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1500709: Insecure data handling (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8toolbar.cxx: 615 in Xst::Read(SvStream &)()
609
610 bool
611 Xst::Read( SvStream& rS )
612 {
613 SAL_INFO("sw.ww8","Xst::Read() stream pos 0x" << std::hex << rS.Tell() );
614 nOffSet = rS.Tell();
>>> CID 1500709: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "<temporary>.pData" to "~OUString", which uses it as a loop boundary.
615 sString = read_uInt16_PascalString(rS);
616 return rS.good();
617 }
618
619 Tcg::Tcg() : nTcgVer( -1 )
620 {
** CID 1500708: (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1500708: (FORWARD_NULL)
/sw/source/uibase/app/swmodul1.cxx: 292 in SwModule::ApplyUserCharUnit(bool, bool)()
286 else
287 {
288 if(!m_pUsrPref)
289 GetUsrPref(false);
290 pPref = m_pUsrPref.get();
291 }
>>> CID 1500708: (FORWARD_NULL)
>>> Passing null pointer "pPref" to "IsApplyCharUnit", which dereferences it.
292 bool bOldApplyCharUnit = pPref->IsApplyCharUnit();
293 bool bHasChanged = false;
294 if(bOldApplyCharUnit != bApplyChar)
295 {
296 pPref->SetApplyCharUnit(bApplyChar);
297 bHasChanged = true;
/sw/source/uibase/app/swmodul1.cxx: 292 in SwModule::ApplyUserCharUnit(bool, bool)()
286 else
287 {
288 if(!m_pUsrPref)
289 GetUsrPref(false);
290 pPref = m_pUsrPref.get();
291 }
>>> CID 1500708: (FORWARD_NULL)
>>> Passing null pointer "pPref" to "IsApplyCharUnit", which dereferences it.
292 bool bOldApplyCharUnit = pPref->IsApplyCharUnit();
293 bool bHasChanged = false;
294 if(bOldApplyCharUnit != bApplyChar)
295 {
296 pPref->SetApplyCharUnit(bApplyChar);
297 bHasChanged = true;
** CID 1500707: Null pointer dereferences (REVERSE_INULL)
/sfx2/source/doc/docinsert.cxx: 133 in sfx2::DocumentInserter::CreateMedium(const char *)()
________________________________________________________________________________________________________
*** CID 1500707: Null pointer dereferences (REVERSE_INULL)
/sfx2/source/doc/docinsert.cxx: 133 in sfx2::DocumentInserter::CreateMedium(const char *)()
127 }
128 if ( nError == ERRCODE_NONE && pFilter )
129 pMedium->SetFilter( pFilter );
130 else
131 pMedium.reset();
132
>>> CID 1500707: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pMedium" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
133 if ( pMedium && CheckPasswd_Impl( nullptr, pMedium.get() ) == ERRCODE_ABORT )
134 pMedium.reset();
135 }
136
137 return pMedium;
138 }
** CID 1500706: Uninitialized members (UNINIT_CTOR)
/sc/source/ui/Accessibility/AccessibleDocument.cxx: 321 in ScChildrenShapes::ScChildrenShapes(ScAccessibleDocument *, ScTabViewShell *, ScSplitPos)()
________________________________________________________________________________________________________
*** CID 1500706: Uninitialized members (UNINIT_CTOR)
/sc/source/ui/Accessibility/AccessibleDocument.cxx: 321 in ScChildrenShapes::ScChildrenShapes(ScAccessibleDocument *, ScTabViewShell *, ScSplitPos)()
315
316 uno::Reference<drawing::XShapes> xShapes(mpViewShell->getSelectedXShapes());
317 if (xShapes.is())
318 FindSelectedShapesChanges(xShapes);
319 }
320 if (!pViewShell)
>>> CID 1500706: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "mnSdrObjCount" is not initialized in this constructor nor in any functions that it calls.
321 return;
322
323 ScViewData& rViewData = pViewShell->GetViewData();
324 SfxBroadcaster* pDrawBC = rViewData.GetDocument().GetDrawBroadcaster();
325 if (pDrawBC)
326 {
** CID 1500705: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1500705: (TAINTED_SCALAR)
/filter/source/msfilter/svdfppt.cxx: 2429 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2423 OUString aSuf = read_uInt16s_ToOUString(rSt, n);
2424 sal_Int32 nV = aSuf.toInt32();
2425 if ( ( nV == nVersion ) && ( aPre == "___PPT" ) )
2426 {
2427 if (!rContentHd.SeekToEndOfRecord(rSt))
2428 {
>>> CID 1500705: (TAINTED_SCALAR)
>>> Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2429 break;
2430 }
2431 ReadDffRecordHeader( rSt, rContentHd );
2432 if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433 {
2434 bRetValue = true;
/filter/source/msfilter/svdfppt.cxx: 2438 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2432 if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433 {
2434 bRetValue = true;
2435 break;
2436 }
2437 }
>>> CID 1500705: (TAINTED_SCALAR)
>>> Passing tainted expression "aPre.pData" to "~OUString", which uses it as a loop boundary.
2438 }
2439 }
2440 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))
2441 break;
2442 }
2443 }
/filter/source/msfilter/svdfppt.cxx: 2438 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2432 if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433 {
2434 bRetValue = true;
2435 break;
2436 }
2437 }
>>> CID 1500705: (TAINTED_SCALAR)
>>> Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2438 }
2439 }
2440 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))
2441 break;
2442 }
2443 }
/filter/source/msfilter/svdfppt.cxx: 2429 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2423 OUString aSuf = read_uInt16s_ToOUString(rSt, n);
2424 sal_Int32 nV = aSuf.toInt32();
2425 if ( ( nV == nVersion ) && ( aPre == "___PPT" ) )
2426 {
2427 if (!rContentHd.SeekToEndOfRecord(rSt))
2428 {
>>> CID 1500705: (TAINTED_SCALAR)
>>> Passing tainted expression "aPre.pData" to "~OUString", which uses it as a loop boundary.
2429 break;
2430 }
2431 ReadDffRecordHeader( rSt, rContentHd );
2432 if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433 {
2434 bRetValue = true;
/filter/source/msfilter/svdfppt.cxx: 2435 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2429 break;
2430 }
2431 ReadDffRecordHeader( rSt, rContentHd );
2432 if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433 {
2434 bRetValue = true;
>>> CID 1500705: (TAINTED_SCALAR)
>>> Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2435 break;
2436 }
2437 }
2438 }
2439 }
2440 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))
** CID 1500704: Resource leaks (RESOURCE_LEAK)
/editeng/source/editeng/editdoc.cxx: 2098 in EditDoc::Release(int)()
________________________________________________________________________________________________________
*** CID 1500704: Resource leaks (RESOURCE_LEAK)
/editeng/source/editeng/editdoc.cxx: 2098 in EditDoc::Release(int)()
2092 {
2093 if (nPos < 0 || nPos >= static_cast<sal_Int32>(maContents.size()))
2094 {
2095 SAL_WARN( "editeng", "EditDoc::Release - out of bounds pos " << nPos);
2096 return;
2097 }
>>> CID 1500704: Resource leaks (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "this->maContents[nPos]->release()" leaks it.
2098 (void)maContents[nPos].release();
2099 maContents.erase(maContents.begin() + nPos);
2100 }
2101
2102 sal_Int32 EditDoc::Count() const
2103 {
** CID 1500703: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1500703: Insecure data handling (TAINTED_SCALAR)
/svtools/source/misc/templatefoldercache.cxx: 672 in svt::TemplateFolderCacheImpl::readPreviousState()()
666 m_aPreviousState.reserve( nRootDirectories );
667 while ( nRootDirectories-- )
668 {
669 OUString sURL = m_pCacheStream->ReadUniOrByteString(m_pCacheStream->GetStreamCharSet());
670 // #116281# Keep office installation relocatable. Never store
671 // any direct references to office installation directory.
>>> CID 1500703: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "sURL.pData" to "operator =", which uses it as a loop boundary.
672 sURL = getOfficeInstDirs()->makeAbsoluteURL( sURL );
673 m_aPreviousState.push_back(
674 new TemplateContent( INetURLObject(sURL) ) );
675 }
676
677 // read the contents of the root folders
** CID 1500702: Null pointer dereferences (REVERSE_INULL)
/dbaccess/source/ui/dlg/tablespage.cxx: 379 in dbaui::OTableSubscriptionPage::collectDetailedSelection() const()
________________________________________________________________________________________________________
*** CID 1500702: Null pointer dereferences (REVERSE_INULL)
/dbaccess/source/ui/dlg/tablespage.cxx: 379 in dbaui::OTableSubscriptionPage::collectDetailedSelection() const()
373 if (xAllObjectsEntry->equal(*xCatalog))
374 {
375 // do not want to have the root entry
376 xCatalog.reset();
377 }
378
>>> CID 1500702: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "xCatalog" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
379 if (xCatalog)
380 { // it's a real catalog entry, not the "all objects" root
381 bCatalogWildcard = m_xTablesList->isWildcardChecked(*xCatalog);
382 if (m_bCatalogAtStart)
383 {
384 sComposedName.append(m_xTablesList->GetWidget().get_text(*xCatalog) + m_sCatalogSeparator);
** CID 1500701: Null pointer dereferences (FORWARD_NULL)
/connectivity/source/drivers/hsqldb/HStorageAccess.cxx: 362 in Java_com_sun_star_sdbcx_comp_hsqldb_NativeStorageAccess_seek()
________________________________________________________________________________________________________
*** CID 1500701: Null pointer dereferences (FORWARD_NULL)
/connectivity/source/drivers/hsqldb/HStorageAccess.cxx: 362 in Java_com_sun_star_sdbcx_comp_hsqldb_NativeStorageAccess_seek()
356 {
357 static const ::sal_Int64 BUFFER_SIZE = 9192;
358 #ifdef HSQLDB_DBG
359 aDataLog.seek( nLen );
360 #endif
361 xSeek->seek(nLen);
>>> CID 1500701: Null pointer dereferences (FORWARD_NULL)
>>> Attempting to access the managed object of an empty smart pointer "pHelper".
362 Reference< XOutputStream> xOut = pHelper->getOutputStream();
363 OSL_ENSURE(xOut.is(),"No output stream!");
364
365 ::sal_Int64 diff = position - nLen;
366 sal_Int32 n;
367 while( diff != 0 )
** CID 1500700: Resource leaks (RESOURCE_LEAK)
/registry/source/regimpl.cxx: 700 in ORegistry::openKey(void *, std::basic_string_view<char16_t, std::char_traits<char16_t>>, void **)()
________________________________________________________________________________________________________
*** CID 1500700: Resource leaks (RESOURCE_LEAK)
/registry/source/regimpl.cxx: 700 in ORegistry::openKey(void *, std::basic_string_view<char16_t, std::char_traits<char16_t>>, void **)()
694 default:
695 break;
696 }
697
698 std::unique_ptr< ORegKey > p(new ORegKey(path, this));
699 i = m_openKeyTable.insert(std::make_pair(path, p.get())).first;
>>> CID 1500700: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "p.release()" leaks it.
700 p.release();
701 } else {
702 i->second->acquire();
703 }
704 *phOpenKey = i->second;
705 return RegError::NO_ERROR;
** CID 1500699: Memory - illegal accesses (USE_AFTER_FREE)
/binaryurp/source/incomingrequest.cxx: 231 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny *, std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>> *) const()
________________________________________________________________________________________________________
*** CID 1500699: Memory - illegal accesses (USE_AFTER_FREE)
/binaryurp/source/incomingrequest.cxx: 231 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny *, std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>> *) const()
225 default:
226 assert(false); // this cannot happen
227 break;
228 }
229 size_t nSize = 0;
230 if (retType.is())
>>> CID 1500699: Memory - illegal accesses (USE_AFTER_FREE)
>>> Dereferencing freed pointer "retType.get()".
231 nSize = size_t_round(retType.get()->nSize);
232 std::vector< char > retBuf(nSize);
233 uno_Any exc;
234 uno_Any * pexc = &exc;
235 (*object_.get()->pDispatcher)(
236 object_.get(), member_.get(), retBuf.empty() ? nullptr : retBuf.data(),
** CID 1500698: (UNINIT)
________________________________________________________________________________________________________
*** CID 1500698: (UNINIT)
/sc/source/ui/view/dbfunc3.cxx: 1083 in ScDBFunc::DateGroupDataPilot(const ScDPNumGroupInfo &, int)()
1077 ScDBDocFunc aFunc( *GetViewData().GetDocShell() );
1078 pDPObj->SetSaveData( aData );
1079 aFunc.RefreshPivotTableGroups(pDPObj);
1080
1081 // unmark cell selection
1082 Unmark();
>>> CID 1500698: (UNINIT)
>>> Using uninitialized value "aData.mpGrandTotalName._M_payload._M_payload" when calling "~ScDPSaveData".
1083 }
1084
1085 void ScDBFunc::NumGroupDataPilot( const ScDPNumGroupInfo& rInfo )
1086 {
1087 ScDPObject* pDPObj = GetViewData().GetDocument().GetDPAtCursor( GetViewData().GetCurX(),
1088 GetViewData().GetCurY(), GetViewData().GetTabNo() );
/sc/source/ui/view/dbfunc3.cxx: 1078 in ScDBFunc::DateGroupDataPilot(const ScDPNumGroupInfo &, int)()
1072 nMask *= 2;
1073 }
1074 }
1075
1076 // apply changes
1077 ScDBDocFunc aFunc( *GetViewData().GetDocShell() );
>>> CID 1500698: (UNINIT)
>>> Using uninitialized value "aData.mpGrandTotalName". Field "aData.mpGrandTotalName._M_payload._M_payload" is uninitialized when calling "SetSaveData".
1078 pDPObj->SetSaveData( aData );
1079 aFunc.RefreshPivotTableGroups(pDPObj);
1080
1081 // unmark cell selection
1082 Unmark();
1083 }
** CID 1500697: (USE_AFTER_FREE)
/cppu/source/uno/eq.hxx: 571 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()
________________________________________________________________________________________________________
*** CID 1500697: (USE_AFTER_FREE)
/cppu/source/uno/eq.hxx: 571 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()
565 reinterpret_cast<typelib_IndirectTypeDescription *>(pDestTypeDescr)->pType,
566 queryInterface, release );
567 }
568 else
569 {
570 TYPELIB_DANGER_GET( &pDestTypeDescr, pDestType );
>>> CID 1500697: (USE_AFTER_FREE)
>>> Using freed pointer "pDestTypeDescr".
571 bool bRet = _equalSequence(
572 *static_cast<uno_Sequence **>(pDest), *static_cast<uno_Sequence **>(pSource),
573 reinterpret_cast<typelib_IndirectTypeDescription *>(pDestTypeDescr)->pType,
574 queryInterface, release );
575 TYPELIB_DANGER_RELEASE( pDestTypeDescr );
576 return bRet;
/cppu/source/uno/eq.hxx: 551 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()
545 reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr),
546 queryInterface, release );
547 }
548 else
549 {
550 TYPELIB_DANGER_GET( &pDestTypeDescr, pDestType );
>>> CID 1500697: (USE_AFTER_FREE)
>>> Calling "_equalStruct" dereferences freed pointer "reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr)".
551 bool bRet = _equalStruct(
552 pDest, pSource,
553 reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr),
554 queryInterface, release );
555 TYPELIB_DANGER_RELEASE( pDestTypeDescr );
556 return bRet;
** CID 1500696: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1500696: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/destr.hxx: 117 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
111 break;
112 case typelib_TypeClass_STRUCT:
113 case typelib_TypeClass_EXCEPTION:
114 {
115 typelib_TypeDescription * pTypeDescr = nullptr;
116 TYPELIB_DANGER_GET( &pTypeDescr, pType );
>>> CID 1500696: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "_destructStruct" dereferences freed pointer "reinterpret_cast<typelib_CompoundTypeDescription *>(pTypeDescr)".
117 _destructStruct( pAny->pData, reinterpret_cast<typelib_CompoundTypeDescription *>(pTypeDescr), release );
118 TYPELIB_DANGER_RELEASE( pTypeDescr );
119 std::free( pAny->pData );
120 break;
121 }
122 case typelib_TypeClass_SEQUENCE:
** CID 1500695: Resource leaks (RESOURCE_LEAK)
/svx/source/svdraw/svdundo.cxx: 1303 in SdrUndoDelLayer::Redo()()
________________________________________________________________________________________________________
*** CID 1500695: Resource leaks (RESOURCE_LEAK)
/svx/source/svdraw/svdundo.cxx: 1303 in SdrUndoDelLayer::Redo()()
1297 void SdrUndoDelLayer::Redo()
1298 {
1299 DBG_ASSERT(!bItsMine,"SdrUndoDelLayer::Undo(): Layer already belongs to UndoAction.");
1300 bItsMine=true;
1301 SdrLayer* pCmpLayer= pLayerAdmin->RemoveLayer(nNum).release();
1302 DBG_ASSERT(pCmpLayer==pLayer,"SdrUndoDelLayer::Redo(): Removed layer is != pLayer.");
>>> CID 1500695: Resource leaks (RESOURCE_LEAK)
>>> Variable "pCmpLayer" going out of scope leaks the storage it points to.
1303 }
1304
1305 OUString SdrUndoDelLayer::GetComment() const
1306 {
1307 return SvxResId(STR_UndoDelLayer);
1308 }
** CID 1500694: (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 474 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
/cppu/source/uno/sequence.cxx: 525 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
________________________________________________________________________________________________________
*** CID 1500694: (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 474 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
468 }
469 case typelib_TypeClass_STRUCT:
470 case typelib_TypeClass_EXCEPTION:
471 {
472 typelib_TypeDescription * pElementTypeDescr = nullptr;
473 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>> CID 1500694: (USE_AFTER_FREE)
>>> Dereferencing freed pointer "pElementTypeDescr".
474 sal_Int32 nElementSize = pElementTypeDescr->nSize;
475
476 pSeq = reallocSeq( pSeq, nElementSize, nAlloc );
477 if (pSeq != nullptr)
478 {
479 char * pDestElements = pSeq->elements;
/cppu/source/uno/sequence.cxx: 525 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
519 // coverity[suspicious_sizeof : FALSE] - sizeof(uno_Sequence*) is correct here
520 pSeq = reallocSeq(pSeq, sizeof(uno_Sequence*), nAlloc);
521 if (pSeq != nullptr)
522 {
523 typelib_TypeDescription * pElementTypeDescr = nullptr;
524 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>> CID 1500694: (USE_AFTER_FREE)
>>> Using freed pointer "pElementTypeDescr".
525 typelib_TypeDescriptionReference * pSeqElementType =
526 reinterpret_cast<typelib_IndirectTypeDescription *>(pElementTypeDescr)->pType;
527 uno_Sequence ** pDestElements = reinterpret_cast<uno_Sequence **>(pSeq->elements);
528 for ( sal_Int32 nPos = 0; nPos < nStopIndex; ++nPos )
529 {
530 uno_Sequence * pNew = icopyConstructSequence(
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypSs1kiFPuCn2xFdlMIFBirii0zZ9j2-2F9F2XPBcBm2BNgi9duPy3v-2FzgFDd2LJ-2BDKI-3Dl5we_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJi-2FDITY-2FO94d2hHUHNOYWNuUirFwUaO10LjYYZ39T3pn8KXmdukoQhEum1Ckke9-2FsylJmhB3fDRW-2FqPTPmsFpD24NBugIdG1S0fhh10GGzy8hMeLdIMqWwAoO4biEkVMaLmRV0GRnqqQAwpLzROe0sRUljIvSf915YbR5R5e84Raw-3D
More information about the LibreOffice
mailing list