New Defects reported by Coverity Scan for LibreOffice
scan-admin at coverity.com
scan-admin at coverity.com
Sun Feb 14 02:34:13 UTC 2016
Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
80 new defect(s) introduced to LibreOffice found with Coverity Scan.
29 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 80 defect(s)
** CID 1352490: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352490: Memory - corruptions (USE_AFTER_FREE)
/sc/source/ui/sidebar/CellBorderUpdater.cxx: 119 in sc::sidebar::CellBorderUpdater::UpdateCellBorder(bool, bool, bool, bool, Image, bool, bool)()
113 else if( aBmpEx.IsTransparent() )
114 aBmpEx = BitmapEx( aBmp, aMsk );
115 else
116 aBmpEx = aBmp;
117
118 mrTbx.SetItemImage( mnBtnId, Image( aBmpEx ) );
>>> CID 1352490: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aMsk.mpImpBmp" which has already been freed.
119 }
120 }
121
122 } } // end of namespace svx::sidebar
123
** CID 1352489: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352489: Memory - corruptions (USE_AFTER_FREE)
/drawinglayer/source/tools/converters.cxx: 150 in drawinglayer::tools::convertToBitmapEx(const drawinglayer::primitive2d::Primitive2DContainer &, const drawinglayer::geometry::ViewInformation2D &, unsigned int, unsigned int, unsigned int)()
144 {
145 SvFileStream aNew(OUString("c:\\test_combined.png"), StreamMode::WRITE|StreamMode::TRUNC);
146 vcl::PNGWriter aPNGWriter(aRetval);
147 aPNGWriter.Write(aNew);
148 }
149 #endif
>>> CID 1352489: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlpha.mpImpBmp" which has already been freed.
150 }
151 }
152
153 return aRetval;
154 }
155
156 } // end of namespace tools
157 } // end of namespace drawinglayer
158
** CID 1352488: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352488: Memory - corruptions (USE_AFTER_FREE)
/canvas/source/vcl/canvasbitmaphelper.cxx: 483 in vclcanvas::CanvasBitmapHelper::setPixel(const com::sun::star::uno::Sequence<signed char> &, const com::sun::star::rendering::IntegerBitmapLayout &, const com::sun::star::geometry::IntegerPoint2D &)()
477 if( aAlpha.IsEmpty() )
478 setBitmap( BitmapEx( aBitmap ) );
479 else
480 setBitmap( BitmapEx( aBitmap,
481 AlphaMask( aAlpha ) ) );
482 }
>>> CID 1352488: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlpha.mpImpBmp" which has already been freed.
483 }
484
485 uno::Sequence< sal_Int8 > CanvasBitmapHelper::getPixel( rendering::IntegerBitmapLayout& rLayout,
486 const geometry::IntegerPoint2D& pos )
487 {
488 SAL_INFO( "canvas.vcl", "::vclcanvas::CanvasBitmapHelper::getPixel()" );
** CID 1352487: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352487: Memory - corruptions (USE_AFTER_FREE)
/canvas/source/vcl/canvasbitmaphelper.cxx: 418 in vclcanvas::CanvasBitmapHelper::setData(const com::sun::star::uno::Sequence<signed char> &, const com::sun::star::rendering::IntegerBitmapLayout &, const com::sun::star::geometry::IntegerRectangle2D &)()
412 if( aAlpha.IsEmpty() )
413 setBitmap( BitmapEx( aBitmap ) );
414 else
415 setBitmap( BitmapEx( aBitmap,
416 AlphaMask( aAlpha ) ) );
417 }
>>> CID 1352487: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlpha.mpImpBmp" which has already been freed.
418 }
419
420 void CanvasBitmapHelper::setPixel( const uno::Sequence< sal_Int8 >& color,
421 const rendering::IntegerBitmapLayout& rLayout,
422 const geometry::IntegerPoint2D& pos )
423 {
** CID 1352486: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352486: Memory - corruptions (USE_AFTER_FREE)
/canvas/source/vcl/impltools.cxx: 504 in vclcanvas::tools::transformBitmap(const BitmapEx &, const basegfx::B2DHomMatrix &, const com::sun::star::uno::Sequence<double> &, vclcanvas::tools::ModulationMode)()
498 ENSURE_OR_THROW( false,
499 "transformBitmap(): could not access bitmap" );
500 }
501 }
502
503 if( bCopyBack )
>>> CID 1352486: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aDstAlpha.mpImpBmp" which has already been freed.
504 return BitmapEx( aDstBitmap, AlphaMask( aDstAlpha ) );
505 else
506 return BitmapEx();
507 }
508 }
509 }
510
** CID 1352485: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352485: Memory - corruptions (USE_AFTER_FREE)
/vcl/source/gdi/bitmapex.cxx: 537 in BitmapEx::CopyPixel(const Rectangle &, const Rectangle &, const BitmapEx*)()
531 // cast to use the optimized AlphaMask::CopyPixel
532 aMask.CopyPixel_AlphaOptimized( rRectDst, rRectSrc, &pBmpExSrc->aMask );
533 else if( IsTransparent() )
534 {
535 AlphaMask* pAlpha = new AlphaMask( aMask );
536
>>> CID 1352485: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "operator =" frees pointer "this->aMask.mpImpBmp" which has already been freed.
537 aMask = pAlpha->ImplGetBitmap();
538 delete pAlpha;
539 bAlpha = true;
540 aMask.CopyPixel( rRectDst, rRectSrc, &pBmpExSrc->aMask );
541 }
542 else
** CID 1352484: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352484: Memory - corruptions (USE_AFTER_FREE)
/vcl/source/filter/wmf/winmtf.cxx: 1606 in WinMtfOutput::ImplDrawBitmap(const Point &, const Size &, const BitmapEx &)()
1600 else
1601 {
1602 // no mask yet, create and add new mask. For better quality, use Alpha,
1603 // this allws the drawn mask being processed with AnitAliasing (AAed)
1604 aBmpEx = BitmapEx(rBitmap.GetBitmap(), aVDevMask);
1605 }
>>> CID 1352484: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aVDevMask.mpImpBmp" which has already been freed.
1606 }
1607
1608 if ( aBmpEx.IsTransparent() )
1609 mpGDIMetaFile->AddAction( new MetaBmpExScaleAction( rPos, rSize, aBmpEx ) );
1610 else
1611 mpGDIMetaFile->AddAction( new MetaBmpScaleAction( rPos, rSize, aBmpEx.GetBitmap() ) );
** CID 1352483: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352483: Memory - corruptions (USE_AFTER_FREE)
/vcl/source/gdi/bitmapex.cxx: 907 in BitmapEx::TransformBitmapEx(double, double, const basegfx::B2DHomMatrix &, bool) const()
901 // create mask
902 if(IsTransparent())
903 {
904 if(IsAlpha())
905 {
906 const Bitmap aAlpha(impTransformBitmap(GetAlpha().GetBitmap(), aDestinationSize, rTransformation, bSmooth));
>>> CID 1352483: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlpha.mpImpBmp" which has already been freed.
907 return BitmapEx(aDestination, AlphaMask(aAlpha));
908 }
909 else
910 {
911 const Bitmap aLclMask(impTransformBitmap(GetMask(), aDestinationSize, rTransformation, false));
912 return BitmapEx(aDestination, aLclMask);
** CID 1352482: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352482: Memory - corruptions (USE_AFTER_FREE)
/vcl/source/helper/canvastools.cxx: 317 in vcl::unotools::bitmapExFromXBitmap(const com::sun::star::uno::Reference<com::sun::star::rendering::XIntegerReadOnlyBitmap> &)()
311 if( !readBmp(nWidth,nHeight,aLayout,xInputBitmap,
312 pWriteAccess,pAlphaWriteAccess) )
313 continue;
314 } // limit scoped access
315
316 if( nAlphaDepth )
>>> CID 1352482: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlpha.mpImpBmp" which has already been freed.
317 return ::BitmapEx( aBitmap,
318 AlphaMask( aAlpha ) );
319 else
320 return ::BitmapEx( aBitmap );
321 }
322
** CID 1352481: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1352481: Memory - corruptions (USE_AFTER_FREE)
/vcl/source/outdev/bitmap.cxx: 487 in OutputDevice::GetBitmapEx(const Point &, const Size &) const()
481 Bitmap aAlphaBitmap( mpAlphaVDev->GetBitmap( rSrcPt, rSize ) );
482
483 // ensure 8 bit alpha
484 if( aAlphaBitmap.GetBitCount() > 8 )
485 aAlphaBitmap.Convert( BMP_CONVERSION_8BIT_GREYS );
486
>>> CID 1352481: Memory - corruptions (USE_AFTER_FREE)
>>> Calling "~Bitmap" frees pointer "aAlphaBitmap.mpImpBmp" which has already been freed.
487 return BitmapEx(GetBitmap( rSrcPt, rSize ), AlphaMask( aAlphaBitmap ) );
488 }
489 else
490 return GetBitmap( rSrcPt, rSize );
491 }
492
** CID 1352480: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/vcl/opengl/gdiimpl.cxx: 1079 in OpenGLSalGraphicsImpl::DrawTransformedTexture(OpenGLTexture &, OpenGLTexture &, const basegfx::B2DPoint &, const basegfx::B2DPoint &, const basegfx::B2DPoint &)()
________________________________________________________________________________________________________
*** CID 1352480: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/vcl/opengl/gdiimpl.cxx: 1079 in OpenGLSalGraphicsImpl::DrawTransformedTexture(OpenGLTexture &, OpenGLTexture &, const basegfx::B2DPoint &, const basegfx::B2DPoint &, const basegfx::B2DPoint &)()
1073 const long nDestHeight = basegfx::fround(basegfx::B2DVector(rY - rNull).getLength());
1074
1075 // Invisibly small images shouldn't divide by zero.
1076 if( nDestHeight == 0 || nDestWidth == 0 )
1077 return;
1078
>>> CID 1352480: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
>>> Dividing integer expressions "rTexture->GetWidth()" and "nDestWidth", and then converting the integer quotient to type "double". Any remainder, or fractional part of the quotient, is ignored.
1079 const double ixscale = rTexture.GetWidth() / nDestWidth;
1080 const double iyscale = rTexture.GetHeight() / nDestHeight;
1081
1082 bool areaScaling = false;
1083 bool fastAreaScaling = false;
1084 OUString textureFragmentShader;
** CID 1352479: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/vcl/opengl/gdiimpl.cxx: 1080 in OpenGLSalGraphicsImpl::DrawTransformedTexture(OpenGLTexture &, OpenGLTexture &, const basegfx::B2DPoint &, const basegfx::B2DPoint &, const basegfx::B2DPoint &)()
________________________________________________________________________________________________________
*** CID 1352479: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/vcl/opengl/gdiimpl.cxx: 1080 in OpenGLSalGraphicsImpl::DrawTransformedTexture(OpenGLTexture &, OpenGLTexture &, const basegfx::B2DPoint &, const basegfx::B2DPoint &, const basegfx::B2DPoint &)()
1074
1075 // Invisibly small images shouldn't divide by zero.
1076 if( nDestHeight == 0 || nDestWidth == 0 )
1077 return;
1078
1079 const double ixscale = rTexture.GetWidth() / nDestWidth;
>>> CID 1352479: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
>>> Dividing integer expressions "rTexture->GetHeight()" and "nDestHeight", and then converting the integer quotient to type "double". Any remainder, or fractional part of the quotient, is ignored.
1080 const double iyscale = rTexture.GetHeight() / nDestHeight;
1081
1082 bool areaScaling = false;
1083 bool fastAreaScaling = false;
1084 OUString textureFragmentShader;
1085 if( ixscale >= 2 && iyscale >= 2 ) // Downscaling to 50% or less? (inverted scale ratios)
** CID 1352453: (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbaformat.cxx: 792 in ScVbaFormat<ooo::vba::excel::XStyle>::getCurrentDataSet()()
/sc/source/ui/vba/vbaformat.cxx: 792 in ScVbaFormat<ooo::vba::excel::XRange>::getCurrentDataSet()()
________________________________________________________________________________________________________
*** CID 1352453: (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbaformat.cxx: 792 in ScVbaFormat<ooo::vba::excel::XStyle>::getCurrentDataSet()()
786 {
787 return ScCellRangesBase::getImplementation( mxPropertySet );
788 }
789
790 template< typename... Ifc >
791 SfxItemSet*
>>> CID 1352453: (UNCAUGHT_EXCEPT)
>>> An exception of type "mdds::general_error" is thrown but the throw list "throw(com::sun::star::uno::RuntimeException)" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
792 ScVbaFormat< Ifc... >::getCurrentDataSet( ) throw ( uno::RuntimeException )
793 {
794 SfxItemSet* pDataSet = excel::ScVbaCellRangeAccess::GetDataSet( getCellRangesBase() );
795 if ( !pDataSet )
796 throw uno::RuntimeException("Can't access Itemset for XPropertySet" );
797 return pDataSet;
/sc/source/ui/vba/vbaformat.cxx: 792 in ScVbaFormat<ooo::vba::excel::XRange>::getCurrentDataSet()()
786 {
787 return ScCellRangesBase::getImplementation( mxPropertySet );
788 }
789
790 template< typename... Ifc >
791 SfxItemSet*
>>> CID 1352453: (UNCAUGHT_EXCEPT)
>>> An exception of type "mdds::general_error" is thrown but the throw list "throw(com::sun::star::uno::RuntimeException)" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
792 ScVbaFormat< Ifc... >::getCurrentDataSet( ) throw ( uno::RuntimeException )
793 {
794 SfxItemSet* pDataSet = excel::ScVbaCellRangeAccess::GetDataSet( getCellRangesBase() );
795 if ( !pDataSet )
796 throw uno::RuntimeException("Can't access Itemset for XPropertySet" );
797 return pDataSet;
** CID 1352452: Error handling issues (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbarange.cxx: 266 in ScVbaRange::getCurrentDataSet()()
________________________________________________________________________________________________________
*** CID 1352452: Error handling issues (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbarange.cxx: 266 in ScVbaRange::getCurrentDataSet()()
260
261 ScCellRangeObj* ScVbaRange::getCellRangeObj() throw ( uno::RuntimeException )
262 {
263 return dynamic_cast< ScCellRangeObj* >( getCellRangesBase() );
264 }
265
>>> CID 1352452: Error handling issues (UNCAUGHT_EXCEPT)
>>> An exception of type "mdds::general_error" is thrown but the throw list "throw(com::sun::star::uno::RuntimeException)" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
266 SfxItemSet* ScVbaRange::getCurrentDataSet( ) throw ( uno::RuntimeException )
267 {
268 SfxItemSet* pDataSet = excel::ScVbaCellRangeAccess::GetDataSet( getCellRangesBase() );
269 if ( !pDataSet )
270 throw uno::RuntimeException("Can't access Itemset for range" );
271 return pDataSet;
** CID 1352451: Error handling issues (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbarange.cxx: 2563 in ScVbaRange::getNumberFormat()()
________________________________________________________________________________________________________
*** CID 1352451: Error handling issues (UNCAUGHT_EXCEPT)
/sc/source/ui/vba/vbarange.cxx: 2563 in ScVbaRange::getNumberFormat()()
2557 }
2558 NumFormatHelper numFormat( mxRange );
2559 numFormat.setNumberFormat( sFormat );
2560 }
2561
2562 uno::Any
>>> CID 1352451: Error handling issues (UNCAUGHT_EXCEPT)
>>> An exception of type "mdds::general_error" is thrown but the throw list "throw(com::sun::star::uno::RuntimeException, com::sun::star::script::BasicErrorException)" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
2563 ScVbaRange::getNumberFormat() throw ( script::BasicErrorException, uno::RuntimeException)
2564 {
2565
2566 if ( m_Areas->getCount() > 1 )
2567 {
2568 sal_Int32 nItems = m_Areas->getCount();
** CID 1352449: Insecure data handling (TAINTED_SCALAR)
/sal/qa/rtl/random/rtl_random.cxx: 368 in rtl_random::getBytes::getBytes_003_1()()
________________________________________________________________________________________________________
*** CID 1352449: Insecure data handling (TAINTED_SCALAR)
/sal/qa/rtl/random/rtl_random.cxx: 368 in rtl_random::getBytes::getBytes_003_1()()
362 for(nCount = 0;nCount < nCountMax; ++nCount) // run 100000000 through getBytes(...)
363 {
364 /* rtlRandomError aError = */ rtl_random_getBytes(aPool, pBuffer, nBufLen);
365 // CPPUNIT_ASSERT_MESSAGE("wrong parameter", aError == rtl_Random_E_None);
366
367 for (sal_uInt32 i=0;i<nBufLen;++i)
>>> CID 1352449: Insecure data handling (TAINTED_SCALAR)
>>> Casting narrower unsigned "pBuffer[i]" to wider signed type "short" effectively tests its lower bound.
368 aStat.addValue(pBuffer[i], 1);
369 }
370
371 aStat.build(nCountMax * nBufLen);
372 aStat.print();
373
** CID 1352448: Insecure data handling (TAINTED_SCALAR)
/sal/qa/rtl/random/rtl_random.cxx: 335 in rtl_random::getBytes::getBytes_003()()
________________________________________________________________________________________________________
*** CID 1352448: Insecure data handling (TAINTED_SCALAR)
/sal/qa/rtl/random/rtl_random.cxx: 335 in rtl_random::getBytes::getBytes_003()()
329 int nCountMax = 1000000;
330 for(nCount = 0;nCount < nCountMax; ++nCount) // run 100000000 through getBytes(...)
331 {
332 /* rtlRandomError aError = */ rtl_random_getBytes(aPool, pBuffer, nBufLen);
333 /* CPPUNIT_ASSERT_MESSAGE("wrong parameter", aError == rtl_Random_E_None); */
334
>>> CID 1352448: Insecure data handling (TAINTED_SCALAR)
>>> Casting narrower unsigned "pBuffer[0]" to wider signed type "short" effectively tests its lower bound.
335 aStat.addValue(pBuffer[0], 1);
336 }
337
338 aStat.build(nCountMax);
339 aStat.print();
340
** CID 1352441: Resource leaks (RESOURCE_LEAK)
/connectivity/source/drivers/evoab2/EApi.cxx: 147 in EApiInit()()
________________________________________________________________________________________________________
*** CID 1352441: Resource leaks (RESOURCE_LEAK)
/connectivity/source/drivers/evoab2/EApi.cxx: 147 in EApiInit()()
141
142 if (tryLink( aModule, eBookLibNames[ j ], aCommonApiMap))
143 {
144 if (eds_check_version( 3, 6, 0 ) != nullptr)
145 {
146 if (tryLink( aModule, eBookLibNames[ j ], aOldApiMap))
>>> CID 1352441: Resource leaks (RESOURCE_LEAK)
>>> Variable "aModule" going out of scope leaks the storage it points to.
147 return true;
148 }
149 else if (tryLink( aModule, eBookLibNames[ j ], aNewApiMap))
150 {
151 if (eds_check_version( 3, 7, 6 ) != nullptr)
152 {
** CID 1352407: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1352407: Memory - corruptions (OVERRUN)
/connectivity/source/drivers/firebird/Util.cxx: 37 in connectivity::firebird::StatusVectorToString(const long (&)[20], const rtl::OUString &)()
31 const ISC_STATUS* pStatus = reinterpret_cast<const ISC_STATUS*>(&rStatusVector);
32
33 buf.append("firebird_sdbc error:");
34 try
35 {
36 char msg[512]; // Size is based on suggestion in docs.
>>> CID 1352407: Memory - corruptions (OVERRUN)
>>> Overrunning array "msg" of 512 bytes by passing it to a function which accesses it at byte offset 512 using argument "512U".
37 while(fb_interpret(msg, sizeof(msg), &pStatus))
38 {
39 // TODO: verify encoding
40 buf.append("\n*");
41 buf.append(OUString(msg, strlen(msg), RTL_TEXTENCODING_UTF8));
42 }
** CID 1352322: Null pointer dereferences (NULL_RETURNS)
/sc/source/core/data/dociter.cxx: 791 in ScFormulaGroupIterator::ScFormulaGroupIterator(ScDocument *)()
________________________________________________________________________________________________________
*** CID 1352322: Null pointer dereferences (NULL_RETURNS)
/sc/source/core/data/dociter.cxx: 791 in ScFormulaGroupIterator::ScFormulaGroupIterator(ScDocument *)()
785 ScFormulaGroupIterator::ScFormulaGroupIterator( ScDocument* pDoc ) :
786 mpDoc(pDoc),
787 mnTab(0),
788 mnCol(0),
789 mnIndex(0)
790 {
>>> CID 1352322: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "pTab" = null return value from "FetchTable".
791 ScTable *pTab = mpDoc->FetchTable(mnTab);
792 ScColumn *pCol = pTab->FetchColumn(mnCol);
793 if (pCol)
794 {
795 mbNullCol = false;
796 maEntries = pCol->GetFormulaGroupEntries();
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/libreoffice?tab=overview
To manage Coverity Scan email notifications for "libreoffice at lists.freedesktop.org", click https://scan.coverity.com/subscriptions/edit?email=libreoffice%40lists.freedesktop.org&token=d6481d718a775246b2340f282ebe5939