New Defects reported by Coverity Scan for LibreOffice
scan-admin at coverity.com
scan-admin at coverity.com
Mon Apr 20 05:14:10 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to LibreOffice, as found by Coverity Scan.
Coverity Scan found 12 new defect(s) introduced to LibreOffice.
5 defect(s) reported earlier by Coverity Scan were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 218 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
212 {
213 JLocalAutoRef jo_arg(
214 jni, jni->GetObjectArrayElement( jo_args, nPos ) );
215 jni.ensure_no_exception();
216 jvalue java_arg;
217 java_arg.l = jo_arg.get();
>>> CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "map_to_uno" dereferences freed pointer "type".
218 map_to_uno(
219 jni, uno_args[ nPos ], java_arg, type, nullptr,
220 false /* no assign */, param.bOut,
221 true /* special wrapped integral types */ );
222 }
223 catch (...)
** CID 1462317: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1462317: Null pointer dereferences (FORWARD_NULL)
/sw/source/core/crsr/crsrsh.cxx: 1235 in SwCursorShell::GetPageNumSeqNonEmpty()()
1229 // page number: first visible page or the one at the cursor
1230 const SwContentFrame* pCFrame = GetCurrFrame(/*bCalcFrame*/true);
1231 const SwPageFrame* pPg = nullptr;
1232
1233 if (!pCFrame )
1234 {
>>> CID 1462317: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "pCFrame" to "FindPageFrame", which dereferences it.
1235 pPg = pCFrame->FindPageFrame();
1236 if( !pPg )
1237 {
1238 pPg = Imp()->GetFirstVisPage(GetOut());
1239 while (pPg && pPg->IsEmptyPage())
1240 pPg = static_cast<const SwPageFrame*>(pPg->GetNext());
** CID 1462316: (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
________________________________________________________________________________________________________
*** CID 1462316: (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 457 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
451 }
452 uno_Environment_invoke(m_to.get(), s_type_destructData_v, args[nPos], param.pTypeRef, 0);
453 }
454 }
455 if (ret != pReturn)
456 {
>>> CID 1462316: (USE_AFTER_FREE)
>>> Calling "uno_type_copyAndConvertData" dereferences freed pointer "pReturnTypeRef".
457 uno_type_copyAndConvertData(pReturn,
458 ret,
459 pReturnTypeRef,
460 m_to_from.get());
461
462 uno_Environment_invoke(m_to.get(), s_type_destructData_v, ret, pReturnTypeRef, 0);
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
485
486 // FIXME: need to destruct in m_to
487 uno_any_destruct(exc, nullptr);
488 }
489
490 if (m_probeFun)
>>> CID 1462316: (USE_AFTER_FREE)
>>> Passing freed pointer "pReturnTypeRef" as an argument to "*this->m_probeFun".
491 m_probeFun(false,
492 this,
493 m_pProbeContext,
494 pReturnTypeRef,
495 pParams,
496 nParams,
** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
/vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()()
________________________________________________________________________________________________________
*** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
/vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()()
12785 if (m_nNonCustomLineHeight != -1)
12786 {
12787 gint nNormalHeight = get_height_rows(m_nNonCustomLineHeight, nSeparatorHeight, nMaxRows);
12788 if (nHeight > nNormalHeight)
12789 {
12790 gint nRowsOnly = nNormalHeight - get_height_rows(0, nSeparatorHeight, nMaxRows);
>>> CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "(nRowsOnly + (nRowHeight - 1)) / nRowHeight", division by expression "nRowHeight" which may be zero has undefined behavior.
12791 gint nCustomRows = (nRowsOnly + (nRowHeight - 1)) / nRowHeight;
12792 nHeight = get_height_rows(nRowHeight, nSeparatorHeight, nCustomRows);
12793 }
12794 }
12795
12796 return nHeight;
** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/cpp_uno/gcc3_linux_x86-64/cpp2uno.cxx: 78 in cpp2uno_call(bridges::cpp_uno::shared::CppInterfaceProxy *, const _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, _typelib_MethodParameter *, void **, void **, void **, unsigned long *)()
72
73 void * pUnoReturn = nullptr;
74 void * pCppReturn = nullptr; // complex return ptr: if != 0 && != pUnoReturn, reconversion need
75
76 if ( pReturnTypeDescr )
77 {
>>> CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "return_in_hidden_param" dereferences freed pointer "pReturnTypeRef".
78 if ( x86_64::return_in_hidden_param( pReturnTypeRef ) )
79 {
80 pCppReturn = *gpreg++;
81 nr_gpr++;
82
83 pUnoReturn = ( bridges::cpp_uno::shared::relatesToInterfaceType( pReturnTypeDescr )
** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
1041 case typelib_TypeClass_INTERFACE:
1042 {
1043 TypeDescr element_td( element_type );
1044 seq = seq_allocate( nElements, element_td.get()->nSize );
1045
1046 JNI_type_info const * element_info;
>>> CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
>>> Dereferencing freed pointer "element_type".
1047 if (element_type->eTypeClass == typelib_TypeClass_STRUCT ||
1048 element_type->eTypeClass == typelib_TypeClass_EXCEPTION ||
1049 element_type->eTypeClass == typelib_TypeClass_INTERFACE)
1050 {
1051 element_info =
1052 getJniInfo()->get_type_info( jni, element_td.get() );
** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
2382 }
2383 }
2384 break;
2385 }
2386 default:
2387 {
>>> CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
>>> Dereferencing freed pointer "type".
2388 throw BridgeRuntimeError(
2389 "[map_to_java():" + OUString::unacquired( &type->pTypeName )
2390 + "] unsupported element type: "
2391 + OUString::unacquired( &element_type->pTypeName )
2392 + jni.get_stack_trace() );
2393 }
** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
________________________________________________________________________________________________________
*** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
799 &pNew, pSequence->elements,
800 reinterpret_cast<typelib_IndirectTypeDescription *>(pTypeDescr)->pType,
801 pSequence->nElements, acquire,
802 pSequence->nElements ); // alloc nElements
803 if (ret)
804 {
>>> CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
>>> Passing freed pointer "pType" as an argument to "idestructSequence".
805 idestructSequence( *ppSequence, pType, pTypeDescr, release );
806 *ppSequence = pNew;
807 }
808
809 TYPELIB_DANGER_RELEASE( pTypeDescr );
810 }
** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
1088 }
1089 }
1090 break;
1091 }
1092 default:
1093 {
>>> CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
>>> Dereferencing freed pointer "type".
1094 throw BridgeRuntimeError(
1095 "[map_to_uno():" + OUString::unacquired( &type->pTypeName )
1096 + "] unsupported sequence element type: "
1097 + OUString::unacquired( &element_type->pTypeName )
1098 + jni.get_stack_trace() );
1099 }
** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/destr.hxx: 139 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
133 break;
134 }
135 #if OSL_DEBUG_LEVEL > 0
136 pAny->pData = reinterpret_cast<void *>(uintptr_t(0xdeadbeef));
137 #endif
138
>>> CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
>>> Calling "typelib_typedescriptionreference_release" dereferences freed pointer "pType".
139 ::typelib_typedescriptionreference_release( pType );
140 }
141
142 inline sal_Int32 idestructElements(
143 void * pElements, typelib_TypeDescriptionReference * pElementType,
144 sal_Int32 nStartIndex, sal_Int32 nStopIndex,
** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
________________________________________________________________________________________________________
*** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
280 type->eTypeClass != typelib_TypeClass_ENUM) // opt
281 {
282 uno_type_destructData( uno_args[ nPos ], type, nullptr );
283 }
284 }
285
>>> CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
>>> Dereferencing freed pointer "return_type".
286 if (return_type->eTypeClass != typelib_TypeClass_VOID)
287 {
288 // convert uno return value
289 jvalue java_ret;
290 try
291 {
** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile, std::default_delete<ImpSwapFile>>::~unique_ptr()()
________________________________________________________________________________________________________
*** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile, std::default_delete<ImpSwapFile>>::~unique_ptr()()
264 is_convertible<_Up*, _Tp*>, is_same<_Dp, default_delete<_Tp>>>>
265 unique_ptr(auto_ptr<_Up>&& __u) noexcept;
266 #pragma GCC diagnostic pop
267 #endif
268
269 /// Destructor, invokes the deleter if the stored pointer is not null.
>>> CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
>>> An exception of type "com::sun::star::uno::DeploymentException" is thrown but the throw list "noexcept" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
270 ~unique_ptr() noexcept
271 {
272 auto& __ptr = _M_t._M_ptr();
273 if (__ptr != nullptr)
274 get_deleter()(__ptr);
275 __ptr = pointer();
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teExViPHTTReBArhCRZ3BE4kCjKjDqn2Dq3ZyEbAvAs31gRpU3vMPHDnoSx68vDAWjNU-3Dq6Zf_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJiWxs1vCErrIoYNhvdSMCQZgtcTF1D1LHrM3BsCXfAnGLgzcESsBiDVBNAzScIJMBKxkjb-2FR4nA3EkYvrk3n8Jn3JSKruVetBKAm4VVL7T9gKyxdchpudUX5yfzsH9q8XL9yh0-2Fozoj-2Fj46ltBXuk8AF60n-2FfLRJ15DL4KQnpvIQnifjmsyCotlUhezAX6JNBi