New Defects reported by Coverity Scan for LibreOffice
Stephan Bergmann
sbergman at redhat.com
Fri Aug 7 06:17:06 UTC 2020
On 06/08/2020 22:33, scan-admin at coverity.com wrote:
> ** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
>
>
> ________________________________________________________________________________________________________
> *** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_java2uno.cxx: 218 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
> 212 {
> 213 JLocalAutoRef jo_arg(
> 214 jni, jni->GetObjectArrayElement( jo_args, nPos ) );
> 215 jni.ensure_no_exception();
> 216 jvalue java_arg;
> 217 java_arg.l = jo_arg.get();
>>>> CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Calling "map_to_uno" dereferences freed pointer "type".
> 218 map_to_uno(
> 219 jni, uno_args[ nPos ], java_arg, type, nullptr,
> 220 false /* no assign */, param.bOut,
> 221 true /* special wrapped integral types */ );
> 222 }
> 223 catch (...)
>
> ** CID 1462316: (USE_AFTER_FREE)
> /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462316: (USE_AFTER_FREE)
> /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 457 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
> 451 }
> 452 uno_Environment_invoke(m_to.get(), s_type_destructData_v, args[nPos], param.pTypeRef, 0);
> 453 }
> 454 }
> 455 if (ret != pReturn)
> 456 {
>>>> CID 1462316: (USE_AFTER_FREE)
>>>> Calling "uno_type_copyAndConvertData" dereferences freed pointer "pReturnTypeRef".
> 457 uno_type_copyAndConvertData(pReturn,
> 458 ret,
> 459 pReturnTypeRef,
> 460 m_to_from.get());
> 461
> 462 uno_Environment_invoke(m_to.get(), s_type_destructData_v, ret, pReturnTypeRef, 0);
> /cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const _typelib_TypeDescription *, void *, void **, _uno_Any **)()
> 485
> 486 // FIXME: need to destruct in m_to
> 487 uno_any_destruct(exc, nullptr);
> 488 }
> 489
> 490 if (m_probeFun)
>>>> CID 1462316: (USE_AFTER_FREE)
>>>> Passing freed pointer "pReturnTypeRef" as an argument to "*this->m_probeFun".
> 491 m_probeFun(false,
> 492 this,
> 493 m_pProbeContext,
> 494 pReturnTypeRef,
> 495 pParams,
> 496 nParams,
>
> ** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
>
>
> ________________________________________________________________________________________________________
> *** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/cpp_uno/gcc3_linux_x86-64/cpp2uno.cxx: 78 in cpp2uno_call(bridges::cpp_uno::shared::CppInterfaceProxy *, const _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, _typelib_MethodParameter *, void **, void **, void **, unsigned long *)()
> 72
> 73 void * pUnoReturn = nullptr;
> 74 void * pCppReturn = nullptr; // complex return ptr: if != 0 && != pUnoReturn, reconversion need
> 75
> 76 if ( pReturnTypeDescr )
> 77 {
>>>> CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Calling "return_in_hidden_param" dereferences freed pointer "pReturnTypeRef".
> 78 if ( x86_64::return_in_hidden_param( pReturnTypeRef ) )
> 79 {
> 80 pCppReturn = *gpreg++;
> 81 nr_gpr++;
> 82
> 83 pUnoReturn = ( bridges::cpp_uno::shared::relatesToInterfaceType( pReturnTypeDescr )
>
> ** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
> 1041 case typelib_TypeClass_INTERFACE:
> 1042 {
> 1043 TypeDescr element_td( element_type );
> 1044 seq = seq_allocate( nElements, element_td.get()->nSize );
> 1045
> 1046 JNI_type_info const * element_info;
>>>> CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Dereferencing freed pointer "element_type".
> 1047 if (element_type->eTypeClass == typelib_TypeClass_STRUCT ||
> 1048 element_type->eTypeClass == typelib_TypeClass_EXCEPTION ||
> 1049 element_type->eTypeClass == typelib_TypeClass_INTERFACE)
> 1050 {
> 1051 element_info =
> 1052 getJniInfo()->get_type_info( jni, element_td.get() );
>
> ** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
> 2382 }
> 2383 }
> 2384 break;
> 2385 }
> 2386 default:
> 2387 {
>>>> CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Dereferencing freed pointer "type".
> 2388 throw BridgeRuntimeError(
> 2389 "[map_to_java():" + OUString::unacquired( &type->pTypeName )
> 2390 + "] unsupported element type: "
> 2391 + OUString::unacquired( &element_type->pTypeName )
> 2392 + jni.get_stack_trace() );
> 2393 }
>
> ** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
> /cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
> /cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
> 799 &pNew, pSequence->elements,
> 800 reinterpret_cast<typelib_IndirectTypeDescription *>(pTypeDescr)->pType,
> 801 pSequence->nElements, acquire,
> 802 pSequence->nElements ); // alloc nElements
> 803 if (ret)
> 804 {
>>>> CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Passing freed pointer "pType" as an argument to "idestructSequence".
> 805 idestructSequence( *ppSequence, pType, pTypeDescr, release );
> 806 *ppSequence = pNew;
> 807 }
> 808
> 809 TYPELIB_DANGER_RELEASE( pTypeDescr );
> 810 }
>
> ** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, bool) const()
> 1088 }
> 1089 }
> 1090 break;
> 1091 }
> 1092 default:
> 1093 {
>>>> CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Dereferencing freed pointer "type".
> 1094 throw BridgeRuntimeError(
> 1095 "[map_to_uno():" + OUString::unacquired( &type->pTypeName )
> 1096 + "] unsupported sequence element type: "
> 1097 + OUString::unacquired( &element_type->pTypeName )
> 1098 + jni.get_stack_trace() );
> 1099 }
>
> ** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
>
>
> ________________________________________________________________________________________________________
> *** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
> /cppu/source/uno/destr.hxx: 139 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
> 133 break;
> 134 }
> 135 #if OSL_DEBUG_LEVEL > 0
> 136 pAny->pData = reinterpret_cast<void *>(uintptr_t(0xdeadbeef));
> 137 #endif
> 138
>>>> CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Calling "typelib_typedescriptionreference_release" dereferences freed pointer "pType".
> 139 ::typelib_typedescriptionreference_release( pType );
> 140 }
> 141
> 142 inline sal_Int32 idestructElements(
> 143 void * pElements, typelib_TypeDescriptionReference * pElementType,
> 144 sal_Int32 nStartIndex, sal_Int32 nStopIndex,
>
> ** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
>
>
> ________________________________________________________________________________________________________
> *** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
> /bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
> 280 type->eTypeClass != typelib_TypeClass_ENUM) // opt
> 281 {
> 282 uno_type_destructData( uno_args[ nPos ], type, nullptr );
> 283 }
> 284 }
> 285
>>>> CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
>>>> Dereferencing freed pointer "return_type".
> 286 if (return_type->eTypeClass != typelib_TypeClass_VOID)
> 287 {
> 288 // convert uno return value
> 289 jvalue java_ret;
> 290 try
> 291 {
The above CIDs (1462308--1462314, 1462316, and 1462318) all appear to be false positives that stem from the same wrong assumption: that TYPELIB_DANGER_GET (include/typelib/typedescription.h) could destroy its *ppMacroTypeDescr argument. In fact it only shaves off an excess refcount via typelib_typedescription_release; the caller's own reference is untouched, so the type description / type reference that the flagged lines go on to dereference has not actually been freed.
The question is whether there is a good way to teach Coverity Scan centrally about its false assumption there, rather than dismissing each of these CIDs one by one (and having the same pattern resurface at every new TYPELIB_DANGER_GET call site).