New Defects reported by Coverity Scan for LibreOffice

scan-admin at coverity.com scan-admin at coverity.com
Mon Feb 21 10:44:29 UTC 2022


Hi,

Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.

243 new defect(s) introduced to LibreOffice found with Coverity Scan.
30 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 243 defect(s)


** CID 1500713:    (USE_AFTER_FREE)
/cppu/source/uno/copy.hxx: 451 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
/cppu/source/uno/copy.hxx: 478 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
/cppu/source/uno/copy.hxx: 516 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()


________________________________________________________________________________________________________
*** CID 1500713:    (USE_AFTER_FREE)
/cppu/source/uno/copy.hxx: 523 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
517                                     mapping, reinterpret_cast<void **>(pElements) + nPos,
518                                     pSourceElements[nPos],
519                                     reinterpret_cast<typelib_InterfaceTypeDescription *>(
520                                         pElementTypeDescr) );
521                             }
522                         }
>>>     CID 1500713:    (USE_AFTER_FREE)
>>>     Calling "TYPELIB_DANGER_RELEASE" dereferences freed pointer "pElementTypeDescr".
523                         TYPELIB_DANGER_RELEASE( pElementTypeDescr );
524                     }
525                     break;
526                 }
527                 default:
528                     OSL_FAIL( "### unexpected sequence element type!" );
/cppu/source/uno/copy.hxx: 451 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
445                 }
446                 case typelib_TypeClass_STRUCT:
447                 case typelib_TypeClass_EXCEPTION:
448                 {
449                     typelib_TypeDescription * pElementTypeDescr = nullptr;
450                     TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>>     CID 1500713:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "pElementTypeDescr".
451                     sal_Int32 nElementSize = pElementTypeDescr->nSize;
452                     char * pSourceElements = pSource->elements;
453                     pDest = allocSeq( nElementSize, nElements );
454                     if (pDest != nullptr)
455                     {
456                         char * pElements = pDest->elements;
/cppu/source/uno/copy.hxx: 478 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
472                     // coverity[suspicious_sizeof] - sizeof(uno_Sequence*) is correct here
473                     pDest = allocSeq( sizeof (uno_Sequence *), nElements );
474                     if (pDest != nullptr)
475                     {
476                         typelib_TypeDescription * pElementTypeDescr = nullptr;
477                         TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>>     CID 1500713:    (USE_AFTER_FREE)
>>>     Using freed pointer "pElementTypeDescr".
478                         typelib_TypeDescriptionReference * pSeqElementType =
479                             reinterpret_cast<typelib_IndirectTypeDescription *>(
480                                 pElementTypeDescr)->pType;
481     
482                         uno_Sequence ** pDestElements =
483                             reinterpret_cast<uno_Sequence **>(pDest->elements);
/cppu/source/uno/copy.hxx: 516 in cppu::icopyConstructSequence(_sal_Sequence *, _typelib_TypeDescriptionReference *, void (*)(void *), _uno_Mapping *)()
510                         TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
511                         for ( sal_Int32 nPos = nElements; nPos--; )
512                         {
513                             reinterpret_cast<void **>(pElements)[nPos] = nullptr;
514                             if (pSourceElements[nPos])
515                             {
>>>     CID 1500713:    (USE_AFTER_FREE)
>>>     Passing freed pointer "pElementTypeDescr" as an argument to "*mapping->mapInterface".
516                                 (*mapping->mapInterface)(
517                                     mapping, reinterpret_cast<void **>(pElements) + nPos,
518                                     pSourceElements[nPos],
519                                     reinterpret_cast<typelib_InterfaceTypeDescription *>(
520                                         pElementTypeDescr) );
521                             }

** CID 1500712:  Null pointer dereferences  (FORWARD_NULL)
/slideshow/source/engine/smilfunctionparser.cxx: 317 in slideshow::internal::<unnamed>::BinaryFunctionFunctor<std::shared_ptr<slideshow::internal::ExpressionNode> (*)(const std::shared_ptr<slideshow::internal::ExpressionNode> &, const std::shared_ptr<slideshow::internal::ExpressionNode> &)>::operator ()(const char *, const char *) const()


________________________________________________________________________________________________________
*** CID 1500712:  Null pointer dereferences  (FORWARD_NULL)
/slideshow/source/engine/smilfunctionparser.cxx: 317 in slideshow::internal::<unnamed>::BinaryFunctionFunctor<std::shared_ptr<slideshow::internal::ExpressionNode> (*)(const std::shared_ptr<slideshow::internal::ExpressionNode> &, const std::shared_ptr<slideshow::internal::ExpressionNode> &)>::operator ()(const char *, const char *) const()
311                         rNodeStack.pop();
312     
313                         // create combined ExpressionNode
314                         std::shared_ptr<ExpressionNode> pNode( maGenerator( pFirstArg,
315                                                                     pSecondArg ) );
316                         // check for constness
>>>     CID 1500712:  Null pointer dereferences  (FORWARD_NULL)
>>>     Attempting to access the managed object of an empty smart pointer "pFirstArg".
317                         if( pFirstArg->isConstant() &&
318                             pSecondArg->isConstant() )
319                         {
320                             // call the operator() at pNode, store result
321                             // in constant value ExpressionNode.
322                             rNodeStack.push(

** CID 1500711:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1500711:  Null pointer dereferences  (FORWARD_NULL)
/sw/source/ui/misc/insfnote.cxx: 181 in SwInsFootNoteDlg::~SwInsFootNoteDlg()()
175             m_xNextBT->show();
176         }
177     }
178     
179     SwInsFootNoteDlg::~SwInsFootNoteDlg() COVERITY_NOEXCEPT_FALSE
180     {
>>>     CID 1500711:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "std::shared_ptr<weld::Window> const(std::nullptr_t())" to "SetCareDialog", which dereferences null "std::shared_ptr<weld::Window> const(std::nullptr_t())".
181         SwViewShell::SetCareDialog(nullptr);
182     
183         if (m_bEdit)
184             m_rSh.ResetSelect(nullptr, false);
185     }
186     

** CID 1500710:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1500710:    (TAINTED_SCALAR)
/filter/source/xmlfilterdetect/filterdetect.cxx: 168 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
162                 catch (...) {}
163     
164                 if (!IsMediaTypeXML(sMediaType))
165                 {
166                     // This is not an XML stream.  It makes no sense to try to detect
167                     // a non-XML file type here.
>>>     CID 1500710:    (TAINTED_SCALAR)
>>>     Passing tainted expression "resultString.pData" to "~OUString", which uses it as a loop boundary.
168                     return OUString();
169                 }
170             }
171     
172             // test typedetect code
173             Reference <XNameAccess> xTypeCont(mxCtx->getServiceManager()->createInstanceWithContext("com.sun.star.document.TypeDetection", mxCtx), UNO_QUERY);
/filter/source/xmlfilterdetect/filterdetect.cxx: 144 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
138                 OString const str(read_uInt8s_ToOString(*pInStream, nSize));
139                 resultString = OUString(str.getStr(), str.getLength(),
140                     RTL_TEXTENCODING_ASCII_US,
141                     RTL_TEXTTOUNICODE_FLAGS_UNDEFINED_DEFAULT|RTL_TEXTTOUNICODE_FLAGS_MBUNDEFINED_DEFAULT|RTL_TEXTTOUNICODE_FLAGS_INVALID_DEFAULT);
142             }
143             else if ( nUniPos == 2 || bTryUtf16 ) // UTF-16
>>>     CID 1500710:    (TAINTED_SCALAR)
>>>     Passing tainted expression "<temporary>.pData" to "~OUString", which uses it as a loop boundary.
144                 resultString = read_uInt16s_ToOUString( *pInStream, nSize );
145     
146             if ( !resultString.startsWith( "<?xml" ) )
147             {
148                 // Check the content type; XML declaration is optional in XML files according to XML 1.0 ch.2.8
149                 // (see https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCyxjtZGADNAMi9AssFYdP8g2ffr-2FKXDwTbEJqt33OI0hHJdDg6qfWuzr-2FcQMavxTWarG1L2eFiZ83aW0u4GPos3c-3D85Uk_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJi-2FDITY-2FO94d2hHUHNOYWNuZVnUMbUvRGUdhO6WcpV2Kab9eGYz7x9i6rZD8ulQepE19aOOXEU-2F0qlllOlvxVGswh2TTe-2FzwWFWIQk4ZsV-2FKmRVkEYrRw3WrrpNraVFWwbPGFzYFaHO3v1Ipm1cukrqJGUpKVG0ug2pucjcn0qXB0-3D
/filter/source/xmlfilterdetect/filterdetect.cxx: 213 in FilterDetect::detect(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue> &)()
207                 aArguments.realloc(nLength+1);
208                 aArguments.getArray()[location].Name = "TypeName";
209             }
210             aArguments.getArray()[location].Value <<=sTypeName;
211         }
212     
>>>     CID 1500710:    (TAINTED_SCALAR)
>>>     Passing tainted expression "resultString.pData" to "~OUString", which uses it as a loop boundary.
213         return sTypeName;
214     }
215     
216     // XInitialization
217     void SAL_CALL FilterDetect::initialize( const Sequence< Any >& /*aArguments*/ )
218     {

** CID 1500709:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1500709:  Insecure data handling  (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8toolbar.cxx: 615 in Xst::Read(SvStream &)()
609     
610     bool
611     Xst::Read( SvStream& rS )
612     {
613         SAL_INFO("sw.ww8","Xst::Read() stream pos 0x" << std::hex << rS.Tell() );
614         nOffSet = rS.Tell();
>>>     CID 1500709:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "<temporary>.pData" to "~OUString", which uses it as a loop boundary.
615         sString = read_uInt16_PascalString(rS);
616         return rS.good();
617     }
618     
619     Tcg::Tcg() : nTcgVer( -1 )
620     {

** CID 1500708:    (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1500708:    (FORWARD_NULL)
/sw/source/uibase/app/swmodul1.cxx: 292 in SwModule::ApplyUserCharUnit(bool, bool)()
286         else
287         {
288             if(!m_pUsrPref)
289                 GetUsrPref(false);
290             pPref = m_pUsrPref.get();
291         }
>>>     CID 1500708:    (FORWARD_NULL)
>>>     Passing null pointer "pPref" to "IsApplyCharUnit", which dereferences it.
292         bool bOldApplyCharUnit = pPref->IsApplyCharUnit();
293         bool bHasChanged = false;
294         if(bOldApplyCharUnit != bApplyChar)
295         {
296             pPref->SetApplyCharUnit(bApplyChar);
297             bHasChanged = true;
/sw/source/uibase/app/swmodul1.cxx: 292 in SwModule::ApplyUserCharUnit(bool, bool)()
286         else
287         {
288             if(!m_pUsrPref)
289                 GetUsrPref(false);
290             pPref = m_pUsrPref.get();
291         }
>>>     CID 1500708:    (FORWARD_NULL)
>>>     Passing null pointer "pPref" to "IsApplyCharUnit", which dereferences it.
292         bool bOldApplyCharUnit = pPref->IsApplyCharUnit();
293         bool bHasChanged = false;
294         if(bOldApplyCharUnit != bApplyChar)
295         {
296             pPref->SetApplyCharUnit(bApplyChar);
297             bHasChanged = true;

** CID 1500707:  Null pointer dereferences  (REVERSE_INULL)
/sfx2/source/doc/docinsert.cxx: 133 in sfx2::DocumentInserter::CreateMedium(const char *)()


________________________________________________________________________________________________________
*** CID 1500707:  Null pointer dereferences  (REVERSE_INULL)
/sfx2/source/doc/docinsert.cxx: 133 in sfx2::DocumentInserter::CreateMedium(const char *)()
127             }
128             if ( nError == ERRCODE_NONE && pFilter )
129                 pMedium->SetFilter( pFilter );
130             else
131                 pMedium.reset();
132     
>>>     CID 1500707:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "pMedium" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
133             if ( pMedium && CheckPasswd_Impl( nullptr, pMedium.get() ) == ERRCODE_ABORT )
134                 pMedium.reset();
135         }
136     
137         return pMedium;
138     }

** CID 1500706:  Uninitialized members  (UNINIT_CTOR)
/sc/source/ui/Accessibility/AccessibleDocument.cxx: 321 in ScChildrenShapes::ScChildrenShapes(ScAccessibleDocument *, ScTabViewShell *, ScSplitPos)()


________________________________________________________________________________________________________
*** CID 1500706:  Uninitialized members  (UNINIT_CTOR)
/sc/source/ui/Accessibility/AccessibleDocument.cxx: 321 in ScChildrenShapes::ScChildrenShapes(ScAccessibleDocument *, ScTabViewShell *, ScSplitPos)()
315     
316             uno::Reference<drawing::XShapes> xShapes(mpViewShell->getSelectedXShapes());
317             if (xShapes.is())
318                 FindSelectedShapesChanges(xShapes);
319         }
320         if (!pViewShell)
>>>     CID 1500706:  Uninitialized members  (UNINIT_CTOR)
>>>     Non-static class member "mnSdrObjCount" is not initialized in this constructor nor in any functions that it calls.
321             return;
322     
323         ScViewData& rViewData = pViewShell->GetViewData();
324         SfxBroadcaster* pDrawBC = rViewData.GetDocument().GetDrawBroadcaster();
325         if (pDrawBC)
326         {

** CID 1500705:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1500705:    (TAINTED_SCALAR)
/filter/source/msfilter/svdfppt.cxx: 2429 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2423                         OUString aSuf = read_uInt16s_ToOUString(rSt, n);
2424                         sal_Int32 nV = aSuf.toInt32();
2425                         if ( ( nV == nVersion ) && ( aPre == "___PPT" ) )
2426                         {
2427                             if (!rContentHd.SeekToEndOfRecord(rSt))
2428                             {
>>>     CID 1500705:    (TAINTED_SCALAR)
>>>     Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2429                                 break;
2430                             }
2431                             ReadDffRecordHeader( rSt, rContentHd );
2432                             if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433                             {
2434                                 bRetValue = true;
/filter/source/msfilter/svdfppt.cxx: 2438 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2432                             if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433                             {
2434                                 bRetValue = true;
2435                                 break;
2436                             }
2437                         }
>>>     CID 1500705:    (TAINTED_SCALAR)
>>>     Passing tainted expression "aPre.pData" to "~OUString", which uses it as a loop boundary.
2438                     }
2439                 }
2440                 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))
2441                     break;
2442             }
2443         }
/filter/source/msfilter/svdfppt.cxx: 2438 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2432                             if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433                             {
2434                                 bRetValue = true;
2435                                 break;
2436                             }
2437                         }
>>>     CID 1500705:    (TAINTED_SCALAR)
>>>     Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2438                     }
2439                 }
2440                 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))
2441                     break;
2442             }
2443         }
/filter/source/msfilter/svdfppt.cxx: 2429 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2423                         OUString aSuf = read_uInt16s_ToOUString(rSt, n);
2424                         sal_Int32 nV = aSuf.toInt32();
2425                         if ( ( nV == nVersion ) && ( aPre == "___PPT" ) )
2426                         {
2427                             if (!rContentHd.SeekToEndOfRecord(rSt))
2428                             {
>>>     CID 1500705:    (TAINTED_SCALAR)
>>>     Passing tainted expression "aPre.pData" to "~OUString", which uses it as a loop boundary.
2429                                 break;
2430                             }
2431                             ReadDffRecordHeader( rSt, rContentHd );
2432                             if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433                             {
2434                                 bRetValue = true;
/filter/source/msfilter/svdfppt.cxx: 2435 in SdrPowerPointImport::SeekToContentOfProgTag(int, SvStream &, const DffRecordHeader &, DffRecordHeader &)()
2429                                 break;
2430                             }
2431                             ReadDffRecordHeader( rSt, rContentHd );
2432                             if ( rContentHd.nRecType == PPT_PST_BinaryTagData )
2433                             {
2434                                 bRetValue = true;
>>>     CID 1500705:    (TAINTED_SCALAR)
>>>     Passing tainted expression "aSuf.pData" to "~OUString", which uses it as a loop boundary.
2435                                 break;
2436                             }
2437                         }
2438                     }
2439                 }
2440                 if (!aProgTagBinaryDataHd.SeekToEndOfRecord(rSt))

** CID 1500704:  Resource leaks  (RESOURCE_LEAK)
/editeng/source/editeng/editdoc.cxx: 2098 in EditDoc::Release(int)()


________________________________________________________________________________________________________
*** CID 1500704:  Resource leaks  (RESOURCE_LEAK)
/editeng/source/editeng/editdoc.cxx: 2098 in EditDoc::Release(int)()
2092     {
2093         if (nPos < 0 || nPos >= static_cast<sal_Int32>(maContents.size()))
2094         {
2095             SAL_WARN( "editeng", "EditDoc::Release - out of bounds pos " << nPos);
2096             return;
2097         }
>>>     CID 1500704:  Resource leaks  (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "this->maContents[nPos]->release()" leaks it.
2098         (void)maContents[nPos].release();
2099         maContents.erase(maContents.begin() + nPos);
2100     }
2101     
2102     sal_Int32 EditDoc::Count() const
2103     {

** CID 1500703:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1500703:  Insecure data handling  (TAINTED_SCALAR)
/svtools/source/misc/templatefoldercache.cxx: 672 in svt::TemplateFolderCacheImpl::readPreviousState()()
666             m_aPreviousState.reserve( nRootDirectories );
667             while ( nRootDirectories-- )
668             {
669                 OUString sURL = m_pCacheStream->ReadUniOrByteString(m_pCacheStream->GetStreamCharSet());
670                 // #116281# Keep office installation relocatable. Never store
671                 // any direct references to office installation directory.
>>>     CID 1500703:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "sURL.pData" to "operator =", which uses it as a loop boundary.
672                 sURL = getOfficeInstDirs()->makeAbsoluteURL( sURL );
673                 m_aPreviousState.push_back(
674                     new TemplateContent( INetURLObject(sURL) ) );
675             }
676     
677             // read the contents of the root folders

** CID 1500702:  Null pointer dereferences  (REVERSE_INULL)
/dbaccess/source/ui/dlg/tablespage.cxx: 379 in dbaui::OTableSubscriptionPage::collectDetailedSelection() const()


________________________________________________________________________________________________________
*** CID 1500702:  Null pointer dereferences  (REVERSE_INULL)
/dbaccess/source/ui/dlg/tablespage.cxx: 379 in dbaui::OTableSubscriptionPage::collectDetailedSelection() const()
373                                 if (xAllObjectsEntry->equal(*xCatalog))
374                                 {
375                                     // do not want to have the root entry
376                                     xCatalog.reset();
377                                 }
378     
>>>     CID 1500702:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "xCatalog" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
379                                 if (xCatalog)
380                                 {   // it's a real catalog entry, not the "all objects" root
381                                     bCatalogWildcard = m_xTablesList->isWildcardChecked(*xCatalog);
382                                     if (m_bCatalogAtStart)
383                                     {
384                                         sComposedName.append(m_xTablesList->GetWidget().get_text(*xCatalog) + m_sCatalogSeparator);

** CID 1500701:  Null pointer dereferences  (FORWARD_NULL)
/connectivity/source/drivers/hsqldb/HStorageAccess.cxx: 362 in Java_com_sun_star_sdbcx_comp_hsqldb_NativeStorageAccess_seek()


________________________________________________________________________________________________________
*** CID 1500701:  Null pointer dereferences  (FORWARD_NULL)
/connectivity/source/drivers/hsqldb/HStorageAccess.cxx: 362 in Java_com_sun_star_sdbcx_comp_hsqldb_NativeStorageAccess_seek()
356         {
357             static const ::sal_Int64 BUFFER_SIZE = 9192;
358         #ifdef HSQLDB_DBG
359             aDataLog.seek( nLen );
360         #endif
361             xSeek->seek(nLen);
>>>     CID 1500701:  Null pointer dereferences  (FORWARD_NULL)
>>>     Attempting to access the managed object of an empty smart pointer "pHelper".
362             Reference< XOutputStream> xOut = pHelper->getOutputStream();
363             OSL_ENSURE(xOut.is(),"No output stream!");
364     
365             ::sal_Int64 diff = position - nLen;
366             sal_Int32 n;
367             while( diff != 0 )

** CID 1500700:  Resource leaks  (RESOURCE_LEAK)
/registry/source/regimpl.cxx: 700 in ORegistry::openKey(void *, std::basic_string_view<char16_t, std::char_traits<char16_t>>, void **)()


________________________________________________________________________________________________________
*** CID 1500700:  Resource leaks  (RESOURCE_LEAK)
/registry/source/regimpl.cxx: 700 in ORegistry::openKey(void *, std::basic_string_view<char16_t, std::char_traits<char16_t>>, void **)()
694             default:
695                 break;
696             }
697     
698             std::unique_ptr< ORegKey > p(new ORegKey(path, this));
699             i = m_openKeyTable.insert(std::make_pair(path, p.get())).first;
>>>     CID 1500700:  Resource leaks  (RESOURCE_LEAK)
>>>     Ignoring storage allocated by "p.release()" leaks it.
700             p.release();
701         } else {
702             i->second->acquire();
703         }
704         *phOpenKey = i->second;
705         return RegError::NO_ERROR;

** CID 1500699:  Memory - illegal accesses  (USE_AFTER_FREE)
/binaryurp/source/incomingrequest.cxx: 231 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny *, std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>> *) const()


________________________________________________________________________________________________________
*** CID 1500699:  Memory - illegal accesses  (USE_AFTER_FREE)
/binaryurp/source/incomingrequest.cxx: 231 in binaryurp::IncomingRequest::execute_throw(binaryurp::BinaryAny *, std::vector<binaryurp::BinaryAny, std::allocator<binaryurp::BinaryAny>> *) const()
225                 default:
226                     assert(false); // this cannot happen
227                     break;
228                 }
229                 size_t nSize = 0;
230                 if (retType.is())
>>>     CID 1500699:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "retType.get()".
231                     nSize = size_t_round(retType.get()->nSize);
232                 std::vector< char > retBuf(nSize);
233                 uno_Any exc;
234                 uno_Any * pexc = &exc;
235                 (*object_.get()->pDispatcher)(
236                     object_.get(), member_.get(), retBuf.empty() ? nullptr : retBuf.data(),

** CID 1500698:    (UNINIT)


________________________________________________________________________________________________________
*** CID 1500698:    (UNINIT)
/sc/source/ui/view/dbfunc3.cxx: 1083 in ScDBFunc::DateGroupDataPilot(const ScDPNumGroupInfo &, int)()
1077         ScDBDocFunc aFunc( *GetViewData().GetDocShell() );
1078         pDPObj->SetSaveData( aData );
1079         aFunc.RefreshPivotTableGroups(pDPObj);
1080     
1081         // unmark cell selection
1082         Unmark();
>>>     CID 1500698:    (UNINIT)
>>>     Using uninitialized value "aData.mpGrandTotalName._M_payload._M_payload" when calling "~ScDPSaveData".
1083     }
1084     
1085     void ScDBFunc::NumGroupDataPilot( const ScDPNumGroupInfo& rInfo )
1086     {
1087         ScDPObject* pDPObj = GetViewData().GetDocument().GetDPAtCursor( GetViewData().GetCurX(),
1088                                             GetViewData().GetCurY(), GetViewData().GetTabNo() );
/sc/source/ui/view/dbfunc3.cxx: 1078 in ScDBFunc::DateGroupDataPilot(const ScDPNumGroupInfo &, int)()
1072                 nMask *= 2;
1073             }
1074         }
1075     
1076         // apply changes
1077         ScDBDocFunc aFunc( *GetViewData().GetDocShell() );
>>>     CID 1500698:    (UNINIT)
>>>     Using uninitialized value "aData.mpGrandTotalName". Field "aData.mpGrandTotalName._M_payload._M_payload" is uninitialized when calling "SetSaveData".
1078         pDPObj->SetSaveData( aData );
1079         aFunc.RefreshPivotTableGroups(pDPObj);
1080     
1081         // unmark cell selection
1082         Unmark();
1083     }

** CID 1500697:    (USE_AFTER_FREE)
/cppu/source/uno/eq.hxx: 571 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()


________________________________________________________________________________________________________
*** CID 1500697:    (USE_AFTER_FREE)
/cppu/source/uno/eq.hxx: 571 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()
565                         reinterpret_cast<typelib_IndirectTypeDescription *>(pDestTypeDescr)->pType,
566                         queryInterface, release );
567                 }
568                 else
569                 {
570                     TYPELIB_DANGER_GET( &pDestTypeDescr, pDestType );
>>>     CID 1500697:    (USE_AFTER_FREE)
>>>     Using freed pointer "pDestTypeDescr".
571                     bool bRet = _equalSequence(
572                         *static_cast<uno_Sequence **>(pDest), *static_cast<uno_Sequence **>(pSource),
573                         reinterpret_cast<typelib_IndirectTypeDescription *>(pDestTypeDescr)->pType,
574                         queryInterface, release );
575                     TYPELIB_DANGER_RELEASE( pDestTypeDescr );
576                     return bRet;
/cppu/source/uno/eq.hxx: 551 in cppu::_equalData(void *, _typelib_TypeDescriptionReference *, _typelib_TypeDescription *, void *, _typelib_TypeDescriptionReference *, void *(*)(void *, _typelib_TypeDescriptionReference *), void (*)(void *))()
545                     reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr),
546                     queryInterface, release );
547             }
548             else
549             {
550                 TYPELIB_DANGER_GET( &pDestTypeDescr, pDestType );
>>>     CID 1500697:    (USE_AFTER_FREE)
>>>     Calling "_equalStruct" dereferences freed pointer "reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr)".
551                 bool bRet = _equalStruct(
552                     pDest, pSource,
553                     reinterpret_cast<typelib_CompoundTypeDescription *>(pDestTypeDescr),
554                     queryInterface, release );
555                 TYPELIB_DANGER_RELEASE( pDestTypeDescr );
556                 return bRet;

** CID 1500696:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1500696:  Memory - illegal accesses  (USE_AFTER_FREE)
/cppu/source/uno/destr.hxx: 117 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
111             break;
112         case typelib_TypeClass_STRUCT:
113         case typelib_TypeClass_EXCEPTION:
114         {
115             typelib_TypeDescription * pTypeDescr = nullptr;
116             TYPELIB_DANGER_GET( &pTypeDescr, pType );
>>>     CID 1500696:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Calling "_destructStruct" dereferences freed pointer "reinterpret_cast<typelib_CompoundTypeDescription *>(pTypeDescr)".
117             _destructStruct( pAny->pData, reinterpret_cast<typelib_CompoundTypeDescription *>(pTypeDescr), release );
118             TYPELIB_DANGER_RELEASE( pTypeDescr );
119             std::free( pAny->pData );
120             break;
121         }
122         case typelib_TypeClass_SEQUENCE:

** CID 1500695:  Resource leaks  (RESOURCE_LEAK)
/svx/source/svdraw/svdundo.cxx: 1303 in SdrUndoDelLayer::Redo()()


________________________________________________________________________________________________________
*** CID 1500695:  Resource leaks  (RESOURCE_LEAK)
/svx/source/svdraw/svdundo.cxx: 1303 in SdrUndoDelLayer::Redo()()
1297     void SdrUndoDelLayer::Redo()
1298     {
1299         DBG_ASSERT(!bItsMine,"SdrUndoDelLayer::Undo(): Layer already belongs to UndoAction.");
1300         bItsMine=true;
1301         SdrLayer* pCmpLayer= pLayerAdmin->RemoveLayer(nNum).release();
1302         DBG_ASSERT(pCmpLayer==pLayer,"SdrUndoDelLayer::Redo(): Removed layer is != pLayer.");
>>>     CID 1500695:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "pCmpLayer" going out of scope leaks the storage it points to.
1303     }
1304     
1305     OUString SdrUndoDelLayer::GetComment() const
1306     {
1307         return SvxResId(STR_UndoDelLayer);
1308     }

** CID 1500694:    (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 474 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
/cppu/source/uno/sequence.cxx: 525 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()


________________________________________________________________________________________________________
*** CID 1500694:    (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 474 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
468         }
469         case typelib_TypeClass_STRUCT:
470         case typelib_TypeClass_EXCEPTION:
471         {
472             typelib_TypeDescription * pElementTypeDescr = nullptr;
473             TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>>     CID 1500694:    (USE_AFTER_FREE)
>>>     Dereferencing freed pointer "pElementTypeDescr".
474             sal_Int32 nElementSize = pElementTypeDescr->nSize;
475     
476             pSeq = reallocSeq( pSeq, nElementSize, nAlloc );
477             if (pSeq != nullptr)
478             {
479                 char * pDestElements = pSeq->elements;
/cppu/source/uno/sequence.cxx: 525 in cppu::icopyConstructFromElements(_sal_Sequence **, void *, _typelib_TypeDescriptionReference *, int, void (*)(void *), int)()
519             // coverity[suspicious_sizeof : FALSE] - sizeof(uno_Sequence*) is correct here
520             pSeq = reallocSeq(pSeq, sizeof(uno_Sequence*), nAlloc);
521             if (pSeq != nullptr)
522             {
523                 typelib_TypeDescription * pElementTypeDescr = nullptr;
524                 TYPELIB_DANGER_GET( &pElementTypeDescr, pElementType );
>>>     CID 1500694:    (USE_AFTER_FREE)
>>>     Using freed pointer "pElementTypeDescr".
525                 typelib_TypeDescriptionReference * pSeqElementType =
526                     reinterpret_cast<typelib_IndirectTypeDescription *>(pElementTypeDescr)->pType;
527                 uno_Sequence ** pDestElements = reinterpret_cast<uno_Sequence **>(pSeq->elements);
528                 for ( sal_Int32 nPos = 0; nPos < nStopIndex; ++nPos )
529                 {
530                     uno_Sequence * pNew = icopyConstructSequence(


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypSs1kiFPuCn2xFdlMIFBirii0zZ9j2-2F9F2XPBcBm2BNgi9duPy3v-2FzgFDd2LJ-2BDKI-3Dl5we_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJi-2FDITY-2FO94d2hHUHNOYWNuUirFwUaO10LjYYZ39T3pn8KXmdukoQhEum1Ckke9-2FsylJmhB3fDRW-2FqPTPmsFpD24NBugIdG1S0fhh10GGzy8hMeLdIMqWwAoO4biEkVMaLmRV0GRnqqQAwpLzROe0sRUljIvSf915YbR5R5e84Raw-3D


