[Xcb] Null pointer dereference in xcb_image_get
Peter Harris
pharris at opentext.com
Tue Aug 20 07:19:13 PDT 2013
On 2013-08-18 19:38, Alan Coopersmith wrote:
> Our in-house static analyzer has reported:
>
> Error: Null pointer dereference
> Null pointer dereference (CWE 476): Read from null pointer image
> at line 339 of xcb/util-image/image/xcb_image.c in function
> 'xcb_image_get'.
> at line 341 of xcb/util-image/image/xcb_image.c in function
> 'xcb_image_get'.
>
> It seems to be correct from looking at the code:
> http://cgit.freedesktop.org/xcb/util-image/tree/image/xcb_image.c#n300
>
> image is set to 0 at line 313, and isn't set to another value until 355,
> well after the uses at 339 & 341.
>
> I'm not sure what the fix should be - from the src_plane & dst_plane
> references in 339 & 340, it appears the code believes there should be two
> distinct images here, but I don't know where or to what image should be
> set to make that true. My best guess is something in imrep should be used.
> Anyone know?
Looks like 339: "src_plane = data", 341: "size = tmp_image->height *
tmp_image->stride", 346: "if (rpm & (1 << i))", and 371: "assert(bytes ==
image->size)" should be moved up into the ZPixmap case.
I didn't send this in patch format partly because I didn't even compile
it, but mostly for the following reason:
Given that XYPixmap is completely broken, nobody can be using it. There
are probably more bugs lurking. Perhaps the best fix is to document that
only ZPixmap is a valid argument to xcb_image_get and remove the whole
XCB_IMAGE_FORMAT_XY_PIXMAP case entirely.
Peter Harris
--
Open Text Connectivity Solutions Group
Peter Harris http://connectivity.opentext.com/
Research and Development Phone: +1 905 762 6001
pharris at opentext.com Toll Free: 1 877 359 4866
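The defect pattern the analyzer flagged, as an added example that is not the util-image code: a pointer is initialised to NULL at the top of the function and one format branch reads through it before anything assigns it. The names here (img, img_reply, get_image_buggy, get_image_fixed, the format enum values and the 4x2 sample reply) are constructed for illustration; the "fixed" variant follows the suggestion in the thread of accepting only ZPixmap and taking the size from the reply rather than from the unset pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the image formats; placeholder values, not the
 * protocol constants. */
enum img_format { IMG_FORMAT_XY_PIXMAP = 0, IMG_FORMAT_Z_PIXMAP = 1 };

/* Hypothetical image object: only the fields the bug pattern touches. */
typedef struct {
    uint32_t width, height, depth, stride;
    size_t   size;
    uint8_t *data;
} img;

/* Hypothetical stand-in for the GetImage reply ("imrep" in the thread). */
typedef struct {
    uint32_t width, height, depth, stride;
    const uint8_t *data;
    size_t data_len;
} img_reply;

/* Shape of the defect: 'image' starts out NULL and the XYPixmap branch reads
 * image->height / image->stride before any assignment. Calling this with
 * IMG_FORMAT_XY_PIXMAP dereferences NULL (CWE-476); it is here to show the
 * pattern and is never called by the check below. */
img *get_image_buggy(const img_reply *rep, enum img_format fmt)
{
    img *image = NULL;
    size_t size = 0;

    switch (fmt) {
    case IMG_FORMAT_XY_PIXMAP:
        size = (size_t)image->height * image->stride;  /* image is still NULL here */
        break;
    case IMG_FORMAT_Z_PIXMAP:
        size = (size_t)rep->height * rep->stride;
        break;
    }
    image = malloc(sizeof *image);                     /* first assignment, too late */
    if (!image)
        return NULL;
    image->width = rep->width;  image->height = rep->height;
    image->depth = rep->depth;  image->stride = rep->stride;
    image->size = size;
    image->data = malloc(size);
    if (!image->data) { free(image); return NULL; }
    memcpy(image->data, rep->data, size);
    return image;
}

/* Corrected shape: only ZPixmap is accepted, the size comes from the reply,
 * and the length check runs before anything is allocated or copied. */
img *get_image_fixed(const img_reply *rep, enum img_format fmt)
{
    if (!rep || fmt != IMG_FORMAT_Z_PIXMAP)
        return NULL;                      /* XYPixmap: documented as unsupported */

    size_t size = (size_t)rep->height * rep->stride;
    if (size != rep->data_len)
        return NULL;                      /* reply length disagrees with geometry */

    img *image = malloc(sizeof *image);
    if (!image)
        return NULL;
    image->width  = rep->width;
    image->height = rep->height;
    image->depth  = rep->depth;
    image->stride = rep->stride;
    image->size   = size;
    image->data   = malloc(size);
    if (!image->data) {
        free(image);
        return NULL;
    }
    memcpy(image->data, rep->data, size);
    return image;
}

void img_free(img *image)
{
    if (image) {
        free(image->data);
        free(image);
    }
}

/* Constructed 4x2, 8-bit reply: stride 4 bytes, 8 bytes of pixel data. */
static const uint8_t sample_pixels[8] = {1, 2, 3, 4, 5, 6, 7, 8};
const img_reply sample_reply = {4, 2, 8, 4, sample_pixels, sizeof sample_pixels};
```

The point of the fixed variant is ordering: every value the function needs before allocation is taken from the reply it was given, so there is no window in which a not-yet-assigned pointer can be read, and the size check that the original code only asserts at the end is done up front where a mismatch can still be refused cleanly.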