Examples of errors detected by the V522 diagnostic
V522. Possible null pointer dereference.
Chromium
V522 Dereferencing of the null pointer 'plugin_instance' might take place. Check the logical condition. chrome_frame_npapi chrome_frame_npapi.cc 517
bool ChromeFrameNPAPI::Invoke(....)
{
ChromeFrameNPAPI* plugin_instance =
ChromeFrameInstanceFromNPObject(header);
if (!plugin_instance &&
(plugin_instance->automation_client_.get()))
return false;
....
}
LLVM/Clang
V522 Dereferencing of the null pointer 'DI' might take place. llvm-tblgen dagiselmatchergen.cpp 220
void MatcherGen::EmitLeafMatchCode(const TreePatternNode *N) {
....
if (DI == 0) {
errs() << "Unknown leaf kind: " << *DI << "\n";
abort();
}
....
}
PCSX2
V522 Dereferencing of the null pointer 'ptag' might take place. pcsx2 spr.cpp 376
void _SPR1interleave() {
....
u32 *ptag;
....
if (ptag == NULL) {
SysPrintf("SPR1 Tag BUSERR\n");
spr1->chcr = ( spr1->chcr & 0xFFFF ) |
( (*ptag) & 0xFFFF0000 );
psHu32(DMAC_STAT)|= 1<<15;
done = 1;
spr1finished = done;
return;
}
....
}
GeoLib
V522 Dereferencing of the null pointer 'pRect' might take place. geOLib geolib.cpp 3282
void WINAPI _GetMonitorRectByIndex( int iMonitor, RECT* pRect )
{
int iMonitorCount = ::GetSystemMetrics( SM_CMONITORS );
if ( iMonitor <= iMonitorCount || pRect != NULL ) // <=
{
if ( iMonitorCount == 1 )
{
pRect->left = 0;
pRect->top = 0;
pRect->right = GetSystemMetrics( SM_CXSCREEN );
pRect->bottom = GetSystemMetrics( SM_CYSCREEN );
}
....
}
else
{
pRect->left = -1; // <=
pRect->top = -1;
pRect->right = -1;
pRect->bottom = -1;
}
}
Blender
V522 Dereferencing of the null pointer 'tpart' might take place. bf_render convertblender.c 1788
static int render_new_particle_system(....)
{
ParticleSettings *part, *tpart=0;
....
// tpart don't used
....
psys_particle_on_emitter(psmd,tpart->from,tpa->num,
pa->num_dmcache,tpa->fuv,tpa->foffset,
co,nor,0,0,sd.orco,0);
....
}
Blender
V522 Dereferencing of the null pointer 'eraser' might take place. Check the bitwise operation. gpencil_paint.cc 1429
static bool gpencil_stroke_eraser_is_occluded (tGPsdata *p, bGPDlayer *gpl,
bGPDspoint *pt, const int x,
const int y)
{
Object *obact = (Object *)p->ownerPtr.data;
Brush *brush = p->brush;
Brush *eraser = p->eraser;
BrushGpencilSettings *gp_settings = nullptr;
if (brush->gpencil_tool == GPAINT_TOOL_ERASE)
{
gp_settings = brush->gpencil_settings;
}
else
if ((eraser != nullptr) &
(eraser->gpencil_tool == GPAINT_TOOL_ERASE)) // <=
{
gp_settings = eraser->gpencil_settings;
}
if ((gp_settings != nullptr) &&
(gp_settings->flag & GP_BRUSH_OCCLUDE_ERASER) ) {
RegionView3D *rv3d = static_cast<RegionView3D *>(p->region->regiondata);
....
return false;
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'eraser' might take place. Check the bitwise operation. gpencil_paint.cc 1821
Blender
V522 Dereferencing of the null pointer 'block' might take place. interface_widgets.cc 5294
void ui_draw_popover_back (ARegion *region, uiStyle * /*style*/,
uiBlock *block, rcti *rect )
{
....
if (block)
{
float mval_origin[2] = {float(block->bounds_offset[0]),
float(block->bounds_offset[1])};
ui_window_to_block_fl (region, block, &mval_origin[0], &mval_origin[1]);
ui_draw_popover_back_impl (wt->wcol_theme, rect, block->direction,
U.widget_unit / block->aspect, mval_origin);
}
else
{
const float zoom = 1.0f / block->aspect; // <=
wt->state (wt, &STATE_INFO_NULL, UI_EMBOSS_UNDEFINED);
wt->draw_block (&wt->wcol, rect, 0, 0, zoom);
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'em' might take place. transform.cc 2117
- V522 Dereferencing of the null pointer 'mesh' might take place. MOD_cloth.cc 108
- V522 Dereferencing of the null pointer 'data.mval_fl' might take place. editmesh_select.cc 801
Visualization Toolkit (VTK)
V522 Dereferencing of the null pointer 'td' might take place. CommonCxxTests testconditionvariable.cxx 96
VTK_THREAD_RETURN_TYPE vtkTestCondVarThread( void* arg )
{
....
if ( td ) // <=
{
....
}
else
{
cout << "No thread data!\n";
cout << " Thread " << ( threadId + 1 )
<< " of " << threadCount << " exiting.\n";
-- td->NumberOfWorkers; // <=
cout.flush();
}
....
}
ffdshow
V522 Dereferencing of the null pointer 'audio' might take place. tffdshowdecaudioinputpin.cpp 468
STDMETHODIMP_(bool) TffdshowDecAudioInputPin::getsf(
TsampleFormat &outsf)
{
if (!audio)
{
.... // audio don't used
} else if (bitstream_codec(audio->codecId)) {
outsf.sf = TsampleFormat::getSampleFormat(codecId);
outsf.alternateSF = filter->insf.alternateSF;
return true;
}
} else {
....
}
D programming language
V522 Dereferencing of the null pointer 'v' might take place. interpret.c 1711
Expression *getVarExp(Loc loc, InterState *istate,
Declaration *d, CtfeGoal goal)
{
....
VarDeclaration *v = d->isVarDeclaration();
if (v)
{
....
}
else if (s)
{
if (s->dsym->toInitializer() == s->sym)
....
else
error(loc,
"cannot interpret symbol %s at compile time",
v->toChars());
}
....
}
ReactOS
V522 Dereferencing of the null pointer 'device' might take place. bus.c 762
static void
acpi_bus_notify (....)
{
struct acpi_device *device = NULL;
....
switch (type) {
....
case ACPI_NOTIFY_EJECT_REQUEST:
DPRINT1("Received EJECT REQUEST "
"notification for device [%s]\n",
device->pnp.bus_id);
/* TBD */
break;
....
}
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'device' might take place. bus.c 768
- V522 Dereferencing of the null pointer 'device' might take place. bus.c 774
- V522 Dereferencing of the null pointer 'device' might take place. bus.c 780
- And 1 additional diagnostic messages.
ReactOS
V522 Dereferencing of the null pointer 'tag' might take place. ir_reader.cpp 904
ir_texture *
ir_reader::read_texture(s_expression *expr)
{
s_symbol *tag = NULL;
....
} else if (MATCH(expr, other_pattern)) {
op = ir_texture::get_opcode(tag->value());
if (op == -1)
return NULL;
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 's_shadow' might take place. ir_reader.cpp 964
- V522 Dereferencing of the null pointer 'BootSectorInfo' might take place. disksup.c 1750
- V522 Dereferencing of the null pointer 'BootSectorInfo' might take place. disksup.c 1751
- And 1 additional diagnostic messages.
Windows 8 Driver Samples
V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 903
HRESULT CSensorDDI::OnGetDataFields(....)
{
....
if (nullptr != pSensor)
{
....
}
else
{
hr = E_POINTER;
Trace(TRACE_LEVEL_ERROR,
"pSensor == NULL before getting datafield %!GUID!-%i "
"value from %s, hr = %!HRESULT!",
&Key.fmtid, Key.pid, pSensor->m_SensorName, hr);
}
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'pSensor' might take place. sensorddi.cpp 1852
NetXMS
V522 Dereferencing of the null pointer 'subnet' might take place. session.cpp 10823
void ClientSession::findIpAddress(CSCPMessage *request)
{
....
if (subnet != NULL)
{
debugPrintf(5, _T("findIpAddress(%s): found subnet %s"),
ipAddrText,
subnet->Name());
found = subnet->findMacAddress(ipAddr, macAddr);
}
else
{
debugPrintf(5, _T("findIpAddress(%s): subnet not found"),
ipAddrText,
subnet->Name());
}
....
}
Multi Theft Auto
V522 Dereferencing of the null pointer 'pPlayer' might take place. cgame.cpp 1895
void CGame::Packet_PlayerJoinData ( .... )
{
....
// Add the player
CPlayer* pPlayer = m_pPlayerManager->Create (....);
if ( pPlayer )
{
....
}
else
{
// Tell the console
CLogger::LogPrintf(
"CONNECT: %s failed to connect "
"(Player Element Could not be created.)\n",
pPlayer->GetSourceIP() );
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'pPlayer' might take place. cgame.cpp 1901
Multi Theft Auto
V522 Dereferencing of the null pointer 'szCmdLine' might take place. Check the logical condition. clientcommands.cpp 396
void COMMAND_MessageTarget ( const char* szCmdLine )
{
if ( !(szCmdLine || szCmdLine[0]) )
return;
....
}
Trans-Proteomic Pipeline
V522 Dereferencing of the null pointer 'pepIndx' might take place. asapcgidisplay2main.cxx 534
void ASAPRatio_getDataStrctRatio(dataStrct *data, ....)
{
....
int *outliers, *pepIndx=NULL;
....
//pepIndx don't used
....
if(data->dataCnts[i] == 1 && pepIndx[i] == 0)
data->dataCnts[i] = 0;
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 556
- V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 557
- V522 Dereferencing of the null pointer 'peptides' might take place. asapcgidisplay2main.cxx 558
- And 3 additional diagnostic messages.
Data Distribution Service
V522 Dereferencing of the null pointer 'file' might take place. util.h 24
static ACE_FILE_IO *audio_to_text (ACE_FILE_Addr &,
ACE_FILE_Addr &dest)
{
ACE_FILE_Connector connector;
ACE_FILE_IO *file = 0;
if (connector.connect (*file, dest) == -1)
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'file' might take place. util.h 39
Scilab
V522 Dereferencing of the null pointer 'dataPtr' might take place. scilababstractmemoryallocator.hxx 222
/// Allocates a rows x cols Integer32 matrix at `position` in the Scilab API
/// context and returns a pointer to its element storage.
/// The trailing `ptr` parameter is not used by this overload.
/// Whatever allocMatrixOfInteger32 reports is handed to checkError.
inline static int *alloc(void * pvApiCtx, const int position,
                         const int rows, const int cols, int * ptr)
{
    int *storage = 0;
    SciErr status = allocMatrixOfInteger32(pvApiCtx, position, rows, cols,
                                           &storage);
    checkError(status);
    return storage;
}
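/// Creates a rows x cols Integer32 matrix at `position` and copies the first
/// rows * cols values of `ptr` into it, narrowing each value to int.
/// `ptr` must point to at least rows * cols elements.
/// Allocation errors are routed through checkError inside alloc().
inline static void create(void * pvApiCtx, const int position,
                          const int rows, const int cols, long long * ptr)
{
    int * dataPtr = 0;
    // alloc() returns the new buffer; the original discarded that return
    // value and then wrote through the still-null dataPtr.
    dataPtr = alloc(pvApiCtx, position, rows, cols, dataPtr);
    // Defensive: if checkError() reports without aborting, never write
    // through a null buffer.
    if (dataPtr == 0)
    {
        return;
    }
    const int count = rows * cols;
    for (int i = 0; i < count; i++)
    {
        dataPtr[i] = static_cast<int>(ptr[i]);
    }
}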
This is what should have been written here: dataPtr = alloc(pvApiCtx, position, rows, cols, dataPtr);
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'dataPtr' might take place. scilababstractmemoryallocator.hxx 237
- V522 Dereferencing of the null pointer 'ptr' might take place. scilababstractmemoryallocator.hxx 401
Unreal Engine 4
V522 Dereferencing of the null pointer 'LevelStreamingObject' might take place. unrealengine.cpp 10768
bool UEngine::CommitMapChange( FWorldContext &Context )
{
....
LevelStreamingObject = Context.World()->StreamingLevels[j];
if (LevelStreamingObject != NULL)
{
....
}
else
{
check(LevelStreamingObject);
UE_LOG(LogStreaming, Log,
TEXT("Unable to handle streaming object %s"),
*LevelStreamingObject->GetName());
}
....
}
Unreal Engine 4
V522 Dereferencing of the null pointer 'GStreamingPauseBackground' might take place. streamingpauserendering.cpp 197
void FStreamingPause::Init()
{
....
if( GStreamingPauseBackground == NULL && GUseStreamingPause )
{
// @todo UE4 merge andrew
// GStreamingPauseBackground = new FFrontBufferTexture(....);
GStreamingPauseBackground->InitRHI();
}
}
Qt
V522 Dereferencing of the null pointer 'dn' might take place. qdocindexfiles.cpp 539
void QDocIndexFiles::readIndexSection(....)
{
....
DocNode* dn = qdb_->findGroup(groupNames[i]);
if (dn) {
dn->addMember(node);
}
else {
....
qDebug() << "DID NOT FIND GROUP:" << dn->name()
<< "for:" << node->name();
}
....
}
Qt
V522 Dereferencing of the null pointer 'm' might take place. qquickcontext2d.cpp 3169
QV4::ReturnedValue QQuickJSContext2DPixelData::getIndexed(
QV4::Managed *m, uint index, bool *hasProperty)
{
....
if (!m)
return m->engine()->currentContext()->throwTypeError();
....
}
OpenJPEG
V522 Dereferencing of the null pointer 'l_image' might take place. j2k.c 5205
bool j2k_write_rgn(....)
{
OPJ_BYTE * l_current_data = 00;
OPJ_UINT32 l_nb_comp;
OPJ_UINT32 l_rgn_size;
opj_image_t *l_image = 00;
opj_cp_t *l_cp = 00;
opj_tcp_t *l_tcp = 00;
opj_tccp_t *l_tccp = 00;
OPJ_UINT32 l_comp_room;
// preconditions
assert(p_j2k != 00);
assert(p_manager != 00);
assert(p_stream != 00);
l_cp = &(p_j2k->m_cp);
l_tcp = &l_cp->tcps[p_tile_no];
l_tccp = &l_tcp->tccps[p_comp_no];
l_nb_comp = l_image->numcomps;
....
}
Miranda NG
V522 Dereferencing of the null pointer 'cont' might take place. EmLanProto mlan.cpp 342
void CMLan::OnRecvPacket(u_char* mes, int len, in_addr from)
{
....
TContact* cont = m_pRootContact;
....
if (!cont)
RequestStatus(true, cont->m_addr.S_un.S_addr);
....
}
LibreOffice
V522 Dereferencing of the null pointer 'pLabelData' might take place. Check the logical condition. pivotlayouttreelistdata.cxx 157
void ScPivotLayoutTreeListData::PushDataFieldNames(
vector<ScDPName>& rDataFieldNames)
{
....
ScDPLabelData* pLabelData = mpParent->GetLabelData(nColumn);
if (pLabelData == NULL && pLabelData->maName.isEmpty())
continue;
....
}
LibreOffice
V522 Dereferencing of the null pointer 'pWindow' might take place. Check the logical condition. querycontroller.cxx 293
void grabFocusFromLimitBox( OQueryController& _rController )
{
....
vcl::Window* pWindow = VCLUnoHelper::GetWindow( xWindow );
if( pWindow || pWindow->HasChildPathFocus() )
{
pWindow->GrabFocusToDocument();
}
....
}
LibreOffice
V522 Dereferencing of the null pointer 'piTmpConnection' might take place. adodatalinks.cxx 84
BSTR PromptNew(long hWnd)
{
....
ADOConnection* piTmpConnection = NULL;
::CoInitialize( NULL );
hr = CoCreateInstance(
CLSID_DataLinks,
NULL,
CLSCTX_INPROC_SERVER,
IID_IDataSourceLocator,
(void**)&dlPrompt
);
if( FAILED( hr ) )
{
piTmpConnection->Release();
dlPrompt->Release( );
return connstr;
}
....
}
.NET CoreCLR
V522 Dereferencing of the null pointer 'hp' might take place. cee_wks gc.cpp 4488
heap_segment* gc_heap::get_segment_for_loh (size_t size
#ifdef MULTIPLE_HEAPS
, gc_heap* hp
#endif //MULTIPLE_HEAPS
)
{
#ifndef MULTIPLE_HEAPS
gc_heap* hp = 0;
#endif //MULTIPLE_HEAPS
heap_segment* res = hp->get_segment (size, TRUE);
....
}
When 'MULTIPLE_HEAPS' is not defined, this is wrong, because the pointer is set to zero and then dereferenced.
Godot Engine
V522 Dereferencing of the null pointer 'create_trimesh_collision_node()' might take place. mesh_instance.cpp 177
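/// Builds a StaticBody carrying a trimesh collision shape for this
/// instance's mesh.
/// Returns NULL when the instance has no mesh or the mesh yields no shape,
/// so callers must check the result before dereferencing it (the caller
/// create_trimesh_collision below does not).
Node* MeshInstance::create_trimesh_collision_node()
{
    if (mesh.is_null())
        return NULL;
    Ref<Shape> shape = mesh->create_trimesh_shape();
    if (shape.is_null())
        return NULL;
    StaticBody *static_body = memnew( StaticBody );
    static_body->add_shape( shape );
    // The original had an unreachable `return NULL;` after this return.
    return static_body;
}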
void MeshInstance::create_trimesh_collision()
{
StaticBody* static_body =
create_trimesh_collision_node()->cast_to<StaticBody>();
ERR_FAIL_COND(!static_body);
static_body->set_name( String(get_name()) + "_col" );
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'create_convex_collision_node()' might take place. mesh_instance.cpp 211
Unreal Engine 4
V522 Dereferencing of the null pointer 'GEngine' might take place. Check the logical condition. gameplaystatics.cpp 988
void UGameplayStatics::DeactivateReverbEffect(....)
{
if (GEngine || !GEngine->UseSound())
{
return;
}
UWorld* ThisWorld = GEngine->GetWorldFromContextObject(....);
....
}
Mozilla Thunderbird
V522 Dereferencing of the null pointer 'aStyleValues' might take place. sdnaccessible.cpp 252
STDMETHODIMP sdnAccessible::get_computedStyle(
BSTR __RPC_FAR* aStyleProperties,
BSTR __RPC_FAR* aStyleValues,
unsigned short __RPC_FAR* aNumStyleProperties)
{
if (!aStyleProperties || aStyleValues || !aNumStyleProperties)
return E_INVALIDARG;
....
aStyleValues[realIndex] = ::SysAllocString(value.get());
....
}
ChakraCore
V522 Dereferencing of the null pointer 'tempNumberTracker' might take place. backwardpass.cpp 578
void
BackwardPass::MergeSuccBlocksInfo(BasicBlock * block)
{
TempNumberTracker * tempNumberTracker = nullptr; // <= line 346
....
if (!block->isDead)
{
....
if(!IsCollectionPass())
{
....
if (this->DoMarkTempNumbers())
{
tempNumberTracker = JitAnew(....); // <= line 413
}
....
....
if (blockSucc->tempNumberTracker != nullptr)
{
....
tempNumberTracker->MergeData(....); // <= line 578
if (deleteData)
{
blockSucc->tempNumberTracker = nullptr;
}
}
....
}
FreeBSD Kernel
V522 Dereferencing of the null pointer 'sc' might take place. mrsas.c 4027
void
mrsas_aen_handler(struct mrsas_softc *sc)
{
....
if (!sc) {
device_printf(sc->mrsas_dev, "invalid instance!\n");
return;
}
if (sc->evt_detail_mem) {
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'sc' might take place. mrsas.c 1279
- V522 Dereferencing of the null pointer 'sc' might take place. tws_cam.c 1066
- V522 Dereferencing of the null pointer 'sc' might take place. blkfront.c 677
- And 4 additional diagnostic messages.
OpenToonz
V522 Dereferencing of the null pointer 'region' might take place. Check the logical condition. palettecmd.cpp 102
bool isStyleUsed(const TVectorImageP vi, int styleId)
{
....
TRegion *region = vi->getRegion(i);
if (region || region->getStyle() != styleId)
return true;
....
}
OpenJDK
V522 Dereferencing of the null pointer 'data' might take place. util.c 2424
static jint JNICALL
cbObjectTagInstance(....)
{
ClassInstancesData *data;
/* Check data structure */
data = (ClassInstancesData*)user_data;
if (data == NULL) {
data->error = AGENT_ERROR_ILLEGAL_ARGUMENT;
return JVMTI_VISIT_ABORT;
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'data' might take place. util.c 2543
- V522 Dereferencing of the null pointer 'data' might take place. util.c 2601
- V522 Dereferencing of the null pointer 'data' might take place. util.c 2760
Blender
V522 Dereferencing of the null pointer 've' might take place. functions1d.cpp 107
int QuantitativeInvisibilityF1D::operator()(....)
{
ViewEdge *ve = dynamic_cast<ViewEdge*>(&inter);
if (ve) {
result = ve->qi();
return 0;
}
FEdge *fe = dynamic_cast<FEdge*>(&inter);
if (fe) {
result = ve->qi(); // <=
return 0;
}
....
}
Blender
V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 765
static ImBuf *accessor_get_ibuf(....)
{
ImBuf *ibuf, *orig_ibuf, *final_ibuf;
....
/* First try to get fully processed image from the cache. */
ibuf = accesscache_get(accessor,
clip_index,
frame,
input_mode,
downscale,
transform_key);
if (ibuf != NULL) {
return ibuf;
}
/* And now we do postprocessing of the original frame. */
orig_ibuf = accessor_get_preprocessed_ibuf(accessor,
clip_index,
frame);
if (orig_ibuf == NULL) {
return NULL;
}
....
if (downscale > 0) {
if (final_ibuf == orig_ibuf) {
final_ibuf = IMB_dupImBuf(orig_ibuf);
}
IMB_scaleImBuf(final_ibuf,
ibuf->x / (1 << downscale), // <=
ibuf->y / (1 << downscale)); // <=
}
....
if (input_mode == LIBMV_IMAGE_MODE_RGBA) {
BLI_assert(ibuf->channels == 3 || // <=
ibuf->channels == 4); // <=
}
....
return final_ibuf;
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 766
- V522 Dereferencing of the null pointer 'ibuf' might take place. tracking_util.c 783
Chromium
V522 Dereferencing of the null pointer 'item' might take place. action_wait.cc 41
// Returns the item associated with the component |id| or nullptr
// in case of errors.
CrxUpdateItem* FindUpdateItemById(const std::string& id) const;
void ActionWait::Run(UpdateContext* update_context,
Callback callback)
{
....
while (!update_context->queue.empty())
{
auto* item =
FindUpdateItemById(update_context->queue.front());
if (!item) { // <=
item->error_category = // <=
static_cast<int>(ErrorCategory::kServiceError);
item->error_code = // <=
static_cast<int>(ServiceError::ERROR_WAIT);
ChangeItemState(item, CrxUpdateItem::State::kNoUpdate);
} else {
NOTREACHED();
}
update_context->queue.pop();
}
....
}
LLVM/Clang
V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 106
Expected<std::unique_ptr<PDBFile>>
PDBFileBuilder::build(
std::unique_ptr<msf::WritableStream> PdbFileBuffer)
{
....
auto File = llvm::make_unique<PDBFile>(
std::move(PdbFileBuffer), Allocator);
File->ContainerLayout = *ExpectedLayout;
if (Info) {
auto ExpectedInfo = Info->build(*File, *PdbFileBuffer);
....
}
This code is not entirely clear to me, as I have not studied what llvm::make_unique is or how it works in general. Nevertheless, both the analyzer and I are puzzled by the same thing: at first glance, ownership of the object held by the smart pointer PdbFileBuffer is transferred to File, and after that PdbFileBuffer — which now holds nullptr — is dereferenced.
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 113
- V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 120
- V522 Dereferencing of the null pointer 'PdbFileBuffer' might take place. PDBFileBuilder.cpp 127
FreeBSD Kernel
V522 Dereferencing of the null pointer 'ccb' might take place. The null pointer is passed into 'iscsi_outstanding_add' function. Inspect the third argument. Check lines: 'iscsi.c:2157'. iscsi.c 2091
static struct iscsi_outstanding *
iscsi_outstanding_add(struct iscsi_session *is,
struct icl_pdu *request,
union ccb *ccb,
uint32_t *initiator_task_tagp)
{
struct iscsi_outstanding *io;
int error;
ISCSI_SESSION_LOCK_ASSERT(is);
io = uma_zalloc(iscsi_outstanding_zone, M_NOWAIT | M_ZERO);
if (io == NULL) {
ISCSI_SESSION_WARN(is, "failed to allocate %zd bytes",
sizeof(*io));
return (NULL);
}
error = icl_conn_task_setup(is->is_conn, request, &ccb->csio,
initiator_task_tagp, &io->io_icl_prv);
....
}
static void
iscsi_action_abort(struct iscsi_session *is, union ccb *ccb)
{
....
io = iscsi_outstanding_add(is, request, NULL,
&initiator_task_tag);
....
}
CryEngine V
V522 Dereferencing of the null pointer 'pCEntity' might take place. BreakableManager.cpp 2396
int CBreakableManager::HandlePhysics_UpdateMeshEvent(....)
{
CEntity* pCEntity = 0;
....
if (pmu && pSrcStatObj && GetSurfaceType(pSrcStatObj))
{
....
if (pEffect)
{
....
if (normal.len2() > 0)
pEffect->Spawn(true, pCEntity->GetSlotWorldTM(...); // <=
}
}
....
if (iForeignData == PHYS_FOREIGN_ID_ENTITY)
{
pCEntity = (CEntity*)pForeignData;
if (!pCEntity || !pCEntity->GetPhysicalProxy())
return 1;
}
....
}
Scilab
V522 Dereferencing of the null pointer 'dataz' might take place. polylinedata_wrap.c 373
BOOL translatePolyline(int uid, double x, double y, double z,
int flagX, int flagY, int flagZ)
{
double *datax = NULL;
double *datay = NULL;
double *dataz = NULL; // <=
int i = 0;
if (x != 0.0)
{
datax = getDataX(uid);
if (datax == NULL) return FALSE;
....
if (z != 0 && isZCoordSet(uid))
{
if (flagZ) {
for (i = 0; i < getDataSize_(uid); ++i)
{
dataz[i] = pow(10.,log10(dataz[i]) + z); // <=
}
} else {
for (i = 0; i < getDataSize_(uid); ++i)
{
dataz[i] += z; // <=
}
}
}
return TRUE;
}
Bind
V522 Dereferencing of the null pointer 'stylep' might take place. Check the logical condition. delv.c 500
static isc_result_t
setup_style(dns_master_style_t **stylep) {
isc_result_t result;
dns_master_style_t *style = NULL;
REQUIRE(stylep != NULL || *stylep == NULL);
....
}
Aspell
V522 There might be dereferencing of a potential null pointer 'first'. objstack.cpp 21
/// Creates a stack whose chunks are `chunk_s` bytes and whose allocations
/// are aligned to `align`; the first chunk is obtained with malloc here.
/// NOTE(review): the malloc result is written to (`first->next`) without a
/// null check, so an allocation failure becomes a null dereference.
ObjStack::ObjStack(size_t chunk_s, size_t align)
  : chunk_size(chunk_s), min_align(align), temp_end(0)
{
  first = static_cast<Node *>(malloc(chunk_size));
  first_free = first;
  first->next = 0;
  reserve = 0;
  setup_chunk();
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'reinterpret_cast< void * * > (block)'. block_slist-t.hpp 27
- V522 There might be dereferencing of a potential null pointer 'w1.str'. prezip.c 87
- V522 There might be dereferencing of a potential null pointer 'w'. prezip.c 164
- And 2 additional diagnostic messages.
Tizen
V522 There might be dereferencing of a potential null pointer 'list'. storage-plugin-sample.c 564
storage_error_code_t sample_get_list(....)
{
....
storage_adaptor_file_info_h *list = NULL;
int len = g_list_length(_file_list);
if (0 < len) {
list = (storage_adaptor_file_info_h *) // <=
calloc(len, sizeof(storage_adaptor_file_info_h));
for (int i = 0; i < len; i++)
list[i] = (storage_adaptor_file_info_h) // <=
g_list_nth_data(_file_list, i);
}
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'plugin_task'. storage-plugin-sample.c 1016
/* Allocates a zeroed async_job_t bound to `fd`.
 * Returns NULL when calloc fails; the caller owns the returned job. */
static async_job_t *create_job_s(int fd)
{
    async_job_t *new_job = (async_job_t *) calloc(1, sizeof(async_job_t));
    if (new_job == NULL)
        return NULL;
    /* calloc already zeroed the block; the explicit stores keep the
     * intent visible. */
    new_job->local_path = NULL;
    new_job->cloud_path = NULL;
    new_job->fd = fd;
    return new_job;
}
storage_error_code_t sample_upload_async(....)
{
....
async_job_t *plugin_task = create_job_s(src_file_descriptor);
char *path = NULL;
path = g_strconcat(VIRTUAL_ROOT_PATH(context),
dir_path ? dir_path : "", "/", file_name, NULL);
plugin_task->cloud_path = path; // <=
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'cb_data'. util.c 37
void back_button_cb_push(....)
{
back_button_cb_data *cb_data = malloc(sizeof(*cb_data));
cb_data->cb = cb;
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'info'. navigator.c 2819
static void on_gesture_detected(void *data,
const Eldbus_Message *msg)
{
....
Gesture_Info *info = calloc(sizeof(Gesture_Info), 1); // <=
int g_type;
if (!msg) {
DEBUG("Incoming message is empty");
free(info);
return;
}
if (!eldbus_message_arguments_get(....)) {
DEBUG("Getting message arguments failed");
free(info);
return;
}
info->type = (Gesture)g_type; // <=
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'item_type'. list_util.c 72
HAPI void quickpanel_list_util_set_item_type(....)
{
....
if (item_type == NULL) {
item_type = (int*)malloc(sizeof(int));
*item_type = type;
evas_object_data_set(item, E_DATA_ITEM_LABEL_H,
(void*)item_type);
}
}
Tizen
V522 There might be dereferencing of a potential null pointer 'popup_data'. popup.c 1167
void
popup_cb(void *data, Evas_Object *obj, void *event_info)
{
....
win_data *popup_data = (win_data*)malloc(sizeof(win_data));
elm_theme_extension_add(NULL, ELM_DEMO_EDJ);
/* We convince the top widget is a window */
win = ad->win;
list = elm_list_add(ad->nf);
elm_list_mode_set(list, ELM_LIST_COMPRESS);
popup_data->list = list;
popup_data->win = win;
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'inputHandle'. cpp_audio_io.cpp 928
int cpp_audio_in_peek(audio_in_h input, const void **buffer,
unsigned int *length) {
....
CAudioInput* inputHandle =
dynamic_cast<CAudioInput*>(handle->audioIoHandle);
assert(inputHandle);
inputHandle->peek(buffer, &_length);
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'preedit_attr'. ise.cpp 392
void ise_update_preedit_string(....)
{
....
ime_preedit_attribute *preedit_attr;
....
preedit_attr = (ime_preedit_attribute *)
calloc(1, sizeof(ime_preedit_attribute));
preedit_attr->start = 0;
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'msg'. QuickAccess.cpp 743
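/// Sends the four colour channels (r, g, b, a) to the edje object behind
/// `button` as an EDJE_MESSAGE_INT_SET message.
/// The message is allocated with room for three extra ints beyond
/// sizeof(*msg), which is what four `val` entries need here.
/// Does nothing when the message cannot be allocated; the original wrote
/// through the unchecked malloc result.
void QuickAccess::setButtonColor(Evas_Object* button,
                                 int r, int g, int b, int a)
{
    Edje_Message_Int_Set* msg =
        static_cast<Edje_Message_Int_Set *>(malloc(sizeof(*msg) + 3 * sizeof(int)));
    if (!msg)
        return;
    msg->count = 4;
    msg->val[0] = r;
    msg->val[1] = g;
    msg->val[2] = b;
    msg->val[3] = a;
    edje_object_message_send(elm_layout_edje_get(button),
                             EDJE_MESSAGE_INT_SET, 0, msg);
    free(msg);
}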
Tizen
V522 There might be dereferencing of a potential null pointer 'selected_device'. setting_item_device_list.c 121
static void device_list_select_cb(void *data, Evas_Object *obj,
void *event_info)
{
do_haptic(50);
device_info_s *info = (device_info_s *) data;
selected_device = (device_info_s *)
calloc(sizeof(device_info_s), 1);
selected_device->index = info->index;
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'sql_callback'. download-db-service.cpp 75
void initialize_datacontrol_provider()
{
DM_LOGI("initialize_datacontrol_provider");
int result;
sql_callback = (data_control_provider_sql_cb *)
malloc(sizeof(data_control_provider_sql_cb));
sql_callback->select_cb = select_request_cb;
....
}
Tizen
V522 There might be dereferencing of a potential null pointer 'msg'. util.c 113
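/* Sends the RGBA background colour to the edje object behind `layout`
 * as an EDJE_MESSAGE_INT_SET message carrying four ints.
 * Returns early when `layout` is NULL or the message cannot be allocated;
 * the original wrote through the unchecked malloc result. */
void util_bg_color_rgba_set(Evas_Object *layout,
                            char r, char g, char b, char a)
{
    Edje_Message_Int_Set *msg;
    ret_if(!layout);
    /* three extra ints beyond sizeof(*msg) give room for four val entries */
    msg = malloc(sizeof(*msg) + 3 * sizeof(int));
    ret_if(!msg);
    msg->count = 4;
    msg->val[0] = r;
    msg->val[1] = g;
    msg->val[2] = b;
    msg->val[3] = a;
    edje_object_message_send(elm_layout_edje_get(layout),
                             EDJE_MESSAGE_INT_SET, 1, msg);
    free(msg);
}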
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'pkg_data'. privacy_package_list_view.c 320
- V522 There might be dereferencing of a potential null pointer 'data'. privacy_guard_package_list_view.c 126
- V522 There might be dereferencing of a potential null pointer 'id'. privacy_package_list_view.c 470
- And 58 additional diagnostic messages.
EFL Core Libraries
V522 There might be dereferencing of a potential null pointer 't'. eina_tiler.c 1146
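/* Creates a tiler covering a w x h area split into 32x32 tiles.
 * Returns NULL when w or h is not positive or when allocation fails;
 * the original wrote into the calloc result without checking it. */
EAPI Eina_Tiler *eina_tiler_new(int w, int h)
{
    Eina_Tiler *t;
    EINA_SAFETY_ON_TRUE_RETURN_VAL((w <= 0) || (h <= 0), NULL);
    t = calloc(1, sizeof(Eina_Tiler));
    EINA_SAFETY_ON_NULL_RETURN_VAL(t, NULL);
    /* the -1 values are what the original initialised; their meaning
     * (presumably "no previous rectangle") is not visible here */
    t->last.add.w = -1;
    t->last.add.h = -1;
    t->last.del.w = -1;
    t->last.del.h = -1;
    t->area.w = w;
    t->area.h = h;
    t->tile.w = 32;
    t->tile.h = 32;
    t->rounding = EINA_TRUE;
    EINA_MAGIC_SET(t, EINA_MAGIC_TILER);
    _splitter_new(t);
    return t;
}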
EFL Core Libraries
V522 There might be dereferencing of a potential null pointer 'e'. evas_cserve2_fonts.c 66
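/* Boxes `error` into a freshly calloc'd Error_Type and returns it as void *.
 * Returns NULL when calloc fails instead of writing through the unchecked
 * pointer as the original did. The caller owns the returned memory;
 * whether callers handle a NULL result is not visible here — verify. */
static void *
_font_slave_error_send(Error_Type error)
{
    Error_Type *e = calloc(1, sizeof(*e));
    if (!e)
        return NULL;
    *e = error;
    return e;
}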
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'tmpstr'. eo_generator.c 158
- V522 There might be dereferencing of a potential null pointer 'ctx'. eo_lexer.c 1220
- V522 Dereferencing of the null pointer 'v' might take place. The potential null pointer is passed into 'evas_triangle3_set' function. Inspect the first argument. Check lines: 'evas_3d_utils.h:2449'. evas_3d_utils.h 651
- And 390 additional diagnostic messages.
Enlightenment
V522 There might be dereferencing of a potential null pointer 'task'. e_fm_ipc.c 489
static void
_e_fm_ipc_mkdir(int id, const char *src, const char *rel,
int rel_to EINA_UNUSED, int x, int y)
{
E_Fm_Task *task;
task = malloc(sizeof(E_Fm_Task));
task->id = id;
task->type = E_FM_OP_MKDIR;
task->slave = NULL;
....
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'm'. e_fm_ipc.c 1046
- V522 There might be dereferencing of a potential null pointer 't'. e_fm_op.c 444
- V522 There might be dereferencing of a potential null pointer 'ntask'. e_fm_op.c 896
- And 599 additional diagnostic messages.
ClickHouse
V522 Dereferencing of the null pointer 'cond_col' might take place. FunctionsConditional.h 765
bool executeForNullThenElse(....)
{
....
const ColumnUInt8 * cond_col =
typeid_cast<const ColumnUInt8 *>(arg_cond.column.get());
....
if (cond_col)
{
....
}
else if (cond_const_col)
{
....
}
else
throw Exception(
"Illegal column " + cond_col->getName() + // <=
" of first argument of function " + getName() +
". Must be ColumnUInt8 or ColumnConstUInt8.",
ErrorCodes::ILLEGAL_COLUMN);
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'cond_col' might take place. FunctionsConditional.h 1061
MuseScore
V522 Dereferencing of the null pointer 'customDrumset' might take place. instrument.cpp 328
bool Instrument::readProperties(XmlReader& e, Part* part,
bool* customDrumset)
{
....
else if (tag == "Drum") {
// if we see on of this tags, a custom drumset will
// be created
if (!_drumset)
_drumset = new Drumset(*smDrumset);
if (!customDrumset) { // <=
const_cast<Drumset*>(_drumset)->clear();
*customDrumset = true; // <=
}
const_cast<Drumset*>(_drumset)->load(e);
}
....
}
MuseScore
V522 Dereferencing of the null pointer 'segment' might take place. measure.cpp 2220
// Parses the children of a <Measure> element. 'segment' is only assigned
// by some branches, yet read unconditionally by another.
void Measure::read(XmlReader& e, int staffIdx)
{
Segment* segment = 0;
....
while (e.readNextStartElement()) {
const QStringRef& tag(e.name());
if (tag == "move")
e.initTick(e.readFraction().ticks() + tick());
....
else if (tag == "sysInitBarLineType") {
const QString& val(e.readElementText());
BarLine* barLine = new BarLine(score());
barLine->setTrack(e.track());
barLine->setBarLineType(val);
segment = getSegmentR(SegmentType::BeginBarLine, 0); //!!!
segment->add(barLine); // <= OK
}
....
// <= 'segment' is still null unless an earlier iteration assigned it, so a
// file whose first relevant child is <Segment> dereferences a null pointer.
// This is parser code for file content, i.e. untrusted input: a null check
// (or an explicit "malformed file" error) is required here.
else if (tag == "Segment")
segment->read(e); // <= ERR
....
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'segment' might take place. read114.cpp 1551
- V522 Dereferencing of the null pointer 'segment' might take place. read206.cpp 1879
Audacity
V522 Dereferencing of the null pointer 'mInputStream' might take place. FileIO.cpp 65
// Stream members; either may be null when the corresponding side was never opened.
std::unique_ptr<wxInputStream> mInputStream;
std::unique_ptr<wxOutputStream> mOutputStream;
// Returns the input stream after reading 'size' bytes into 'buf'.
wxInputStream & FileIO::Read(void *buf, size_t size)
{
// <= The null case is detected and then *mInputStream is dereferenced
// anyway: the function returns a reference, so there is no "null" it can
// hand back. The null path needs a different contract (throw, or return a
// failed sentinel stream); the same applies to Write() below.
if (mInputStream == NULL) {
return *mInputStream;
}
return mInputStream->Read(buf, size);
}
// Returns the output stream after writing 'size' bytes from 'buf'.
wxOutputStream & FileIO::Write(const void *buf, size_t size)
{
// <= Same defect as Read(): dereferences the pointer that was just found to be null.
if (mOutputStream == NULL) {
return *mOutputStream;
}
return mOutputStream->Write(buf, size);
}
Sphinx (search engine)
V522 Dereferencing of the null pointer 'pConsts' might take place. The null pointer is passed into 'Expr_StrIn_c' function. Inspect the third argument. Check lines: 5407, 5946. sphinxexpr.cpp 5407
// Constructs a string IN() expression from either a constant list or a
// user variable. The assert documents that exactly one of pConsts/pUservar
// is expected, but pConsts is then dereferenced unconditionally.
Expr_StrIn_c ( const CSphAttrLocator & tLoc, int iLocator,
ConstList_c * pConsts, UservarIntSet_c * pUservar,
ESphCollation eCollation )
: Expr_ArgVsConstSet_c<int64_t> ( NULL, pConsts )
, ExprLocatorTraits_t ( tLoc, iLocator )
, m_pStrings ( NULL )
, m_pUservar ( pUservar )
{
assert ( tLoc.m_iBitOffset>=0 && tLoc.m_iBitCount>0 );
// The assert below allows pConsts == NULL (the user-variable form), and
// asserts are compiled out of release builds anyway.
assert ( !pConsts || !pUservar );
m_fnStrCmp = GetCollationFn ( eCollation );
// <= Null when called with pUservar (see CreateInNode); the read of
// m_sExpr has to be guarded by "if ( pConsts )".
const char * sExpr = pConsts->m_sExpr.cstr(); // <=
....
}
// Builds the IN() node for a parsed expression tree node.
ISphExpr * ExprParser_t::CreateInNode ( int iNode )
{
....
case TOK_ATTR_STRING:
// <= Passes NULL as pConsts; the Expr_StrIn_c constructor dereferences that
// argument unconditionally (pConsts->m_sExpr), so this call crashes.
return new Expr_StrIn_c ( tLeft.m_tLocator,
tLeft.m_iLocator,
NULL, // <=
pUservar,
m_eCollation );
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'pConsts' might take place. The null pointer is passed into 'Expr_JsonFieldIn_c' function. Inspect the first argument. Check lines: 5238, 5948. sphinxexpr.cpp 5238
Sphinx (search engine)
V522 Dereferencing of the null pointer 'pBuf' might take place. The null pointer is passed into 'Ok' function. Inspect the third argument. Check lines: 2567, 12267, 12424, 14979. searchd.cpp 2567
// Appends iLen bytes from pBuf to the output buffer.
void ISphOutputBuffer::SendBytes ( const void * pBuf, int iLen )
{
int iOff = m_dBuf.GetLength();
m_dBuf.Resize ( iOff + iLen );
// <= Reached with pBuf == NULL and iLen == 0 from SendMysqlOkPacket. Even
// with a zero length, passing a null pointer to memcpy is undefined
// behaviour per the C standard, and optimisers do assume the pointer is
// valid; guard with "if ( iLen>0 )" or reject a null pBuf.
memcpy ( m_dBuf.Begin() + iOff, pBuf, iLen ); // <=
}
// Emits a MySQL-protocol OK packet. sMessage is optional (may be NULL).
void SendMysqlOkPacket ( ISphOutputBuffer & tOut, BYTE uPacketID,
int iAffectedRows=0, int iWarns=0,
const char * sMessage=NULL,
bool bMoreResults=false )
{
DWORD iInsert_id = 0;
char sVarLen[20] = {0};
void * pBuf = sVarLen;
pBuf = MysqlPack ( pBuf, iAffectedRows );
pBuf = MysqlPack ( pBuf, iInsert_id );
int iLen = (char *) pBuf - sVarLen;
int iMsgLen = 0;
// The null case is handled for the length computation only ...
if ( sMessage )
iMsgLen = strlen(sMessage) + 1;
tOut.SendLSBDword ( (uPacketID<<24) + iLen + iMsgLen + 5);
tOut.SendByte ( 0 );
tOut.SendBytes ( sVarLen, iLen );
if ( iWarns<0 ) iWarns = 0;
if ( iWarns>65535 ) iWarns = 65535;
DWORD uWarnStatus = iWarns<<16;
if ( bMoreResults )
uWarnStatus |= ( SPH_MYSQL_FLAG_MORE_RESULTS );
tOut.SendLSBDword ( uWarnStatus );
// <= ... but a NULL sMessage is still forwarded to SendBytes, whose memcpy
// receives a null source pointer. Wrap this in "if ( sMessage )".
tOut.SendBytes ( sMessage, iMsgLen ); // <=
}
// Convenience wrapper that sends an OK packet for the current packet id.
inline void Ok( int iAffectedRows=0, int iWarns=0,
const char * sMessage=NULL,
bool bMoreResults=false )
{
// <= Forwards sMessage (NULL by default) unchanged; see SendMysqlOkPacket.
SendMysqlOkPacket ( m_tOut, m_uPacketID, iAffectedRows, // <=
iWarns, sMessage, bMoreResults );
if ( bMoreResults )
m_uPacketID++;
}
// One of the call sites that reaches SendBytes with a null message pointer.
void HandleMysqlMultiStmt (....)
{
....
dRows.Ok ( 0, 0, NULL, bMoreResultsFollow );
....
}
Chromium
V522 CWE-476 Dereferencing of the null pointer 'focus_controller_' might take place. display.cc 52
// Owns the focus controller; the destructor is meant to unregister itself
// from it before releasing it.
class Display : ....
{
....
std::unique_ptr<FocusController> focus_controller_;
....
}
Display::~Display() {
....
// <= Inverted condition: the body executes only when focus_controller_ is
// null, so RemoveObserver() is always called through a null pointer and the
// observer is never removed in the non-null case. Should be
// "if (focus_controller_)".
if (!focus_controller_) {
focus_controller_->RemoveObserver(this);
focus_controller_.reset();
}
....
}
The condition is inverted: the body runs only when focus_controller_ is null, so RemoveObserver() is always called through a null pointer (and the observer is never removed in the normal case). The check should be `if (focus_controller_)`.
Chromium
V522 CWE-476 Dereferencing of the null pointer 'context' might take place. device_media_async_file_util.cc 322
// Creates a snapshot file and continues in the bound callback.
void DeviceMediaAsyncFileUtil::CreateOrOpen(
std::unique_ptr<FileSystemOperationContext> context, ....) {
....
// <= 'context' is both moved into the first argument and dereferenced in
// the third; C++ leaves the evaluation order of arguments unspecified, so if
// the move is performed first the unique_ptr is empty and
// context->task_runner() dereferences null. Fetch the task runner into a
// local before this call.
CreateSnapshotFile(
std::move(context), url,
base::Bind(
&NativeMediaFileUtil::CreatedSnapshotFileForCreateOrOpen,
base::RetainedRef(context->task_runner()),
file_flags, callback));
}
Whether a null pointer is dereferenced here depends on the order in which the arguments of CreateSnapshotFile are evaluated, and C++ leaves the evaluation order of function arguments unspecified. If std::move(context) is consumed first, the unique_ptr is left empty and context->task_runner() dereferences a null pointer. Reading the task runner into a local variable before the call removes the dependence on evaluation order.
Similar errors can be found in some other places:
- V522 CWE-476 Dereferencing of the null pointer 'delegate' might take place. payment_request_web_contents_manager.cc 39
Chromium
V522 CWE-476 Dereferencing of the null pointer 'embedder_extension' might take place. Check the bitwise operation. app_view_guest.cc 186
// Rejects the request unless both the guest and the embedder are platform apps.
void AppViewGuest::CreateWebContents(....) {
....
// <= Typo: bitwise "|" instead of "||" between the last two operands.
// "|" does not short-circuit, so embedder_extension->is_platform_app() is
// evaluated even when embedder_extension is null.
if (!guest_extension ||
!guest_extension->is_platform_app() ||
!embedder_extension |
!embedder_extension->is_platform_app()) {
callback.Run(nullptr);
return;
}
....
}
A typo: | was written instead of ||. Unlike ||, the bitwise | does not short-circuit, so embedder_extension->is_platform_app() is evaluated regardless of whether embedder_extension is null.
Chromium
V522 CWE-476 Dereferencing of the null pointer 'network_list' might take place. networking_private_service_client.cc 351
// Returns the list of enabled network types (WiFi only here).
std::unique_ptr<base::ListValue>
NetworkingPrivateServiceClient::GetEnabledNetworkTypes() {
// <= A default-constructed unique_ptr is null; nothing is ever assigned to
// it, so the AppendString() call below always dereferences a null pointer.
// It needs to be created with std::make_unique<base::ListValue>() first.
std::unique_ptr<base::ListValue> network_list;
network_list->AppendString(::onc::network_type::kWiFi);
return network_list;
}
A default-constructed std::unique_ptr is null. network_list is never given an object before AppendString is called, so the dereference is guaranteed; the list must be created first, e.g. with std::make_unique<base::ListValue>().
Chromium
V522 CWE-690 There might be dereferencing of a potential null pointer 'device_interface_detail_data'. Check lines: 103, 102. hid_service_win.cc 103
// Enumerates HID device interfaces; allocates the detail-data buffer with malloc.
void HidServiceWin::EnumerateBlocking(....)
{
....
std::unique_ptr<SP_DEVICE_INTERFACE_DETAIL_DATA,
base::FreeDeleter>
device_interface_detail_data(
static_cast<SP_DEVICE_INTERFACE_DETAIL_DATA*>(
malloc(required_size)));
// <= CWE-690: malloc() may return NULL (required_size is a value obtained
// at runtime, presumably from the SetupDi query -- confirm); cbSize is then
// written through a null pointer. Check the pointer before use.
device_interface_detail_data->cbSize =
sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);
....
}
The return value of malloc is not checked (CWE-690); on allocation failure cbSize is written through a null pointer.
Chromium
V522 CWE-690 There might be dereferencing of a potential null pointer 'file_'. Check lines: 716, 715. visitedlink_master.cc 716
// Stores the loaded table file handle in a heap-allocated FILE* slot.
void VisitedLinkMaster::OnTableLoadComplete(....)
{
....
file_ = static_cast<FILE**>(malloc(sizeof(*file_)));
// <= CWE-690: malloc() result unchecked; on failure this writes through a
// null pointer (and the released file handle is leaked).
*file_ = load_from_file_result->file.release();
....
}
The return value of malloc is not checked (CWE-690); on allocation failure *file_ writes through a null pointer.
V8 JavaScript Engine
V522 CWE-628 Dereferencing of the null pointer 'object' might take place. The null pointer is passed into 'IsHandler' function. Inspect the first argument. Check lines: 'ic-inl.h:44', 'stub-cache.cc:19'. ic-inl.h 44
// IsSmi() only inspects the pointer's tag bits, but it is still a member
// function call through 'this'.
bool Object::IsSmi() const { return HAS_SMI_TAG(this); }
// Returns whether 'object' is one of the handler representations.
bool IC::IsHandler(Object* object) {
// <= object->IsSmi() is evaluated before the nullptr comparison, so the
// null check can never protect anything; invoking a member function on a
// null pointer is undefined behaviour regardless of what the body reads.
// The test must be reordered: (object != nullptr && object->IsSmi()).
return (object->IsSmi() && (object != nullptr)) ||
object->IsDataHandler() ||
object->IsWeakCell() ||
object->IsCode();
}
The pointer is dereferenced (object->IsSmi()) before it is compared with nullptr, so the null check can never help; calling a member function through a null pointer is undefined behavior even though HAS_SMI_TAG only inspects the pointer's bits. The null test must come first: `object != nullptr && object->IsSmi()`.
LLVM/Clang
V522 CWE-690 There might be dereferencing of a potential null pointer 'TheTable'. Check lines: 65, 59. stringmap.cpp 65
// Allocates the bucket table (plus one sentinel bucket) for the string map.
void StringMapImpl::init(unsigned InitSize) {
assert((InitSize & (InitSize-1)) == 0 &&
"Init Size must be a power of 2 or zero!");
NumBuckets = InitSize ? InitSize : 16;
NumItems = 0;
NumTombstones = 0;
TheTable = (StringMapEntryBase **)
calloc(NumBuckets+1,
sizeof(StringMapEntryBase **) +
sizeof(unsigned));
// Allocate one extra bucket, set it to look filled
// so the iterators stop at end.
// <= CWE-690: calloc() result unchecked. On failure the store below goes to
// address NumBuckets * sizeof(pointer), not to address zero -- with a large
// NumBuckets that may be mapped memory, so this can corrupt memory silently
// instead of faulting.
TheTable[NumBuckets] = (StringMapEntryBase*)2;
}
The bug is interesting because if calloc returns NULL the program will not necessarily crash immediately: the store goes not to address zero but to an offset of NumBuckets elements from it, and NumBuckets can be large. Such a store may land in mapped memory and corrupt it silently instead of faulting on the null page.
LLVM/Clang
V522 CWE-690 There might be dereferencing of a potential null pointer 'Buckets'. Check lines: 219, 217. foldingset.cpp 219
// Allocates NumBuckets+1 bucket slots, the last one acting as an end sentinel.
static void **AllocateBuckets(unsigned NumBuckets) {
void **Buckets = static_cast<void**>(calloc(NumBuckets+1,
sizeof(void*)));
// Set the very last bucket to be a non-null "pointer".
// <= CWE-690: calloc() result unchecked. On failure the store lands at
// offset NumBuckets * sizeof(void*) from address zero; for large NumBuckets
// that can be a mapped address, i.e. silent memory corruption rather than
// an immediate crash. Check 'Buckets' (or report_bad_alloc) first.
Buckets[NumBuckets] = reinterpret_cast<void*>(-1);
return Buckets;
}
The bug is interesting because if calloc returns NULL the program will not necessarily crash immediately: the store goes not to address zero but to an offset of NumBuckets pointers from it, and NumBuckets can be large. Such a store may land in mapped memory and corrupt it silently instead of faulting on the null page.
Yasm
V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 52, 51. substr.h 52
/* Wraps an existing buffer of length l in a freshly allocated SubStr. */
static SubStr *
SubStr_new_u(unsigned char *s, unsigned int l)
{
SubStr *r = malloc(sizeof(SubStr));
/* <= CWE-690: malloc() result unchecked; on failure the two stores below
   write through a null pointer. Return NULL (or abort) when r == NULL. */
r->str = (char*)s;
r->len = l;
return r;
}
The return value of malloc is not checked (CWE-690); on allocation failure r->str and r->len are written through a null pointer.
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 68, 67. substr.h 68
- V522 CWE-690 There might be dereferencing of a potential null pointer 'r'. Check lines: 84, 83. substr.h 84
- V522 CWE-690 There might be dereferencing of a potential null pointer 'inc'. Check lines: 80, 79. genmodule.c 80
- And 29 additional diagnostic messages.
WebRTC
V522 CWE-690 There might be dereferencing of a potential null pointer 'self'. Check lines: 22, 21. noise_suppression.c 22
/* Allocates a noise-suppression instance; the caller receives an opaque handle. */
NsHandle* WebRtcNs_Create() {
NoiseSuppressionC* self = malloc(sizeof(NoiseSuppressionC));
/* <= CWE-690: malloc() result unchecked; initFlag is written through a
   null pointer on allocation failure. Return NULL when self == NULL. */
self->initFlag = 0;
return (NsHandle*)self;
}
The return value of malloc is not checked (CWE-690); on allocation failure self->initFlag is written through a null pointer.
WebRTC
V522 CWE-690 There might be dereferencing of a potential null pointer 'left'. Check lines: 412, 403. resampler.cc 412
// De-interleaves stereo samples into two temporary mono buffers.
int Resampler::Push(....)
{
....
int16_t* left =
static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));
int16_t* right =
static_cast<int16_t*>(malloc(lengthIn * sizeof(int16_t) / 2));
....
// <= CWE-690: neither malloc() result is checked; on failure the loop
// writes through a null pointer. Each buffer holds lengthIn/2 samples, so
// the loop also assumes lengthIn is even -- TODO confirm the caller
// guarantees that (an odd lengthIn would read samplesIn[i + 1] past the end
// and write one element past the buffers).
for (size_t i = 0; i < lengthIn; i += 2) {
left[i >> 1] = samplesIn[i];
right[i >> 1] = samplesIn[i + 1];
}
....
}
The return values of the two malloc calls are not checked (CWE-690); on allocation failure the loop writes through a null pointer.
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'right'. Check lines: 413, 405. resampler.cc 413
- V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 88, 84. echo_control_mobile.cc 88
- V522 CWE-690 There might be dereferencing of a potential null pointer 'aecm'. Check lines: 218, 216. aecm_core.cc 218
- And 2 additional diagnostic messages.
XNU kernel
V522 CWE-628 Dereferencing of the null pointer 'session' might take place. The null pointer is passed into 'netagent_send_error_response' function. Inspect the first argument. Check lines: 427, 972. network_agent.c 427
/* Sends an error response header to the control unit of 'session'.
   Requires a non-NULL session; see netagent_handle_unregister_message. */
static int
netagent_send_error_response(
struct netagent_session *session, u_int8_t message_type,
u_int32_t message_id, u_int32_t error_code)
{
int error = 0;
u_int8_t *response = NULL;
size_t response_size = sizeof(struct netagent_message_header);
MALLOC(response, u_int8_t *, response_size,
M_NETAGENT, M_WAITOK);
if (response == NULL) {
return (ENOMEM);
}
(void)netagent_buffer_write_message_header(.....);
/* <= session->control_unit is read without a NULL check; the caller's
   "session == NULL" error path lands exactly here and panics the kernel. */
if ((error = netagent_send_ctl_data(session->control_unit,
(u_int8_t *)response, response_size))) {
NETAGENTLOG0(LOG_ERR, "Failed to send response");
}
FREE(response, M_NETAGENT);
return (error);
}
/* Handles an UNREGISTER control message for 'session'. */
static void
netagent_handle_unregister_message(
struct netagent_session *session, ....)
#pragma unused(payload_length, packet, offset)
u_int32_t response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;
if (session == NULL) {
NETAGENTLOG0(LOG_ERR, "Failed to find session");
response_error = NETAGENT_MESSAGE_ERROR_INTERNAL;
goto fail;
}
netagent_unregister_session_wrapper(session);
netagent_send_success_response(session, .....);
return;
fail:
/* <= Reached with session == NULL (the only goto above), and the callee
   dereferences session->control_unit. There is no session to reply through
   here; the error path should just log and return instead. */
netagent_send_error_response(
session, NETAGENT_MESSAGE_TYPE_UNREGISTER, message_id,
response_error);
}
If netagent_handle_unregister_message jumps to the fail label because session is NULL, netagent_send_error_response dereferences that null pointer when it reads session->control_unit. The error path that exists precisely for the missing-session case is the one that panics.
XNU kernel
V522 CWE-628 Dereferencing of the null pointer 'pbuf' might take place. The null pointer is passed into 'pf_lazy_makewritable' function. Inspect the second argument. Check lines: 349, 7460. pf.c 349
/* Makes 'len' bytes of the packet buffer writable; returns NULL when the
   lazy-make-writable state is already marked failed (pd->lmw < 0). */
void *
pf_lazy_makewritable(struct pf_pdesc *pd, pbuf_t *pbuf, int len)
{
void *p;
if (pd->lmw < 0)
return (NULL);
/* <= With pbuf == NULL (see pf_test_state_icmp) this VERIFY only passes
   when pd->mp is also NULL, and then the next line dereferences NULL.
   Either way the call ends in a kernel panic. */
VERIFY(pbuf == pd->mp);
p = pbuf->pb_data;
if (len > pd->lmw) {
....
}
/* ICMP state test; one of its calls passes a NULL packet buffer. */
static int
pf_test_state_icmp(....)
{
....
/* <= NULL is passed as pbuf; pf_lazy_makewritable dereferences it
   (pbuf->pb_data). The intended argument is presumably the packet buffer
   the surrounding code operates on (pd->mp) -- confirm. */
if (pf_lazy_makewritable(pd, NULL,
off + sizeof (struct icmp6_hdr)) ==
NULL)
return (PF_DROP);
....
}
pf_test_state_icmp calls pf_lazy_makewritable with NULL for pbuf. Unless the early return on pd->lmw < 0 is taken, the function reaches VERIFY(pbuf == pd->mp) and then pbuf->pb_data; with a null pbuf the call ends in a kernel panic, either from the failed VERIFY or from the null pointer dereference.
XNU kernel
V522 CWE-690 There might be dereferencing of a potential null pointer 'dp'. vfs_cache.c 1449
typedef struct vnode * vnode_t;
/* Walks the name cache starting at directory vnode 'dp'. */
int
cache_lookup_path(...., vnode_t dp, ....)
{
....
/* The first condition admits that dp may be NULL ... */
if (dp && (dp->v_flag & VISHARDLINK)) {
break;
}
/* <= ... but the second dereferences dp unconditionally. The NULL case has
   to be handled before dp->v_flag is read (e.g. break when dp == NULL). */
if ((dp->v_flag & VROOT) ||
dp == ndp->ni_rootdir ||
dp->v_parent == NULLVP)
break;
....
}
The first condition tests dp for null, so the code admits that dp can be null, yet the second if dereferences dp unconditionally before any such check. The null case has to be handled before dp->v_flag is read.
Krita
V522 Dereferencing of the null pointer 'slot' might take place. kis_spriter_export.cpp 568
// Converts the document to the Spriter format, parsing "slot(...)" markers
// out of layer names.
KisImportExportFilter::ConversionStatus
KisSpriterExport::convert(
KisDocument *document,
QIODevice *io,
KisPropertiesConfigurationSP /*configuration*/)
{
....
// <= 'slot' is initialised to null and never assigned before the writes
// below, so any layer name containing "slot(" crashes the exporter.
// Presumably a "new SpriterSlot" (or a lookup) is missing here -- confirm.
SpriterSlot *slot = 0;
if (file.layerName.contains("slot(")) {
int start = file.layerName.indexOf("slot(") + 5;
int end = file.layerName.indexOf(')', start);
slot->name = file.layerName.mid(start, end - start); // <=
slot->defaultAttachmentFlag = .... // <=
}
....
}
Android
V522 CWE-476 Dereferencing of the null pointer 'xmlProxyLib' might take place. EffectsConfig.cpp 205
// Parses one <effect> element of the audio effects configuration.
bool parseEffect(....) {
....
// <= The error message is built by dereferencing the very pointer that was
// just found to be null (dump(*xmlProxyLib)), so reporting the malformed
// config crashes instead. Log the tag only, or dump the parent element.
if (xmlProxyLib == nullptr) {
ALOGE("effectProxy must contain a <%s>: %s",
tag, dump(*xmlProxyLib));
return false;
}
....
}
Android
V522 CWE-476 Dereferencing of the null pointer 'needed' might take place. linker.cpp 1847
// Unloads 'root' and classifies each of its needed libraries.
static void soinfo_unload_impl(soinfo* root) {
....
soinfo* needed = find_library(si->get_primary_namespace(),
library_name, RTLD_NOLOAD, nullptr, nullptr);
// <= Inverted test: the "couldn't find" warning fires when the library WAS
// found, and the branches below (needed->is_linked() etc.) run only when
// 'needed' is null. Should be "if (needed == nullptr)".
if (needed != nullptr) {
PRINT("warning: couldn't find %s needed by %s on unload.",
library_name, si->get_realpath());
return;
} else if (local_unload_list.contains(needed)) {
return;
} else if (needed->is_linked() && // <=
needed->get_local_group_root() != root) {
external_unload_list.push_back(needed);
} else {
unload_list.push_front(needed);
}
....
}
Android
V522 CWE-690 There might be dereferencing of a potential null pointer 'param'. Check lines: 245, 244. BufferProviders.cpp 245
// Allocates the effect parameter block used to configure the downmixer.
DownmixerBufferProvider::DownmixerBufferProvider(....)
{
....
effect_param_t * const param = (effect_param_t *)
malloc(downmixParamSize);
// <= CWE-690: malloc() result unchecked; psize is written through a null
// pointer on allocation failure.
param->psize = sizeof(downmix_params_t);
....
}
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'newStr'. Check lines: 169, 163. DexDump.cpp 169
- V522 CWE-690 There might be dereferencing of a potential null pointer 'image->rows'. Check lines: 682, 680. Images.cpp 682
- V522 CWE-690 There might be dereferencing of a potential null pointer 'image->colors'. Check lines: 758, 715. Images.cpp 758
- And 101 additional diagnostic messages.
Android
V522 CWE-690 There might be dereferencing of a potential null pointer 'newStr'. Check lines: 203, 202. DexDump.cpp 203
// Converts a class descriptor ("Lpkg/Cls;") to its dotted form.
static char* descriptorClassToDot(const char* str)
{
....
newStr = strdup(lastSlash);
// <= CWE-690: strdup() may return NULL; the store below then writes through
// a null pointer. Also assumes lastSlash is non-empty -- strlen()-1 would
// wrap to SIZE_MAX otherwise; confirm the caller guarantees that.
newStr[strlen(lastSlash)-1] = '\0';
....
}
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'cp'. Check lines: 1554, 1543. DexDump.cpp 1554
- V522 CWE-690 There might be dereferencing of a potential null pointer 'cp'. Check lines: 1385, 1374. dexlayout.cc 1385
- V522 CWE-628 Dereferencing of the null pointer 'n' might take place. The potential null pointer is passed into 'remove_trailing_slashes' function. Inspect the first argument. Check lines: 461, 540, 537. fs_mgr.cpp 461
- And 4 additional diagnostic messages.
Vangers: One For The Road
V522 CWE-690 There might be dereferencing of a potential null pointer 'fileName'. Check lines: 72, 70. zip_resource.cpp 72
// Stores a copy of 'p' as the entry name, normalising '/' to '\\'.
void XZIP_FileHeader::SetName(char *p)
{
int i, sz = strlen(p);
fileName = strdup(p);
// <= CWE-690: strdup() may return NULL; the loop then reads and writes
// through a null pointer. (The previous fileName, if any, is also leaked.)
for (i = 0; i < sz; i ++)
if (fileName[i] == '/') fileName[i] = '\\';
}
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'item'. ascr_fnc.cpp 5356
- V522 CWE-690 There might be dereferencing of a potential null pointer. A constructor of the string class expects a valid pointer. ivmap.cpp 309
- V522 CWE-690 There might be dereferencing of a potential null pointer 'idxName'. Check lines: 94, 92. zip_resource.cpp 94
Perl 5
V522 Dereferencing of the null pointer 'sv' might take place. pp_ctl.c 577
/* Executes the compiled format opcodes (*fpc). 'sv' is assigned by one
   opcode and consumed by another. */
OP * Perl_pp_formline(void)
{
....
SV *sv = ((void *)0);
....
switch (*fpc++) {
....
case 4:
arg = *fpc++;
f += arg;
fieldsize = arg;
if (mark < sp)
sv = *++mark;
else {
sv = &(PL_sv_immortals[2]);
Perl_ck_warner( (28 ), "....");
}
....
break;
case 5:
{
/* <= Reads sv->sv_flags; sv is still NULL unless an earlier opcode 4 set
   it in this loop. Whether the format compiler guarantees that ordering
   is not visible here -- TODO confirm; otherwise a NULL check is needed. */
const char *s = item = ((((sv)->sv_flags & (....)) == 0x00000400) ? ....
....
}
....
}
Qt
V522 CWE-690 There might be dereferencing of a potential null pointer 'nodes'. Check lines: 138, 136. makefiledeps.cpp 138
// Allocates the fixed-size hash table of source-file nodes and clears it.
SourceFiles::SourceFiles()
{
nodes = (SourceFileNode**)malloc(sizeof(SourceFileNode*)*(num_nodes=3037));
// <= CWE-690: malloc() result unchecked; the loop writes through a null
// pointer on failure (calloc, or a check before the loop, would do).
for(int n = 0; n < num_nodes; n++)
nodes[n] = nullptr;
}
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'rdb'. Check lines: 299, 296. qfilesystemengine_win.cpp 299
- V522 CWE-690 There might be dereferencing of a potential null pointer 'h'. Check lines: 73, 72. qjson.cpp 73
- V522 CWE-690 There might be dereferencing of a potential null pointer 'h'. Check lines: 310, 306. qjsonparser.cpp 310
- And 19 additional diagnostic messages.
Godot Engine
V522 CWE-476 Dereferencing of the null pointer 'E' might take place. shader_gles2.cpp 102
// Uploads default uniform values and camera matrices for the bound shader.
void ShaderGLES2::bind_uniforms() {
....
const Map<uint32_t, Variant>::Element *E = uniform_defaults.front();
while (E) {
int idx = E->key();
int location = version->uniform_location[idx];
if (location < 0) {
E = E->next();
continue;
}
Variant v;
v = E->value();
_set_uniform_variant(location, v);
E = E->next();
}
// After the loop above E is always null (the loop runs until E->next()
// returns null).
const Map<uint32_t, CameraMatrix>::Element *C = uniform_cameras.front();
while (C) {
// <= Copy-paste error: this loop iterates C but reads the key from E,
// which is null here. Should be "C->key()".
int idx = E->key(); // <=
int location = version->uniform_location[idx];
if (location < 0) {
C = C->next();
continue;
}
glUniformMatrix4fv(location, 1, GL_FALSE, &(C->get().matrix[0][0]));
C = C->next();
}
uniforms_dirty = false;
}
LibrePCB
V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 206
// Event filter for the graphics scene; handles mouse button events.
bool GraphicsView::eventFilter(QObject* obj, QEvent* event) {
....
QGraphicsSceneMouseEvent* e =
dynamic_cast<QGraphicsSceneMouseEvent*>(event);
// <= Q_ASSERT is compiled out of release builds, so a failed dynamic_cast
// (event of another type) reaches e->button() as a null pointer. Use a real
// check ("if (!e) return false;") rather than an assertion.
Q_ASSERT(e);
if (e->button() == Qt::MiddleButton)
....
}
Similar errors can be found in some other places:
- V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 218
- V522 CWE-690 There might be dereferencing of a potential null pointer 'e'. graphicsview.cpp 229
- V522 CWE-690 There might be dereferencing of a potential null pointer 'unitComboBox'. attributelisteditorwidget.cpp 143
- And 79 additional diagnostic messages.
LibrePCB
V522 CWE-628 Dereferencing of the null pointer 'event' might take place. The potential null pointer is passed into 'handleMouseWheelEvent' function. Inspect the first argument. Check lines: 143, 252. graphicsview.cpp 143
// Handles a scene wheel event. Dereferences 'event' without a null check,
// yet the caller passes the result of an unchecked dynamic_cast.
void GraphicsView::handleMouseWheelEvent(
QGraphicsSceneWheelEvent* event) noexcept
{
if (event->modifiers().testFlag(Qt::ShiftModifier))
....
}
// Event filter; forwards wheel events to handleMouseWheelEvent.
bool GraphicsView::eventFilter(QObject* obj, QEvent* event) {
....
// <= dynamic_cast yields null for any other event type and the callee
// dereferences it immediately; check the cast result before the call.
handleMouseWheelEvent(dynamic_cast<QGraphicsSceneWheelEvent*>(event));
....
}
LLVM/Clang
V522 [CWE-476] Dereferencing of the null pointer 'LHS' might take place. TGParser.cpp 2152
// Parses a value expression; the paste operator casts its left operand to string.
Init *TGParser::ParseValue(Record *CurRec, RecTy *ItemType, IDParseMode Mode) {
....
TypedInit *LHS = dyn_cast<TypedInit>(Result);
....
LHS = dyn_cast<TypedInit>(
UnOpInit::get(UnOpInit::CAST, LHS, StringRecTy::get())
->Fold(CurRec));
// <= The error message calls LHS->getAsString() inside the branch that is
// entered only when LHS is null, so reporting the failed cast crashes.
// The original (pre-cast) operand, or Result, should be named instead.
if (!LHS) {
Error(PasteLoc, Twine("can't cast '") + LHS->getAsString() +
"' to string");
return nullptr;
}
....
}
Similar errors can be found in some other places:
- V522 [CWE-476] Dereferencing of the null pointer 'RHS' might take place. TGParser.cpp 2186
LLVM/Clang
V522 [CWE-476] Dereferencing of the null pointer 'ProgClone' might take place. Miscompilation.cpp 601
// Extracts the miscompiled blocks into a cloned program module.
ExtractBlocks(....)
{
....
std::unique_ptr<Module> ProgClone = CloneModule(BD.getProgram(), VMap);
....
// <= Use after move: ProgClone is moved into BD here, which leaves the
// unique_ptr empty, and then dereferenced in the loop below. Either look up
// the functions through BD.getProgram() or move ProgClone after the loop.
BD.setNewProgram(std::move(ProgClone)); // <=
MiscompiledFunctions.clear();
for (unsigned i = 0, e = MisCompFunctions.size(); i != e; ++i) {
Function *NewF = ProgClone->getFunction(MisCompFunctions[i].first); // <=
assert(NewF && "Function not found??");
MiscompiledFunctions.push_back(NewF);
}
....
}
LLVM/Clang
V522 [CWE-476] Dereferencing of the null pointer 'Test' might take place. Miscompilation.cpp 709
// Runs the pass pipeline over 'Test' and reports whether it still miscompiles.
static Expected<bool> TestOptimizer(BugDriver &BD, std::unique_ptr<Module> Test,
std::unique_ptr<Module> Safe) {
outs() << " Optimizing functions being tested: ";
std::unique_ptr<Module> Optimized =
BD.runPassesOn(Test.get(), BD.getPassesToRun());
if (!Optimized) {
errs() << " Error running this sequence of passes"
<< " on the input program!\n";
// <= Use after move: Test is moved into BD and then dereferenced (*Test)
// on the next line. Emit the bitcode before the move, or from
// BD.getProgram() afterwards.
BD.setNewProgram(std::move(Test)); // <=
BD.EmitProgressBitcode(*Test, "pass-error", false); // <=
if (Error E = BD.debugOptimizerCrash())
return std::move(E);
return false;
}
....
}
LLVM/Clang
V522 [CWE-476] Dereferencing of the null pointer 'Type' might take place. PrettyFunctionDumper.cpp 233
// Prints the type of a function argument symbol.
void FunctionDumper::dump(const PDBSymbolTypeFunctionArg &Symbol) {
uint32_t TypeId = Symbol.getTypeId();
auto Type = Symbol.getSession().getSymbolById(TypeId);
// <= Branches are swapped: "<unknown-type>" is printed when the type WAS
// resolved, and Type->dump() runs when Type is null. Should be "if (!Type)".
if (Type)
Printer << "<unknown-type>";
else
Type->dump(*this);
}
LLVM/Clang
V522 [CWE-476] Dereferencing of the null pointer 'Ty' might take place. SearchableTableEmitter.cpp 614
// Collects and type-checks the entries of a generic searchable table.
void SearchableTableEmitter::collectTableEntries(
GenericTable &Table, const std::vector<Record *> &Items) {
....
RecTy *Ty = resolveTypes(Field.RecType, TI->getType());
// <= The diagnostic dereferences Ty (Ty->getAsString()) in the branch taken
// only when Ty is null; the message should print Field.RecType instead.
if (!Ty)
PrintFatalError(Twine("Field '") + Field.Name + "' of table '" +
Table.Name + "' has incompatible type: " +
Ty->getAsString() + " vs. " + // <=
TI->getType()->getAsString());
....
}
Haiku Operating System
V522 Dereferencing of the null pointer 'currentInterface' might take place. Device.cpp 258
// Parses the USB configuration descriptor delivered by the device. The
// descriptor bytes come from the device itself, i.e. untrusted input: every
// branch must tolerate a descriptor that arrives out of order.
Device::Device(....) : ....
{
....
usb_interface_info* currentInterface = NULL; // <=
uint32 descriptorStart = sizeof(usb_configuration_descriptor);
while (descriptorStart < actualLength) {
switch (configData[descriptorStart + 1]) {
....
case USB_DESCRIPTOR_ENDPOINT:
{
....
// The ENDPOINT case guards against an endpoint before any interface ...
if (currentInterface == NULL) // <=
break;
currentInterface->endpoint_count++;
....
}
....
case USB_DESCRIPTOR_ENDPOINT_COMPANION: {
// <= ... but the COMPANION case has no such guard, so a (malformed or
// malicious) descriptor that places a companion first dereferences NULL.
// The same "currentInterface == NULL" check is needed here; endpoint_count
// may also still be 0 at this point, making the index -1 -- confirm.
usb_endpoint_descriptor* desc = currentInterface // <=
->endpoint[currentInterface->endpoint_count - 1].descr;
....
}
....
}
Haiku Operating System
V522 Dereferencing of the null pointer 'directory' might take place. PathMonitor.cpp 1465
// Handles an "entry created" notification for a watched directory.
bool
PathHandler::_EntryCreated(....)
{
....
Directory* directory = directoryNode->ToDirectory();
// <= Inside the "directory == NULL" branch the code calls
// directory->FirstNodeEntry(), i.e. dereferences the pointer it just found
// to be null. The resynchronisation step presumably meant to use
// directoryNode (or another directory) -- confirm.
if (directory == NULL) {
// We're out of sync with reality.
if (!dryRun) {
if (Entry* nodeEntry = directory->FirstNodeEntry()) {
....
}
}
return false;
}
....
}
Haiku Operating System
V522 Dereferencing of the null pointer 'input' might take place. MediaRecorder.cpp 343
// GetInput takes the pointer BY VALUE, so it cannot hand an object back
// through 'input'.
void GetInput(media_input* input);
// Returns the recorder node's media input.
const media_input&
BMediaRecorder::MediaInput() const
{
CALLED();
media_input* input = NULL;
// <= 'input' is still NULL after this call (passed by value), so *input
// below dereferences a null pointer. GetInput needs an out-parameter
// (pointer-to-pointer / reference) or a return value.
fNode->GetInput(input);
return *input;
}
Haiku Operating System
V522 Dereferencing of the null pointer 'mustFree' might take place. RequestUnflattener.cpp 35
// Reads 'size' bytes into *buffer; *mustFree tells the caller whether it
// owns the returned buffer.
status_t
Reader::Read(int32 size, void** buffer, bool* mustFree)
{
// <= Argument validation is inverted for mustFree: "mustFree" rejects every
// non-null pointer and lets NULL through, which is then written below.
// Should be "|| !mustFree", matching the "!buffer" check next to it.
if (size < 0 || !buffer || mustFree)
return B_BAD_VALUE;
if (size == 0) {
*buffer = NULL;
*mustFree = false; // <=
return B_OK;
}
....
}
Haiku Operating System
V522 Dereferencing of the null pointer 'data' might take place. The null pointer is passed into 'malo_hal_send_helper' function. Inspect the third argument. Check lines: 350, 394. if_malohal.c 350
/* Downloads the helper firmware; the final "done" command carries no data. */
static int
malo_hal_fwload_helper(struct malo_hal *mh, char *helper)
{
....
/* tell the card we're done and... */
/* <= Passes NULL as the data pointer; malo_hal_send_helper feeds it to
   memcpy unconditionally. Even with dsize == 0 a NULL memcpy source is
   undefined behaviour, so the callee needs to skip the copy when dsize is 0
   (or data is NULL). */
error = malo_hal_send_helper(mh, 0, NULL, 0, MALO_NOWAIT); // <= NULL
....
}
/* Sends one firmware download block of dsize bytes from 'data'. */
static int
malo_hal_send_helper(struct malo_hal *mh, int bsize,
const void *data, size_t dsize, int waitfor)
{
mh->mh_cmdbuf[0] = htole16(MALO_HOSTCMD_CODE_DNLD);
mh->mh_cmdbuf[1] = htole16(bsize);
/* <= 'data' may be NULL (see malo_hal_fwload_helper); guard the copy with
   "if (dsize != 0)" -- memcpy with a NULL pointer is UB even for length 0. */
memcpy(&mh->mh_cmdbuf[4], data , dsize); // <= data
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'data' might take place. The null pointer is passed into 'malo_hal_send_main' function. Inspect the second argument. Check lines: 413, 472. if_malohal.c 413
Mozilla Thunderbird
V522 Dereferencing of the null pointer 'row' might take place. morkRowCellCursor.cpp 175
// Acquires a handle to the cell at the cursor's current position in its row.
NS_IMETHODIMP
morkRowCellCursor::MakeCell( // get cell at current pos in the row
nsIMdbEnv* mev, // context
mdb_column* outColumn, // column for this particular cell
mdb_pos* outPos, // position of cell in row sequence
nsIMdbCell** acqCell) {
nsresult outErr = NS_OK;
nsIMdbCell* outCell = 0;
mdb_pos pos = 0;
mdb_column col = 0;
// <= 'row' is initialised to null and never assigned; every call with a
// valid env dereferences it (row->CellAt). The cursor's own row object is
// presumably what was meant -- confirm which member holds it.
morkRow* row = 0;
morkEnv* ev = morkEnv::FromMdbEnv(mev);
if (ev) {
pos = mCursor_Pos;
morkCell* cell = row->CellAt(ev, pos);
if (cell) {
col = cell->GetColumn();
outCell = row->AcquireCellHandle(ev, cell, col, pos);
}
outErr = ev->AsErr();
}
if (acqCell) *acqCell = outCell;
if (outPos) *outPos = pos;
if (outColumn) *outColumn = col;
return outErr;
}
Kodi
V522 There might be dereferencing of a potential null pointer 'entry'. Check lines: 985, 981. emu_msvcrt.cpp:985
// readdir() emulation returning a freshly allocated dirent per call.
struct dirent *dll_readdir(DIR *dirp)
{
....
struct dirent *entry = NULL;
entry = (dirent*) malloc(sizeof(*entry));
// <= CWE-690: malloc() result unchecked; d_name is written through a null
// pointer on allocation failure. Return NULL when entry == NULL.
if (dirData->curr_index < dirData->items.Size() + 2)
{
if (dirData->curr_index == 0)
strncpy(entry->d_name, ".\0", 2);
....
}
ROOT
V522 Dereferencing of the null pointer 'pre' might take place. TSynapse.cxx 61
// Attaches this synapse to its pre-neuron.
void TSynapse::SetPre(TNeuron * pre)
{
// <= The wrong variable is tested: the "already assigned" error fires for
// every non-null argument, and a null 'pre' falls through to pre->AddPost.
// Judging by the message, the check should be on the member: "if (fpre)".
if (pre) {
Error("SetPre","this synapse is already assigned to a pre-neuron.");
return;
}
fpre = pre;
pre->AddPost(this);
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'post' might take place. TSynapse.cxx 74
Amazon FreeRTOS
V522 [CWE-690] There might be dereferencing of a potential null pointer 'pCurrentHttpsResponse'. iot_https_client.c 1184
/* Converts a DER-encoded mbedTLS ECDSA signature to the raw R||S form.
   NOTE(review): the diagnostic header above this snippet cites
   'pCurrentHttpsResponse' / iot_https_client.c, which does not match this
   code -- likely a copy error in the listing. */
int PKI_mbedTLSSignatureToPkcs11Signature
(uint8_t * pxSignaturePKCS, uint8_t * pxMbedSignature )
{
int xReturn = 0;
uint8_t * pxNextLength;
/* The 4th byte contains the length of the R component */
/* <= pxMbedSignature[3] is read BEFORE the NULL check below, so the check
   cannot protect it. Move this read after the validation. */
uint8_t ucSigComponentLength = pxMbedSignature[ 3 ]; // <=
if( ( pxSignaturePKCS == NULL )
|| ( pxMbedSignature == NULL ) )
{
xReturn = FAILURE;
}
....
}
SDCC
V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer2.cc 403
// Timer 2 peripheral model; 'sfr' is the special-function-register space
// and may be null (print_info tests it).
class cl_timer2: public cl_timer0
{
protected:
class cl_address_space *sfr;
....
}
// Prints the timer state to the simulator console.
void
cl_timer2::print_info(class cl_console_base *con)
{
....
// <= The ternary's arms are swapped: when sfr is non-null it prints "?",
// and when sfr is null it evaluates sfr->get(IE). Should be
// sfr ? (... ? "en" : "dis") : "?".
con->dd_printf(" %s", sfr?"?":((sfr->get(IE)&bmET2)?"en":"dis"));
....
}
Similar errors can be found in some other places:
- V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer1.cc 86
- V522 [CWE-476] Dereferencing of the null pointer 'sfr' might take place. timer0.cc 426
SDCC
V522 [CWE-476] Dereferencing of the null pointer 'uc' might take place. flash.cc 345
// Writes one value into the simulated flash.
void
cl_flash::flash_write(t_addr a, t_mem val)
{
// <= uc is dereferenced for the debug trace before the "!uc" check, and the
// "no uc" branch dereferences it again to print its message. The first
// trace must move below the check, and the branch should not use uc at all.
uc->sim->app->debug("FLASH wr(%06lx,%02x)\n",a,val);
if (!uc)
{
uc->sim->app->debug(" no uc\n");
return;
}
....
}
Newton Game Dynamics
V522 There might be dereferencing of a potential null pointer 'face'. dgContactSolver.cpp 351
// Allocates a face from the pool and initialises it.
DG_INLINE dgMinkFace* dgContactSolver::AddFace(dgInt32 v0,dgInt32 v1,
dgInt32 v2)
{
dgMinkFace* const face = NewFace();
// <= NewFace() returns NULL once the pool holds DG_CONVEX_MINK_MAX_FACES
// faces (see below); that case is not checked here.
face->m_mark = 0;
....
}
// Returns a face from the free list, or the next pool slot; returns NULL
// when the pool is exhausted. Callers (AddFace) must check for NULL.
DG_INLINE dgMinkFace* dgContactSolver::NewFace()
{
dgMinkFace* face = (dgMinkFace*)m_freeFace;
if (m_freeFace)
{
m_freeFace = m_freeFace->m_next;
} else
{
face = &m_facePool[m_faceIndex];
m_faceIndex++;
// Note: m_faceIndex has already been incremented when NULL is returned.
if (m_faceIndex >= DG_CONVEX_MINK_MAX_FACES)
{
return NULL;
}
}
#ifdef _DEBUG
memset(face, 0, sizeof (dgMinkFace));
#endif
return face;
}
Newton Game Dynamics
V522 There might be dereferencing of a potential null pointer 'perimeter'. dgPolyhedra.cpp 2541
// Builds the perimeter half-edges of a flattened face.
bool dgPolyhedra::PolygonizeFace(....)
{
....
dgEdge* const perimeter = flatFace.AddHalfEdge
(edge1->m_next->m_incidentVertex,
edge1->m_incidentVertex);
// <= AddHalfEdge returns NULL for a degenerate edge (v0 == v1) or when the
// insert fails (see below); the result is dereferenced here unchecked.
perimeter->m_twin = edge1;
....
}
// Inserts the half-edge (v0, v1). Returns NULL when v0 == v1 or when the
// tree insert returns no node -- callers must handle the NULL result.
dgEdge* dgPolyhedra::AddHalfEdge (dgInt32 v0, dgInt32 v1)
{
if (v0 != v1)
{
dgPairKey pairKey (v0, v1);
dgEdge tmpEdge (v0, -1);
dgTreeNode* node = Insert (tmpEdge, pairKey.GetVal());
return node ? &node->GetInfo() : NULL;
} else
{
return NULL;
}
}
Command & Conquer
V522 Dereferencing of the null pointer 'list' might take place. DISPLAY.CPP 1062
// Computes the width/height of the cell footprint described by 'list'
// (terminated by REFRESH_EOL).
void DisplayClass::Get_Occupy_Dimensions(int & w, int & h, short const *list)
{
....
// <= Inverted test: the loop runs only when list is NULL and immediately
// reads *list. Should be "if (list)".
if (!list) {
/*
** Loop through all cell offsets, accumulating max & min x- & y-coords
*/
while (*list != REFRESH_EOL) {
....
}
....
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'list' might take place. DISPLAY.CPP 951
- V522 Dereferencing of the null pointer 'unitsptr' might take place. QUEUE.CPP 2362
- V522 Dereferencing of the null pointer 'unitsptr' might take place. QUEUE.CPP 2699
PMDK
V522 [CWE-690] There might be dereferencing of a potential null pointer 'workers'. Check lines: 126, 124. pi.c 126
/* Spawns one worker thread per pending task. */
static void
calc_pi_mt(void)
{
....
HANDLE *workers = (HANDLE *) malloc(sizeof(HANDLE) * pending);
/* <= CWE-690: malloc() result unchecked; workers[i] is written through a
   null pointer on allocation failure. */
for (i = 0; i < pending; ++i) {
workers[i] = CreateThread(NULL, 0, calc_pi,
&tasks[i], 0, NULL);
if (workers[i] == NULL)
break;
}
....
}
Similar errors can be found in some other places:
- V522 [CWE-690] There might be dereferencing of a potential null pointer 'buf'. Check lines: 357, 346. obj_pmemblk.c 357
- V522 [CWE-690] There might be dereferencing of a potential null pointer 'clovec'. Check lines: 22, 18. clo_vec.cpp 22
- V522 [CWE-690] There might be dereferencing of a potential null pointer 'args'. Check lines: 36, 32. clo_vec.cpp 36
- And 27 additional diagnostic messages.
FakeIt
V522 There might be dereferencing of a potential null pointer 'matcher'. fakeit.hpp 6720
// Matches each actual argument against the typed matcher stored at the
// same index in _matchers.
template<typename ... arglist>
struct ArgumentsMatcherInvocationMatcher :
public ActualInvocation<arglist...>::Matcher {
....
template<typename A>
void operator()(int index, A &actualArg) {
// <= dynamic_cast returns null when _matchers[index] is not a
// TypedMatcher of the expected type; matcher->matches() is then called on
// a null pointer. Check the cast result (and treat a mismatch as "no
// match").
TypedMatcher<typename naked_type<A>::type> *matcher =
dynamic_cast<TypedMatcher<typename naked_type<A>::type> *>(
_matchers[index]);
if (_matching)
_matching = matcher->matches(actualArg);
}
....
const std::vector<Destructible *> _matchers;
};
Espressif IoT Development Framework
V522 There might be dereferencing of a potential null pointer 'exp'. Check lines: 3470, 3469. argtable3.c 3470
/* Compiles a regular expression pattern into a TRex object. */
TRex *trex_compile(const TRexChar *pattern,const TRexChar **error,int flags)
{
TRex *exp = (TRex *)malloc(sizeof(TRex));
/* <= CWE-690: malloc() result unchecked; the fields below are written
   through a null pointer on allocation failure. Return NULL (and set
   *error) when exp == NULL. */
exp->_eol = exp->_bol = NULL;
exp->_p = pattern;
....
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 's_ledc_fade_rec[speed_mode][channel]'. Check lines: 668, 667. ledc.c 668
- V522 There might be dereferencing of a potential null pointer 'environ'. Check lines: 108, 107. syscall_table.c 108
- V522 There might be dereferencing of a potential null pointer 'it'. Check lines: 150, 149. partition.c 150
- And 3 additional diagnostic messages.
SystemC
V522 There might be dereferencing of a potential null pointer 'free_list'. Check lines: 560, 556. sc_event.cpp 560
// Pool allocator: refills the free list in chunks of ALLOC_SIZE objects.
void*
sc_event_timed::allocate()
{
const int ALLOC_SIZE = 64;
if( free_list == 0 ) {
free_list = (sc_event_timed_u*) malloc( ALLOC_SIZE *
sizeof( sc_event_timed_u ) );
// <= CWE-690: malloc() result unchecked; the loop threads the free list
// through a null pointer on allocation failure.
int i = 0;
for( ; i < ALLOC_SIZE - 1; ++ i ) {
free_list[i].next = &free_list[i + 1];
}
free_list[i].next = 0;
}
....
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'new_block'. Check lines: 136, 135. sc_mempool.cpp 136
MuseScore
V522 Dereferencing of the null pointer 'family' might take place. instrtemplate.cpp 356
// Illustrative V522 case: the condition is inverted. The body runs only when
// family is null, so family->id is evaluated exactly when it cannot be; when
// family is valid the tag is never written.
void InstrumentTemplate::write(XmlWriter& xml) const
{
....
if (!family) { // <= should guard on a non-null family
xml.tag("family", family->id);
}
xml.etag();
}
MuseScore
V522 Dereferencing of the null pointer 'destinationMeasure' might take place. score.cpp 4279
// Illustrative V522 case: the outer assignment overwrites destinationMeasure
// with the (null) result of prevMeasure(), and the inner condition then calls
// prevMeasureMM() through that null pointer. The fallback was presumably
// meant to be taken on the original measure, not on the failed result.
ChordRest* Score::cmdNextPrevSystem(ChordRest* cr, bool next)
{
....
auto destinationMeasure = currentSystem->firstMeasure();
....
if (!(destinationMeasure = destinationMeasure->prevMeasure())) {
if (!(destinationMeasure = destinationMeasure->prevMeasureMM())) { // <= destinationMeasure is null here
return cr;
}
}
....
}
Blender
V522 There might be dereferencing of a potential null pointer 'context->read_icons'. Check lines: 255, 252. datatoc_icon.c
/* Illustrative V522 case: realloc() is assigned straight back into
 * context->read_icons. On failure that sets the field to NULL (and loses the
 * only reference to the old buffer, a leak), after which the element address
 * computed below and the writes through icon_info dereference NULL (CWE-690).
 * The idiom is to realloc into a temporary and check it before assigning. */
static void icon_merge_context_register_icon(struct IconMergeContext *context,
const char *file_name,
struct IconHead *icon_head)
{
context->read_icons = realloc(context->read_icons,
sizeof(struct IconInfo) * (context->num_read_icons + 1)); /* <= unchecked */
struct IconInfo *icon_info = &context->read_icons[context->num_read_icons];
icon_info->head = *icon_head;
icon_info->file_name = strdup(path_basename(file_name));
context->num_read_icons++;
}
Blender
V522 There might be dereferencing of a potential null pointer 'mesh'. geometry_component_mesh.cc 537
// Illustrative V522 case: the branch is entered when mesh is nullptr OR when
// mesh->dvert is nullptr, but its body reads mesh->totvert, which is a null
// dereference in the first of those two cases (CWE-476).
ReadAttributePtr try_get_for_read(const GeometryComponent &component,
const StringRef attribute_name) const final
{
....
const Mesh *mesh = mesh_component.get_for_read();
....
if (mesh == nullptr || mesh->dvert == nullptr) {
static const float default_value = 0.0f;
return std::make_unique<ConstantReadAttribute>(
ATTR_DOMAIN_POINT, mesh->totvert, // <= mesh may be nullptr on this path
CPPType::get<float>(), &default_value);
}
....
}
Storm Engine
V522 There might be dereferencing of a potential null pointer 'pTable'. Check lines: 36, 35. s_postevents.h 36
// Illustrative V522 case: realloc() is assigned straight back into pTable, so
// on failure pTable becomes null (losing the old array) and the next line
// writes pTable[n] through it (CWE-690). Realloc into a temporary and check.
void Add(....)
{
....
pTable = (S_EVENTMSG **)realloc(
pTable, nClassesNum * sizeof(S_EVENTMSG *)); // <= unchecked
pTable[n] = pClass;
....
};
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'label'. Check lines: 116, 113. geom_static.cpp 116
LFortran
V522 [CWE-690] There might be dereferencing of a potential null pointer 'parent'. CLI11.hpp 3915
// Illustrative V522 case: dynamic_cast<T *>(parent_) yields nullptr if parent_
// is null or is not a T, and the range-for below reads parent->options_
// without checking (CWE-690).
template <typename T = App> Option *ignore_underscore(bool value = true) {
if(!ignore_underscore_ && value) {
ignore_underscore_ = value;
auto *parent = dynamic_cast<T *>(parent_); // <= may be nullptr
for(const Option_p &opt : parent->options_) { // <=
....
}
}
....
}
Similar errors can be found in some other places:
- V522 [CWE-690] There might be dereferencing of a potential null pointer 'parent'. CLI11.hpp 3890
LFortran
V522 [CWE-690] There might be dereferencing of a potential null pointer 'dynamic_cast< T * > (parent_)'. CLI11.hpp 3810
// Illustrative V522 case: the dynamic_cast result is dereferenced inline on
// the first line; if parent_ is null or not a T, get_option_no_throw is called
// through nullptr (CWE-690). Only the looked-up option is null-checked.
template <typename T = App> Option *needs(std::string opt_name) {
auto opt = dynamic_cast<T *>(parent_)->get_option_no_throw(opt_name); // <= unchecked cast result
if(opt == nullptr) {
throw IncorrectConstruction::MissingOption(opt_name);
}
return needs(opt);
}
Similar errors can be found in some other places:
- V522 [CWE-690] There might be dereferencing of a potential null pointer 'dynamic_cast< T * > (parent_)'. CLI11.hpp 3852
CARLA
V522 Dereferencing of the null pointer 'CarlaActor' might take place. CarlaServer.cpp 1652
// Illustrative V522 case: the condition is inverted. A found actor is
// reported as ActorNotFound and returns early, while a missing actor
// (CarlaActor == nullptr) falls through to CarlaActor->IsDormant().
// Since ActorId arrives from a client request, an unknown id crashes the
// server instead of producing the error response (CWE-476).
void FCarlaServer::FPimpl::BindActions()
{
....
FCarlaActor* CarlaActor = Episode->FindCarlaActor(ActorId);
if (CarlaActor) // <= should be !CarlaActor
{
return RespondError("get_light_boxes",
ECarlaServerResponse::ActorNotFound,
" Actor Id: " + FString::FromInt(ActorId));
}
if (CarlaActor->IsDormant()) // <= reached only when CarlaActor is null
{
return RespondError("get_light_boxes",
ECarlaServerResponse::FunctionNotAvailiableWhenDormant,
" Actor Id: " + FString::FromInt(ActorId));
}
else { .... }
....
}
CARLA
V522 Dereferencing of the null pointer 'HISMCompPtr' might take place. ProceduralBuilding.cpp 32
// Illustrative V522 case: after the early return, HISMCompPtr is known to be
// null, yet the next statement initializes HISMComp from *HISMCompPtr. The
// value is overwritten by NewObject immediately afterwards, so the
// dereference is both undefined behavior and useless; `HISMComp = nullptr`
// (or declaring it at the NewObject line) is the intended code.
UHierarchicalInstancedStaticMeshComponent* AProceduralBuilding::GetHISMComp(
const UStaticMesh* SM)
{
....
UHierarchicalInstancedStaticMeshComponent** HISMCompPtr =
HISMComps.Find(SMName);
if (HISMCompPtr) return *HISMCompPtr;
UHierarchicalInstancedStaticMeshComponent* HISMComp = *HISMCompPtr; // <= HISMCompPtr is null here
// If it doesn't exist, create the component
HISMComp = NewObject<UHierarchicalInstancedStaticMeshComponent>(this,
FName(*FString::Printf(TEXT("HISMComp_%d"), HISMComps.Num())));
HISMComp->SetupAttachment(RootComponent);
HISMComp->RegisterComponent();
....
}
Chromium
V522 Instantiation of WasmFullDecoder < Decoder::kFullValidation, WasmGraphBuildingInterface >: Dereferencing of the null pointer 'result' might take place. The null pointer is passed into 'UnOp' function. Inspect the fourth argument. Check lines: 'graph-builder-interface.cc:349', 'function-body-decoder-impl.h:5372'. graph-builder-interface.cc 349
// File: src\v8\src\wasm\graph-builder-interface.cc
// Illustrative V522 case (intermodular): this writes result->node
// unconditionally, but BuildSimpleOperator in function-body-decoder-impl.h
// passes nullptr as result for void-returning operators. The callee either
// needs a null check or the contract "result is never null" must hold at
// every call site.
void UnOp(FullDecoder* decoder, WasmOpcode opcode,
const Value& value, Value* result)
{
result->node = builder_->Unop(opcode, value.node, decoder->position()); // <= result may be nullptr
}
// File: src\v8\src\wasm\function-body-decoder-impl.h
// Illustrative V522 case (intermodular): for a void return type the interface
// call passes nullptr as the result slot, while the UnOp implementation in
// graph-builder-interface.cc dereferences that argument without checking.
int BuildSimpleOperator(WasmOpcode opcode, ValueType return_type,
ValueType arg_type)
{
Value val = Peek(0, 0, arg_type);
if (return_type == kWasmVoid)
{
CALL_INTERFACE_IF_OK_AND_REACHABLE(UnOp, opcode, val, nullptr); // <= nullptr reaches UnOp's result parameter
Drop(val);
}
....
}
Intermodular analysis
Chromium
V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'NaClTlsSetCurrentThread' function. Inspect the first argument. Check lines: 'nacl_tls_64.c:285', 'nacl_app_thread.c:161'. nacl_tls_64.c 285
// File: src\native_client\src\trusted\service_runtime\arch\x86_64\nacl_tls_64.c
/* Illustrative V522 case (intermodular): NaClAppThreadTeardown deliberately
 * calls this with NULL to clear the TLS variable. Although only an address is
 * taken, `&natp->user` applies `->` to a null pointer, which is formally
 * undefined behavior in C even if it computes a small offset in practice.
 * An explicit `natp ? &natp->user : NULL` expresses the intent safely. */
void NaClTlsSetCurrentThread(struct NaClAppThread *natp) {
nacl_current_thread = &natp->user; /* <= natp may be NULL by design of the caller */
}
// File: src\native_client\src\trusted\service_runtime\nacl_app_thread.c
/* Illustrative V522 case (intermodular): the NULL passed here is intentional
 * (see the comment below), but the callee in nacl_tls_64.c evaluates
 * `&natp->user` on it, which is formally undefined behavior. The fix belongs
 * in the callee, not in this call site. */
void NaClAppThreadTeardown(struct NaClAppThread *natp)
{
....
/*
 * Unset the TLS variable so that if a crash occurs during thread
 * teardown, the signal handler does not dereference a dangling
 * NaClAppThread pointer.
 */
NaClTlsSetCurrentThread(NULL); /* <= callee does not accept NULL safely */
....
}
Intermodular analysis
MuditaOS
V522 [CERT-EXP34-C] Dereferencing of the null pointer 'document' might take place. TextBlockCursor.cpp 332
// Illustrative V522 case (CERT EXP34-C): the ternary branches are swapped.
// When document is nullptr the code dereferences it to obtain end(); when the
// document is valid it returns begin(). Only a null document ever takes the
// crashing branch, so the guard as written protects nothing.
auto BlockCursor::begin() -> std::list<TextBlock>::iterator
{
return document == nullptr
? document->blocks.end() : document->blocks.begin(); // <= null document dereferenced
}
VCMI
V522 There might be dereferencing of a potential null pointer. CCallback.cpp 255
// Illustrative V522 case: the dynamic_cast result is dereferenced inline to
// read ->id. If market is not a CGObjectInstance the cast yields nullptr and
// the read crashes (CWE-690); a checked cast with a failure path is needed.
void CCallback::trade(....)
{
....
pack.marketId = dynamic_cast<const CGObjectInstance *>(market)->id; // <= unchecked cast result
....
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'boat'. MapRendererContext.cpp 47
- V522 There might be dereferencing of a potential null pointer 'hero'. MapRendererContext.cpp 134
- V522 There might be dereferencing of a potential null pointer 'hero'. MapViewController.cpp 291
- And 7 additional diagnostic messages.
GCC
V522 There might be dereferencing of a potential null pointer 'obj_info'. Check lines: 290, 287. libgcov-util.c 290. libgcov-util.c 287
/* Illustrative V522 case: the allocator result is dereferenced without a NULL
 * check. Note that libiberty's xcalloc is documented to abort on failure
 * rather than return NULL; if that is the xcalloc in scope here, this report
 * is a false positive from the analyzer's point of view and the code is fine.
 * The warning is listed for completeness; confirm which xcalloc is used. */
static struct gcov_info *
read_gcda_file (const char *filename)
{
....
curr_gcov_info = obj_info =
(struct gcov_info *) xcalloc (sizeof (struct gcov_info) +
sizeof (struct gcov_ctr_info) * GCOV_COUNTERS, 1);
obj_info->version = version; /* <= flagged dereference */
obj_info->filename = filename;
....
}
FreeCAD
V522 [CWE-476, CERT-EXP34-C] Dereferencing of the null pointer 'vpp' might take place. QGIView.cpp 592
// Illustrative V522 case (CWE-476, CERT EXP34-C): the condition is inverted.
// The only path that calls vpp->getQGVPage() is the one where vpp is null,
// and a valid vpp is discarded in favour of returning nullptr.
QGVPage* QGIView::getQGVPage(TechDraw::DrawView* dView)
{
ViewProviderPage* vpp = getViewProviderPage(dView);
if (!vpp) { // <= should be `if (vpp)`
return vpp->getQGVPage();
}
return nullptr;
}
FreeCAD
V522 [CWE-690, CERT-MEM52-CPP] There might be dereferencing of a potential null pointer 'detail'. QGIViewPart.cpp 842
// Illustrative V522 case (CWE-690, CERT MEM52-CPP): the null check on detail
// exists, but it comes one statement too late. detail->AnchorPoint.getValue()
// runs before `if (detail)`, so a docObj that is not a DrawViewDetail (or a
// missing object) crashes here. Moving the getValue() call inside the guarded
// block is the fix.
void QGIViewPart::highlightMoved(QGIHighlight* highlight, QPointF newPos)
{
std::string highlightName = highlight->getFeatureName();
App::Document* doc = getViewObject()->getDocument();
App::DocumentObject* docObj = doc->getObject(highlightName.c_str());
auto detail = dynamic_cast<DrawViewDetail*>(docObj); // may be nullptr
auto oldAnchor = detail->AnchorPoint.getValue(); // <= dereferenced before the check below
if (detail) {
Base::Vector3d delta = Rez::appX(DrawUtil::toVector3d(newPos)) /
getViewObject()->getScale();
delta = DrawUtil::invertY(delta);
detail->AnchorPoint.setValue(oldAnchor + delta);
}
}
GZDoom
V522 There might be dereferencing of a potential null pointer 'mem'. Check lines: 100, 95. fs_stringpool.cpp 100
// Illustrative V522 case: the allocation failure branch exists but is empty,
// so control falls through to the writes below with mem == nullptr (CWE-690).
// The empty body suggests the error handling was never written; at minimum
// the branch should return (or throw) instead of continuing.
StringPool::Block *StringPool::AddBlock(size_t size)
{
....
auto mem = (Block *)malloc(size);
if (mem == nullptr)
{
} // <= no-op failure handling; execution continues with a null mem
mem->Limit = (uint8_t *)mem + size;
mem->Avail = &mem[1];
mem->NextBlock = TopBlock;
TopBlock = mem;
return mem;
}
Dagor Engine
V522 Dereferencing of the null pointer 'leaf_linear[i]' might take place. DagorEngine/prog/dagorInclude/generic/dag_hierGrid.h 71
// Illustrative V522 case: the inner condition is inverted. When this node's
// leaf_linear[i] is already allocated it is replaced by a fresh `new Leaf`
// (leaking the old one), and when it is null the else branch assigns through
// it. Swapping the two branches (or testing `!leaf_linear[i]`) is the fix.
void copy(const Node &n, int sz)
{
....
for (int i = 0; i < 4; ++i)
if (n.leaf_linear[i])
{
if (leaf_linear[i]) // <= branches are the wrong way round
leaf_linear[i] = new Leaf(*n.leaf_linear[i]);
else
*leaf_linear[i] = *n.leaf_linear[i]; // <= reached only when leaf_linear[i] is null
}
else
....
....
}
LLVM/Clang
V522 Dereferencing of the null pointer 'prev_file' might take place. LineTable.cpp 363
// Illustrative V522 case: prev_file is default-constructed and only assigned
// at the end of each iteration, so on the first pass `*prev_file` dereferences
// an empty smart pointer (SupportFileSP appears to be a shared-pointer alias;
// confirm). The comparison needs to tolerate an empty prev_file on idx == 0.
void LineTable::Dump(Stream *s, Target *target, Address::DumpStyle style,
Address::DumpStyle fallback_style, bool show_line_ranges)
{
const size_t count = m_entries.size();
LineEntry line_entry;
SupportFileSP prev_file; // <= empty until the end of the first iteration
for (size_t idx = 0; idx < count; ++idx) {
ConvertEntryAtIndexToLineEntry(idx, line_entry);
line_entry.Dump(s, target, *prev_file != *line_entry.original_file_sp, // <= dereferences empty prev_file when idx == 0
style, fallback_style, show_line_ranges);
s->EOL();
prev_file = line_entry.original_file_sp;
}
}
LLVM/Clang
V522 Dereferencing of the null pointer 'E' might take place. The null pointer is passed into 'checkStringLiteralArgumentAttr' function. Inspect the second argument. Check lines: 349, 1801. SemaDeclAttr.cpp
// Illustrative V522 case (intermodular): E is dereferenced on the first line
// with no null check. The handler functions below (handleAssumumptionAttr
// and, per the analyzer, 30+ similar call sites) reportedly pass a literal 0
// for this parameter, which converts to a null pointer; whether a different
// overload was intended at those call sites is not visible here.
bool Sema::checkStringLiteralArgumentAttr(const AttributeCommonInfo &CI,
const Expr *E, StringRef &Str,
SourceLocation *ArgLocation)
{
const auto *Literal = dyn_cast<StringLiteral>(E->IgnoreParenCasts()); // <= E may be null
....
}
....
// Illustrative V522 case (intermodular): the literal 0 in the call below is
// reported to bind to the `const Expr *E` parameter of
// checkStringLiteralArgumentAttr as a null pointer, and that function
// dereferences E immediately. If an argument index was meant, an overload
// taking an index (not visible in this excerpt) would have to be selected.
static void handleAssumumptionAttr(Sema &S, Decl *D, const ParsedAttr &AL)
{
// Handle the case where the attribute has a text message.
StringRef Str;
SourceLocation AttrStrLoc;
if (!S.checkStringLiteralArgumentAttr(AL, 0, Str, &AttrStrLoc)) // <= 0 becomes a null Expr*
return;
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'E' might take place. The null pointer is passed into 'checkStringLiteralArgumentAttr' function. Inspect the second argument. Check lines: 349, 1974. SemaDeclAttr.cpp
- V522 Dereferencing of the null pointer 'E' might take place. The null pointer is passed into 'checkStringLiteralArgumentAttr' function. Inspect the second argument. Check lines: 349, 1984. SemaDeclAttr.cpp
- V522 Dereferencing of the null pointer 'E' might take place. The null pointer is passed into 'checkStringLiteralArgumentAttr' function. Inspect the second argument. Check lines: 349, 1999. SemaDeclAttr.cpp
- And 30 additional diagnostic messages.
LLVM/Clang
V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createBURRListDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGRRList.cpp:3147', 'LinkAllCodegenComponents.h:40'.
//file: ScheduleDAGRRList.cpp
// Illustrative V522 case (intermodular): IS is dereferenced on entry with no
// null check, while LinkAllCodegenComponents.h calls this with nullptr. That
// call site is link-forcing boilerplate that is presumably never executed
// (the elided guard is not shown here), so this is a contract violation
// rather than a live crash; it still documents that IS must never be null.
ScheduleDAGSDNodes *llvm::createBURRListDAGScheduler(SelectionDAGISel *IS,
CodeGenOptLevel OptLevel)
{
const TargetSubtargetInfo &STI = IS->MF->getSubtarget(); // <= IS may be nullptr from the header call
....
}
//file: LinkAllCodegenComponents.h
// Illustrative V522 case (intermodular): this constructor exists only to
// force the scheduler factories to be linked in, and it passes nullptr to
// createBURRListDAGScheduler, which dereferences its first argument. The
// elided part presumably contains a never-taken guard so the call does not
// run; even so, the nullptr argument contradicts the callee's contract.
struct ForceCodegenLinking
{
ForceCodegenLinking()
{
....
(void)llvm::createBURRListDAGScheduler(nullptr, // <= callee dereferences this argument
llvm::CodeGenOptLevel::Default);
....
}
}
Intermodular analysis
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createSourceListDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGRRList.cpp:3161', 'LinkAllCodegenComponents.h:42'.
- V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createHybridListDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGRRList.cpp:3175', 'LinkAllCodegenComponents.h:44'.
LLVM/Clang
V522 Dereferencing of the null pointer 'I' might take place. The null pointer is passed into 'SetInsertPoint' function. Inspect the first argument. Check lines: 'IRBuilder.h:188', 'OMPIRBuilder.cpp:5983'.
//file: IRBuilder.h
// Illustrative V522 case (intermodular): I is dereferenced on the first line
// with no null check. OMPIRBuilder::emitAtomicUpdate passes it the result of
// a failed dyn_cast (see the else branch there), so a null I reaches this code.
void SetInsertPoint(Instruction *I)
{
BB = I->getParent(); // <= I may be nullptr
InsertPt = I->getIterator();
assert(InsertPt != BB->end() && "Can't read debug loc from end()");
SetCurrentDebugLocation(I->getStableDebugLoc());
}
//file: OMPIRBuilder.cpp
// Illustrative V522 case (intermodular): the else branch is taken exactly
// when the dyn_cast produced a null ExitTI, and that null is then passed to
// SetInsertPoint, which calls I->getParent() on it. The two branches appear
// to be swapped relative to the intent.
std::pair<Value *, Value *> OpenMPIRBuilder::emitAtomicUpdate
(InsertPointTy AllocaIP,
Value *X, Type *XElemTy,
Value *Expr, AtomicOrdering AO,
AtomicRMWInst::BinOp RMWOp,
AtomicUpdateCallbackTy &UpdateOp,
bool VolatileX, bool IsXBinopExpr)
{
....
if (UnreachableInst *ExitTI = dyn_cast<UnreachableInst>
(ExitBB->getTerminator()))
{
CurBBTI->eraseFromParent();
Builder.SetInsertPoint(ExitBB);
}
else
{
Builder.SetInsertPoint(ExitTI); // <= ExitTI is null in this branch
}
return Res;
}
Intermodular analysis
OpenVINO
V522 Dereferencing of the null pointer 'multiplyInputNode' might take place. graph_optimizer.cpp 452
// Illustrative V522 case: each null check is correct, but the error message
// built inside the check calls getName() on the very pointer just found to be
// null. The intended diagnostic therefore turns into a crash. The same
// pattern repeats for subtractInputNode and eltwiseNode below; the messages
// should name the source node or the expected type instead.
void GraphOptimizer::FuseFCAndWeightsDecompression(Graph &graph)
{
....
// Fusion processing
....
if (!multiplyInputNode)
{
OPENVINO_THROW("Cannot cast ",
multiplyInputNode->getName(), " to Input node."); // <= null dereference in the error path
}
fcNode->fuseDecompressionMultiply(multiplyInputNode->getMemoryPtr());
if (withSubtract)
{
....
if (!subtractInputNode)
{
OPENVINO_THROW("Cannot cast ",
subtractInputNode->getName(), " to Input node."); // <= same defect
}
fcNode->fuseDecompressionSubtract(subtractInputNode->getMemoryPtr());
}
if (withPowerStatic)
{
....
if (!eltwiseNode)
{
OPENVINO_THROW("Cannot cast ",
eltwiseNode->getName(), " to Eltwise node."); // <= same defect
}
}
....
}
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer 'subtractInputNode' might take place. graph_optimizer.cpp 459
- V522 Dereferencing of the null pointer 'eltwiseNode' might take place. graph_optimizer.cpp 466
DPDK
V522 There might be dereferencing of a potential null pointer 'ts'. Check lines: 1276, 1274. test_cryptodev_blockcipher.c 1276
/* Illustrative V522 case: calloc() may return NULL and the result is written
 * through on the next line without a check (CWE-690). Test code is still
 * code; an allocation failure here is a crash rather than a skipped suite. */
struct unit_test_suite *
build_blockcipher_test_suite(enum blockcipher_test_type test_type)
{
....
ts = calloc(1, sizeof(struct unit_test_suite) +
(sizeof(struct unit_test_case) * (n_test_cases + 1))); /* <= unchecked */
ts->suite_name = ts_name;
ts->setup = ts_setup;
....
}
Similar errors can be found in some other places:
- V522 There might be dereferencing of a potential null pointer 'next_edges'. Check lines: 529, 518. test_graph.c 529
- V522 There might be dereferencing of a potential null pointer 't'. Check lines: 1027, 988. opdl_test.c 1027
- V522 There might be dereferencing of a potential null pointer 'link_cache'. Check lines: 1363, 1351. event_helper.c 1363
- And 10 additional diagnostic messages.
LLVM/Clang
V522 Dereferencing of the null pointer 'Inst' might take place. LinuxKernelRewriter.cpp 583
// Illustrative V522 case: inside the `if (!Inst)` block, Inst is re-looked-up
// and then tested as `Inst || hasAnnotation(*Inst, ...)`. When the second
// lookup also fails, the left operand is false and `*Inst` is evaluated on a
// null pointer; when it succeeds, the annotation is never consulted. The
// first operand was presumably meant to be `!Inst`.
Error LinuxKernelRewriter::readORCTables() {
....
MCInst *Inst = BF->getInstructionAtOffset(Offset);
if (!Inst) {
Inst = BF->getInstructionContainingOffset(Offset);
if (Inst || BC.MIB->hasAnnotation(*Inst, "AltInst")) // <= *Inst evaluated when Inst is null
continue;
return createStringError(
errc::executable_format_error,
"no instruction at address 0x%" PRIx64 " in .orc_unwind_ip", IP);
}
....
}
LLVM/Clang
V522 Dereferencing of the null pointer 'target' might take place. LinalgTransformOps.cpp 2219
// Illustrative V522 case: the check tests the loop variable `target` rather
// than `tilingOp`, the dyn_cast result it was evidently meant to validate.
// As written, the branch is entered only when target is null and then calls
// target->getLoc() on it; a payload op lacking TilingInterface is never
// diagnosed. The function's closing brace lies beyond this excerpt.
DiagnosedSilenceableFailure
transform::ConvertToLoopsOp::apply(transform::TransformRewriter &rewriter,
transform::TransformResults &results,
transform::TransformState &state) {
SmallVector<Operation *> loops;
for (Operation *target : state.getPayloadOps(getTarget())) {
auto tilingOp = dyn_cast<TilingInterface>(*target);
if (!target) { // <= should test tilingOp
DiagnosedSilenceableFailure diag =
emitSilenceableError()
<< "expected the payload to implement TilingInterface";
diag.attachNote(target->getLoc()) << "payload op"; // <= target is null on this path
return diag;
}
....
}
LLVM/Clang
V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createDefaultScheduler' function. Inspect the first argument. Check lines: 'SelectionDAGISel.cpp:285', 'LinkAllCodegenComponents.h:48'. SelectionDAGISel.cpp 285
// Illustrative V522 case (intermodular): IS is dereferenced twice on entry
// with no null check, while the ForceCodegenLinking constructor in
// LinkAllCodegenComponents.h calls this with nullptr. That call is
// link-forcing boilerplate presumably guarded so it never runs; the report
// still documents that IS must never be null.
ScheduleDAGSDNodes *createDefaultScheduler(SelectionDAGISel *IS,
CodeGenOptLevel OptLevel) {
const TargetLowering *TLI = IS->TLI; // <= IS may be nullptr from the header call
const TargetSubtargetInfo &ST = IS->MF->getSubtarget();
....
}
// Illustrative V522 case (intermodular): link-forcing constructor that passes
// nullptr to createDefaultScheduler, which dereferences its first argument.
// The elided part presumably holds a never-taken guard, so the call is not
// executed; the argument nevertheless contradicts the callee's contract.
struct ForceCodegenLinking {
ForceCodegenLinking() {
....
(void)llvm::createDefaultScheduler(nullptr, // <= callee dereferences this argument
llvm::CodeGenOptLevel::Default);
....
}
};
Similar errors can be found in some other places:
- V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createVLIWDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGVLIW.cpp:270', 'LinkAllCodegenComponents.h:50'. ScheduleDAGVLIW.cpp 270
- V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createHybridListDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGRRList.cpp:3175', 'LinkAllCodegenComponents.h:44'. ScheduleDAGRRList.cpp 3175
- V522 Dereferencing of the null pointer might take place. The null pointer is passed into 'createSourceListDAGScheduler' function. Inspect the first argument. Check lines: 'ScheduleDAGRRList.cpp:3161', 'LinkAllCodegenComponents.h:42'. ScheduleDAGRRList.cpp 3161
- And 1 additional diagnostic message.