Our website uses cookies to enhance your browsing experience.
Accept
to the top
Home
>
Posts
>
Examples of errors
>
Examples of errors detected by the...

Examples of errors detected by the V769 diagnostic

V769. The pointer in the expression equals nullptr. The resulting value is meaningless and should not be used.

GZDoom

V769 The 'pp' pointer in the 'pp += 3' expression equals nullptr. The resulting value is senseless and it should not be used. models_voxel.cpp 145


PalettedPixels FVoxelTexture::CreatePalettedPixels(int conversion, int frame)
{
  uint8_t *pp = SourceVox->Palette.Data();

  if (pp != nullptr)
  {
    ....
  }
  else
  {
    for (int i = 0; i < 256; i++, pp+=3)
    {
      bitmap[i] = (uint8_t)i;
      pe[i] = GPalette.BaseColors[i];
      pe[i].a = 255;
    }
  }
}

GTK

V769 [CWE-119, CERT-EXP08-C] The 'end' pointer in the 'end += strlen(beg)' expression equals nullptr. The resulting value is senseless and it should not be used. position.cpp 36


Offset Offset::init(const char* beg, const char* end)
{
  Offset offset(0, 0);
  if (end == 0) {
    end += strlen(beg);
  }
  offset.add(beg, end);
  return offset;
}

Most likely this is what should be written here: end = beg + strlen(beg);

Overgrowth

V769 [CERT-EXP08-C] The 'idx_buffer_offset' pointer in the 'idx_buffer_offset += pcmd->ElemCount' expression equals nullptr. The resulting value is senseless and it should not be used. imgui_impl_sdl_gl3.cpp 138


void ImGui_ImplSdlGL3_RenderDrawLists(ImDrawData* draw_data)
{
  const ImDrawIdx* idx_buffer_offset = 0;
  ....
  idx_buffer_offset += pcmd->ElemCount;
  ....
}

Similar errors can be found in some other places:

  • V769 [CERT-EXP08-C] The 'cp' pointer in the 'cp ++' expression equals nullptr. The resulting value is senseless and it should not be used. crn_file_utils.cpp 547

DeepSpeech

V769 The 'middle_begin_' pointer in the 'middle_begin_ + (counts.size() - 2)' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 553, 552. search_trie.cc 553


template <class Quant, class Bhiksha> class TrieSearch {
....
private:
  ....
  Middle *middle_begin_, *middle_end_;
  ....
};

template <class Quant, class Bhiksha>
uint8_t *TrieSearch<Quant, Bhiksha>::SetupMemory(....)
{
  ....
  middle_begin_
    = static_cast<Middle*>(malloc(sizeof(Middle) * (counts.size() - 2)));
  middle_end_ = middle_begin_ + (counts.size() - 2);
  ....
}

CSV Parser

V769 The 'buffer.get()' pointer in the 'line_buffer - buffer.get()' expression equals nullptr. The resulting value is senseless and it should not be used. csv.hpp 4957


CSV_INLINE void CSVReader::read_csv(const size_t& bytes) {
  const size_t BUFFER_UPPER_LIMIT = std::min(bytes, (size_t)1000000);
  std::unique_ptr<char[]> buffer(new char[BUFFER_UPPER_LIMIT]);
  auto * HEDLEY_RESTRICT line_buffer = buffer.get();
  line_buffer[0] = '\0';
  ....
  this->feed_state->feed_buffer.push_back(
    std::make_pair<>(std::move(buffer), line_buffer - buffer.get())); // <=
  ....
}

Newton Game Dynamics

V769 The 'result' pointer in the 'result + i' expression equals nullptr. The resulting value is senseless and it should not be used. win32_monitor.c 286


GLFWvidmode* _glfwPlatformGetVideoModes(_GLFWmonitor* monitor, int* count)
{
  GLFWvidmode* result = NULL;
  ....
  for (i = 0;  i < *count;  i++)
    {
    if (_glfwCompareVideoModes(result + i, &mode) == 0)
      break;
    }
}

FreeRDP

V769 The 'data' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. nsc_encode.c 124


static BOOL nsc_encode_argb_to_aycocg(NSC_CONTEXT* context,
                                      const BYTE* data,
                                      UINT32 scanline)
{
  ....
  if (!context || data || (scanline == 0))
    return FALSE;
  ....
  src = data + (context->height - 1 - y) * scanline;
  ....
}

Qt

V769 CWE-119 The 'ptr' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. qdbusdemarshaller.cpp 299


QVariant QDBusDemarshaller::toVariantInternal()
{
  ....
  default:
    char *ptr = 0;
    ptr += q_dbus_message_iter_get_arg_type(&iterator);
    q_dbus_message_iter_next(&iterator);

    // I hope you never dereference this pointer!
    return QVariant::fromValue<void *>(ptr);
  };
}

Android

V769 CWE-119 The '(uint32_t *) metadata' pointer in the '(uint32_t *) metadata + new_size_int' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 91, 89. radio_metadata.c 91


int check_size(radio_metadata_buffer_t **metadata_ptr, const uint32_t size_int)
{
  ....
  metadata = realloc(metadata,
                     new_size_int * sizeof(uint32_t));
  memmove(
   (uint32_t *)metadata + new_size_int - (metadata->count + 1),
   (uint32_t *)metadata + metadata->size_int -
                           (metadata->count + 1),
   (metadata->count + 1) * sizeof(uint32_t));
  ....
}

Hunspell

V769 CWE-119 The 'candidate' pointer in the 'candidate + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 864, 863. suggestmgr.cxx 864


int SuggestMgr::twowords(....)
{
  ....
  char* candidate = (char*)malloc(wl + 2);
  strcpy(candidate + 1, word);
  ....
}

There is no protection if the malloc function returns a null pointer.

LLVM/Clang

V769 CWE-119 The 'NewTableArray' pointer in the 'NewTableArray + NewSize' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 218, 216. stringmap.cpp 218


unsigned StringMapImpl::RehashTable(unsigned BucketNo) {
  ....
  StringMapEntryBase **NewTableArray =
    (StringMapEntryBase **)calloc(NewSize+1,
      sizeof(StringMapEntryBase *) + sizeof(unsigned));
  unsigned *NewHashArray =
    (unsigned *)(NewTableArray + NewSize + 1);
  NewTableArray[NewSize] = (StringMapEntryBase*)2;
  ....
}

The bug is interesting because if calloc returns NULL, then the program will not necessarily immediately fall. A record occurs not by a null pointer, but by a shift equal to NewSize.

V8 JavaScript Engine

V769 CWE-119 The 'copy' pointer in the 'copy + prefix_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 394, 393. code-assembler.cc 394


void CodeAssembler::Comment(const char* format, ...) {
  ....
  const int prefix_len = 2;
  int length = builder.position() + 1;
  char* copy = reinterpret_cast<char*>(malloc(length +
                                              prefix_len));
  MemCopy(copy + prefix_len, builder.Finalize(), length);
  copy[0] = ';';
  copy[1] = ' ';
  raw_assembler()->Comment(copy);
}

There is no protection if the malloc function returns a null pointer.

MySQL

V769 The 'new_buffer' pointer in the 'new_buffer + fixed_header_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 74, 73. gcs_message_stage_lz4.cc 74


bool
Gcs_message_stage_lz4::apply(Gcs_packet &packet)
{
  ....
  unsigned char *new_buffer =
    (unsigned char*) malloc(new_capacity);
  unsigned char *new_payload_ptr =
    new_buffer + fixed_header_len + hd_len;

  // compress payload
  compressed_len=
    LZ4_compress_default((const char*)packet.get_payload(),
                         (char*)new_payload_ptr,
                         static_cast<int>(old_payload_len),
                         compress_bound);
  ....
}

EFL Core Libraries

V769 The 'ed->file->sound_dir->samples' pointer in the expression could be nullptr. In such case, resulting value of arithmetic operations on this pointer will be senseless and it should not be used. edje_edit.c 1271


EAPI Eina_Bool
edje_edit_sound_sample_add(Evas_Object *obj, const char *name,
                           const char *snd_src)
{
   ....
   ed->file->sound_dir->samples =
     realloc(ed->file->sound_dir->samples,
             sizeof(Edje_Sound_Sample) *
             ed->file->sound_dir->samples_count);

   sound_sample = ed->file->sound_dir->samples +
     ed->file->sound_dir->samples_count - 1;
   sound_sample->name = (char *)eina_stringshare_add(name);
   ....
}

Similar errors can be found in some other places:

  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 539
  • V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 611
  • V769 The 'tmp' pointer in the 'tmp ++' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. evas_object_textblock.c 11131
  • And 7 additional diagnostic messages.

Aspell

V769 The 'strchr(s, ':')' pointer in the 'strchr(s, ':') + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. posib_err.cpp 52


PosibErrBase & PosibErrBase::set(....)
{
  ....
  s = strchr(s, ':') + 1;
  unsigned int ip = *s - '0' - 1;
  ....
}

Similar errors can be found in some other places:

  • V769 The 'begin_' pointer in the 'begin_ + old_size' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. string.cpp 36
  • V769 The 'w->data' pointer in the 'w->data + cc' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. typo_editdist.cpp 166
  • V769 The '(cur)->str' pointer in the '(cur)->str + pos' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. prezip.c 103
  • And 1 additional diagnostic messages.

Tor

V769 The 'strchr(cp, ':')' pointer in the 'strchr(cp, ':') + 2' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. dns.c 163


static void
evdns_log_cb(int warn, const char *msg)
{
  ....
  const char *err = strchr(cp, ':')+2;
  tor_assert(err);
  ....
}