Examples of errors detected by the V769 diagnostic

V769. The pointer in the expression equals nullptr. The resulting value is meaningless and should not be used.

Tor

V769 The 'strchr(cp, ':')' pointer in the 'strchr(cp, ':') + 2' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. dns.c 163

static void
evdns_log_cb(int warn, const char *msg)
{
  ....
  const char *err = strchr(cp, ':')+2;
  tor_assert(err);
  ....
}

Aspell

V769 The 'strchr(s, ':')' pointer in the 'strchr(s, ':') + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. posib_err.cpp 52

PosibErrBase & PosibErrBase::set(....)
{
  ....
  s = strchr(s, ':') + 1;
  unsigned int ip = *s - '0' - 1;
  ....
}

Similar errors can be found in some other places:

• V769 The 'begin_' pointer in the 'begin_ + old_size' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. string.cpp 36
• V769 The 'w->data' pointer in the 'w->data + cc' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. typo_editdist.cpp 166
• V769 The '(cur)->str' pointer in the '(cur)->str + pos' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. prezip.c 103
• And 1 additional diagnostic messages.

EFL Core Libraries

V769 The 'ed->file->sound_dir->samples' pointer in the expression could be nullptr. In such case, resulting value of arithmetic operations on this pointer will be senseless and it should not be used. edje_edit.c 1271

EAPI Eina_Bool
edje_edit_sound_sample_add(Evas_Object *obj, const char *name,
                           const char *snd_src)
{
   ....
   ed->file->sound_dir->samples =
     realloc(ed->file->sound_dir->samples,
             sizeof(Edje_Sound_Sample) *
             ed->file->sound_dir->samples_count);

   sound_sample = ed->file->sound_dir->samples +
     ed->file->sound_dir->samples_count - 1;
   sound_sample->name = (char *)eina_stringshare_add(name);
   ....
}

Similar errors can be found in some other places:

• V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 539
• V769 The 'new_txt' pointer in the 'new_txt + outlen' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. eina_str.c 611
• V769 The 'tmp' pointer in the 'tmp ++' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. evas_object_textblock.c 11131
• And 7 additional diagnostic messages.

MySQL

V769 The 'new_buffer' pointer in the 'new_buffer + fixed_header_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 74, 73. gcs_message_stage_lz4.cc 74

bool
Gcs_message_stage_lz4::apply(Gcs_packet &packet)
{
  ....
  unsigned char *new_buffer =
    (unsigned char*) malloc(new_capacity);
  unsigned char *new_payload_ptr =
    new_buffer + fixed_header_len + hd_len;

  // compress payload
  compressed_len=
    LZ4_compress_default((const char*)packet.get_payload(),
                         (char*)new_payload_ptr,
                         static_cast<int>(old_payload_len),
                         compress_bound);
  ....
}

V8 JavaScript Engine

V769 CWE-119 The 'copy' pointer in the 'copy + prefix_len' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 394, 393. code-assembler.cc 394

void CodeAssembler::Comment(const char* format, ...) {
  ....
  const int prefix_len = 2;
  int length = builder.position() + 1;
  char* copy = reinterpret_cast<char*>(malloc(length +
                                              prefix_len));
  MemCopy(copy + prefix_len, builder.Finalize(), length);
  copy[0] = ';';
  copy[1] = ' ';
  raw_assembler()->Comment(copy);
}

There is no protection if the malloc function returns a null pointer.

LLVM/Clang

V769 CWE-119 The 'NewTableArray' pointer in the 'NewTableArray + NewSize' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 218, 216. stringmap.cpp 218

unsigned StringMapImpl::RehashTable(unsigned BucketNo) {
  ....
  StringMapEntryBase **NewTableArray =
    (StringMapEntryBase **)calloc(NewSize+1,
      sizeof(StringMapEntryBase *) + sizeof(unsigned));
  unsigned *NewHashArray =
    (unsigned *)(NewTableArray + NewSize + 1);
  NewTableArray[NewSize] = (StringMapEntryBase*)2;
  ....
}

The bug is interesting because if calloc returns NULL, then the program will not necessarily immediately fall. A record occurs not by a null pointer, but by a shift equal to NewSize.

Hunspell

V769 CWE-119 The 'candidate' pointer in the 'candidate + 1' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 864, 863. suggestmgr.cxx 864

int SuggestMgr::twowords(....)
{
  ....
  char* candidate = (char*)malloc(wl + 2);
  strcpy(candidate + 1, word);
  ....
}

There is no protection if the malloc function returns a null pointer.

Android

V769 CWE-119 The '(uint32_t *) metadata' pointer in the '(uint32_t *) metadata + new_size_int' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 91, 89. radio_metadata.c 91

int check_size(radio_metadata_buffer_t **metadata_ptr, const uint32_t size_int)
{
  ....
  metadata = realloc(metadata,
                     new_size_int * sizeof(uint32_t));
  memmove(
   (uint32_t *)metadata + new_size_int - (metadata->count + 1),
   (uint32_t *)metadata + metadata->size_int -
                           (metadata->count + 1),
   (metadata->count + 1) * sizeof(uint32_t));
  ....
}

Qt

V769 CWE-119 The 'ptr' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. qdbusdemarshaller.cpp 299

QVariant QDBusDemarshaller::toVariantInternal()
{
  ....
  default:
    char *ptr = 0;
    ptr += q_dbus_message_iter_get_arg_type(&iterator);
    q_dbus_message_iter_next(&iterator);

    // I hope you never dereference this pointer!
    return QVariant::fromValue<void *>(ptr);
  };
}

FreeRDP

V769 The 'data' pointer in the expression equals nullptr. The resulting value of arithmetic operations on this pointer is senseless and it should not be used. nsc_encode.c 124

static BOOL nsc_encode_argb_to_aycocg(NSC_CONTEXT* context,
                                      const BYTE* data,
                                      UINT32 scanline)
{
  ....
  if (!context || data || (scanline == 0))
    return FALSE;
  ....
  src = data + (context->height - 1 - y) * scanline;
  ....
}

Newton Game Dynamics

V769 The 'result' pointer in the 'result + i' expression equals nullptr. The resulting value is senseless and it should not be used. win32_monitor.c 286

GLFWvidmode* _glfwPlatformGetVideoModes(_GLFWmonitor* monitor, int* count)
{
  GLFWvidmode* result = NULL;
  ....
  for (i = 0;  i < *count;  i++)
    {
    if (_glfwCompareVideoModes(result + i, &mode) == 0)
      break;
    }
}

CSV Parser

V769 The 'buffer.get()' pointer in the 'line_buffer - buffer.get()' expression equals nullptr. The resulting value is senseless and it should not be used. csv.hpp 4957

CSV_INLINE void CSVReader::read_csv(const size_t& bytes) {
  const size_t BUFFER_UPPER_LIMIT = std::min(bytes, (size_t)1000000);
  std::unique_ptr<char[]> buffer(new char[BUFFER_UPPER_LIMIT]);
  auto * HEDLEY_RESTRICT line_buffer = buffer.get();
  line_buffer[0] = '\0';
  ....
  this->feed_state->feed_buffer.push_back(
    std::make_pair<>(std::move(buffer), line_buffer - buffer.get())); // <=
  ....
}

DeepSpeech

V769 The 'middle_begin_' pointer in the 'middle_begin_ + (counts.size() - 2)' expression could be nullptr. In such case, resulting value will be senseless and it should not be used. Check lines: 553, 552. search_trie.cc 553

template <class Quant, class Bhiksha> class TrieSearch {
....
private:
  ....
  Middle *middle_begin_, *middle_end_;
  ....
};

template <class Quant, class Bhiksha>
uint8_t *TrieSearch<Quant, Bhiksha>::SetupMemory(....)
{
  ....
  middle_begin_
    = static_cast<Middle*>(malloc(sizeof(Middle) * (counts.size() - 2)));
  middle_end_ = middle_begin_ + (counts.size() - 2);
  ....
}

Overgrowth

V769 [CERT-EXP08-C] The 'idx_buffer_offset' pointer in the 'idx_buffer_offset += pcmd->ElemCount' expression equals nullptr. The resulting value is senseless and it should not be used. imgui_impl_sdl_gl3.cpp 138

void ImGui_ImplSdlGL3_RenderDrawLists(ImDrawData* draw_data)
{
  const ImDrawIdx* idx_buffer_offset = 0;
  ....
  idx_buffer_offset += pcmd->ElemCount;
  ....
}

Similar errors can be found in some other places:

• V769 [CERT-EXP08-C] The 'cp' pointer in the 'cp ++' expression equals nullptr. The resulting value is senseless and it should not be used. crn_file_utils.cpp 547

GTK

V769 [CWE-119, CERT-EXP08-C] The 'end' pointer in the 'end += strlen(beg)' expression equals nullptr. The resulting value is senseless and it should not be used. position.cpp 36

Offset Offset::init(const char* beg, const char* end)
{
  Offset offset(0, 0);
  if (end == 0) {
    end += strlen(beg);
  }
  offset.add(beg, end);
  return offset;
}

Most likely this is what should be written here: end = beg + strlen(beg);

GZDoom

V769 The 'pp' pointer in the 'pp += 3' expression equals nullptr. The resulting value is senseless and it should not be used. models_voxel.cpp 145

PalettedPixels FVoxelTexture::CreatePalettedPixels(int conversion, int frame)
{
  uint8_t *pp = SourceVox->Palette.Data();

  if (pp != nullptr)
  {
    ....
  }
  else
  {
    for (int i = 0; i < 256; i++, pp+=3)
    {
      bitmap[i] = (uint8_t)i;
      pe[i] = GPalette.BaseColors[i];
      pe[i].a = 255;
    }
  }
}