
List:       kde-core-devel
Subject:    Suspicious code in kdenetwork-3.5.2 C Part
From:       Christoph Bartoschek <bartoschek () gmx ! de>
Date:       2006-04-19 16:50:47
Message-ID: 200604191850.47516.bartoschek () gmx ! de

------------------------------------------------------------------
Misc problems:
------------------------------------------------------------------

- krdc/vnc/hextile.c:69
- krdc/vnc/hextile.c:120 (similar)

bg is uninitialized when line 65 is not executed.

- krfb/libvncserver/fontsel.c:61

When is j < 0?

- krfb/libvncserver/vncauth.c:112
- krdc/vnc/vncauth.c:102 (similar)

passwd is not freed here and not returned either.

- kopete/plugins/statistics/sqlite/build.c:2297
- kopete/plugins/statistics/sqlite/build.c:2249 (similar)
- kopete/plugins/statistics/sqlite/build.c:2252 (similar)

pList might be allocated in line 2293. Then line 2295 sets
pList->nAlloc. But pList->nSrc is uninitialized in line 2297.

- kopete/protocols/gadu/libgadu/libgadu.c:907

The sess->password pointer allocated at line 742 might be leaking here.

- kopete/protocols/gadu/libgadu/events.c:428

The freed pointers e->event.msg.recipients and e->event.msg.formats are
exposed to the outside world.

- kopete/protocols/gadu/libgadu/events.c:309

Is it possible that this line is executed twice in the loop of line 288?
If yes, then the old value is overwritten with the new one and it leaks.

- kopete/protocols/gadu/libgadu/events.c:621

Is e->event.notify60[i].descr correctly freed here?

- kopete/protocols/gadu/libgadu/events.c:621

The freed pointer e->event.notify60 is exposed to the outside world.

- ktalkd/ktalkd/print.c:153
- ktalkd/ktalkd/print.c:142 (similar)

According to line 149, answer is out of bounds here when it equals
NANSWERS. A >= in line 149 seems better to me.

- kopete/protocols/yahoo/libyahoo2/sample_client.c:1230

Is this a memory leak? Are cr->members and cr->room_name also freed?
They are allocated by strdup.

- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1674
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1671 (similar)
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1630 (similar)
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1706 (similar)

from, url, to might be uninitialized here.

------------------------------------
Problems involving the NULL pointer:
------------------------------------

- kopete/protocols/yahoo/libyahoo2/sample_client.c:1191
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1251 (similar)
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1267 (similar)
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1285 (similar)
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1316 (similar)
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1369 (similar)
- kopete/protocols/yahoo/libyahoo2/sample_client.c:1446 (similar)

copy could be NULL here. copy gets NULL in line 1158. Then line 1179 is
true and line 1184 is again false. Then I would expect cr to be NULL and
copy is NULL in line 1191.

- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1208
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1214
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1220
- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1226

Is it impossible that currentmember is still NULL here, because this
variable did not get a member assigned? Maybe an assertion helps.

- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1421-1470

Is it impossible that users is still NULL here? What when this case is
selected when the for loop in line 1397 is first entered?

- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:621

Assume that pos + 1 == len in line 599 and the while loop finishes.
Assume further that x != 0 after the while loop in line 599. After line
605 it then holds that pos - 1 == len. accept gets true because x != 0.
Now line 612 is executed with value = malloc(len - pos + 1) <=>
malloc(pos - 1 - pos + 1) = malloc(0). The result of malloc(0) is
implementation-defined, but it is at least invalid to write into value[0]
as it is done in line 621.

- kopete/plugins/statistics/sqlite/where.c:213

If pExpr->pRight is NULL as indicated by line 193, then 213 crashes.

- kopete/plugins/statistics/sqlite/vdbeapi.c:425

If p is NULL as indicated by line 424, then line 425 crashes.

- kopete/plugins/statistics/sqlite/select.c:1704

If p is NULL as indicated by line 1367, then line 1704 crashes.

- kopete/plugins/statistics/sqlite/trigger.c:84

If pName2 is NULL as indicated by line 63, then line 84 crashes.


------------------------------------------------------------------
Cases from switch statements that fall through in some cases but
do not have a fall-through comment as in most such cases.
------------------------------------------------------------------

- kopete/protocols/yahoo/libyahoo2/libyahoo2.c:1618
- kopete/protocols/gadu/libgadu/dcc.c:848 (there might be a comment)
- kopete/plugins/statistics/sqlite/expr.c:1122

------------------------------------------------------------------
Lines where boolean expressions are used in non-boolean contexts:

I suspect that at least the lines marked with !!! are bugs.
------------------------------------------------------------------

- kopete/plugins/statistics/sqlite/build.c:2463
- kopete/plugins/statistics/sqlite/btree.c:917
- kopete/plugins/statistics/sqlite/btree.c:795
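The malloc(0) argument in the libyahoo2.c:621 item, replayed as an added example (written for this edit, not code from the mail or from libyahoo2): a simplified key/value scan that assumes the two-byte terminator and the pos/len arithmetic the mail describes, beside a guarded variant that rejects a key with no terminator. The function names, the terminator bytes and the sample buffers are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified reconstruction (an assumption, not libyahoo2's source): a key
 * runs up to the two-byte terminator SEP0 SEP1, pos is advanced past that
 * terminator, and len - pos + 1 bytes are allocated for the value. */
enum { SEP0 = 0xC0, SEP1 = 0x80 };

/* Replays the unguarded arithmetic from the mail and returns the byte count
 * that malloc(len - pos + 1) would request; -1 when no key was read. A key
 * that reaches the end of the buffer without a terminator yields 0. */
long unguarded_value_size(const unsigned char *data, long len)
{
    long pos = 0, x = 0;
    while (pos + 1 < len) {                   /* the "line 599" loop */
        if (data[pos] == SEP0 && data[pos + 1] == SEP1)
            break;
        x++; pos++;
    }
    pos += 2;                                 /* skips the terminator even if absent */
    if (x == 0)
        return -1;                            /* accept is false: nothing allocated */
    return len - pos + 1;                     /* pos == len + 1 gives malloc(0) */
}

/* Guarded variant: a key must be followed by the terminator, so pos <= len
 * holds after the skip and the value buffer is at least one byte. Returns
 * the NUL-terminated value (caller frees) or NULL for malformed input. */
char *guarded_value(const unsigned char *data, long len)
{
    long pos = 0, x = 0, n = 0;
    while (pos + 1 < len && !(data[pos] == SEP0 && data[pos + 1] == SEP1)) {
        x++; pos++;
    }
    if (x == 0 || pos + 1 >= len)             /* empty key or terminator missing */
        return NULL;
    pos += 2;
    char *value = malloc((size_t)(len - pos + 1)); /* >= 1 byte, room for the NUL */
    if (value == NULL)
        return NULL;
    while (pos + 1 < len && !(data[pos] == SEP0 && data[pos + 1] == SEP1))
        value[n++] = (char)data[pos++];
    value[n] = '\0';
    return value;
}

/* Constructed sample buffers: a well-formed pair and a truncated key. */
const unsigned char SAMPLE_OK[]  = {'5', SEP0, SEP1, 'h', 'i', SEP0, SEP1};
const unsigned char SAMPLE_BAD[] = {'1', '2'};
```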