File: | src/PolyTxt16.c |
Location: | line 203, column 16 |
Description: | Access to field 'len' results in a dereference of a null pointer (loaded from variable 'elt') |
1 | /* | |||
2 | ||||
3 | Copyright 1986, 1998 The Open Group | |||
4 | ||||
5 | Permission to use, copy, modify, distribute, and sell this software and its | |||
6 | documentation for any purpose is hereby granted without fee, provided that | |||
7 | the above copyright notice appear in all copies and that both that | |||
8 | copyright notice and this permission notice appear in supporting | |||
9 | documentation. | |||
10 | ||||
11 | The above copyright notice and this permission notice shall be included in | |||
12 | all copies or substantial portions of the Software. | |||
13 | ||||
14 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |||
15 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |||
16 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |||
17 | OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN | |||
18 | AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | |||
19 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |||
20 | ||||
21 | Except as contained in this notice, the name of The Open Group shall not be | |||
22 | used in advertising or otherwise to promote the sale, use or other dealings | |||
23 | in this Software without prior written authorization from The Open Group. | |||
24 | ||||
25 | */ | |||
26 | ||||
27 | #ifdef HAVE_CONFIG_H1 | |||
28 | #include <config.h> | |||
29 | #endif | |||
30 | #include "Xlibint.h" | |||
31 | ||||
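/*
 * XDrawText16 - append a PolyText16 request for a list of 16-bit text
 * items to the display's output buffer.
 *
 * dpy     display connection; locked for the duration of the call
 * d, gc   drawable and graphics context named in the request
 * x, y    origin copied into the request header
 * items   array of nitems XTextItem16 entries (font, delta, chars, nchars)
 * nitems  number of entries; the loops do nothing when it is <= 0
 *
 * The function makes two passes over items: the first computes the encoded
 * size so the request length can be set and the buffer flushed up front,
 * the second writes the font-shift bytes, delta elements and character
 * chunks.  Always returns 1.
 *
 * NOTE(review): the fields of items are supplied by the caller and are
 * summed into a plain int with no overflow or maximum-request-size check
 * visible in this function; the width of req->length is not shown here.
 * Confirm that oversized item lists are rejected somewhere before the
 * request reaches the wire.
 */
int
XDrawText16(
    register Display *dpy,
    Drawable d,
    GC gc,
    int x,
    int y,
    XTextItem16 *items,
    int nitems)
{
    register int i;
    register XTextItem16 *item;
    int length = 0;
    register xPolyText16Req *req;

    LockDisplay(dpy);
    FlushGC(dpy, gc);
    GetReq (PolyText16, req);
    req->drawable = d;
    req->gc = gc->gid;
    req->x = x;
    req->y = y;

    /* Pass 1: compute the number of bytes the items will occupy. */
    item = items;
    for (i=0; i < nitems; i++) {
        if (item->font)
            length += 5;  /* a 255 byte, plus size of Font id */
        if (item->delta)
        {
            /* one xTextElt per step of at most +127 or -128 */
            if (item->delta > 0)
            {
                length += SIZEOF(xTextElt) * ((item->delta + 126) / 127);
            }
            else
            {
                length += SIZEOF(xTextElt) * ((-item->delta + 127) / 128);
            }
        }
        if (item->nchars > 0)
        {
            /*
             * One xTextElt header per chunk of up to 254 characters; when
             * the item has a delta, its last delta element doubles as the
             * header of the first chunk, hence the "- 1".
             */
            length += SIZEOF(xTextElt) * ((item->nchars + 253) / 254 - 1);
            if (!item->delta) length += SIZEOF(xTextElt);
            length += item->nchars << 1;  /* two bytes per character */
        }
        item++;
    }

    req->length += (length + 3)>>2;  /* convert to number of 32-bit words */


    /*
     * If the entire request does not fit into the remaining space in the
     * buffer, flush the buffer first.  If the request does fit into the
     * empty buffer, then we won't have to flush it at the end to keep
     * the buffer 32-bit aligned.
     */

    if (dpy->bufptr + length > dpy->bufmax)
        _XFlush (dpy);

    /* Pass 2: write the items into the output buffer. */
    item = items;
    for (i=0; i< nitems; i++) {

        if (item->font) {
            /* to mark a font shift, write a 255 byte followed by
               the 4 bytes of font ID, big-end first */
            register unsigned char *f;
            BufAlloc (unsigned char *, f, 5);

            f[0] = 255;
            f[1] = (item->font & 0xff000000) >> 24;
            f[2] = (item->font & 0x00ff0000) >> 16;
            f[3] = (item->font & 0x0000ff00) >> 8;
            f[4] =  item->font & 0x000000ff;

            /* update GC shadow */
            gc->values.font = item->font;
        }

        {
            int nbytes = SIZEOF(xTextElt);
            /*
             * Read the delta once.  Whether elt is set before the first
             * character chunk depends on the "has a delta" decision being
             * the same here and in the FirstTimeThrough branches below;
             * using one snapshot keeps that invariant local to this block
             * instead of relying on item->delta reading the same twice.
             */
            const int item_delta = item->delta;
            int PartialNChars = item->nchars;
            int PartialDelta = item_delta;
            register xTextElt *elt = NULL;
            int FirstTimeThrough = True;
            XChar2b *CharacterOffset = item->chars;

            /* Emit empty elements until the remaining delta fits in one. */
            while((PartialDelta < -128) || (PartialDelta > 127))
            {
                int nb = SIZEOF(xTextElt);

                BufAlloc (xTextElt *, elt, nb);
                elt->len = 0;
                if (PartialDelta > 0 )
                {
                    elt->delta = 127;
                    PartialDelta = PartialDelta - 127;
                }
                else
                {
                    elt->delta = -128;
                    PartialDelta = PartialDelta + 128;
                }
            }
            if (PartialDelta)
            {
                BufAlloc (xTextElt *, elt, nbytes);
                elt->len = 0;
                elt->delta = PartialDelta;
            }
            /* Full chunks of 254 characters. */
            while(PartialNChars > 254)
            {
                nbytes = 254 * 2;
                if (FirstTimeThrough)
                {
                    FirstTimeThrough = False;
                    if (!item_delta)
                    {
                        nbytes += SIZEOF(xTextElt);
                        BufAlloc (xTextElt *, elt, nbytes);
                        elt->delta = 0;
                    }
                    else
                    {
                        /*
                         * Reserve only the character bytes: elt still
                         * points at the last delta element written above,
                         * which serves as this chunk's header.
                         * NOTE(review): if this BufAlloc has to call
                         * _XFlush, whether elt is still adjacent to the
                         * reserved bytes depends on _XFlush, which is not
                         * shown here; the up-front flush before this pass
                         * appears intended to avoid that for requests that
                         * fit in the buffer - confirm.
                         */
                        char *DummyChar;
                        BufAlloc(char *, DummyChar, nbytes);
#ifdef lint
                        DummyChar = DummyChar;
#endif
                    }
                }
                else
                {
                    nbytes += SIZEOF(xTextElt);
                    BufAlloc (xTextElt *, elt, nbytes);
                    elt->delta = 0;
                }
                elt->len = 254;

                memcpy ((char *) (elt + 1), (char *)CharacterOffset, 254 * 2);
                PartialNChars = PartialNChars - 254;
                CharacterOffset += 254;

            }
            /*
             * Final partial chunk.  Test "> 0" rather than "!= 0": the size
             * pass above only counts items with nchars > 0, so a negative
             * nchars must not reach BufAlloc/memcpy, where it would become
             * a negative buffer advance and a huge copy length.
             */
            if (PartialNChars > 0)
            {
                nbytes = PartialNChars * 2;
                if (FirstTimeThrough)
                {
                    FirstTimeThrough = False;
                    if (!item_delta)
                    {
                        nbytes += SIZEOF(xTextElt);
                        BufAlloc (xTextElt *, elt, nbytes);
                        elt->delta = 0;
                    }
                    else
                    {
                        /* header is the last delta element, as above */
                        char *DummyChar;
                        BufAlloc(char *, DummyChar, nbytes);
#ifdef lint
                        DummyChar = DummyChar;
#endif
                    }
                }
                else
                {
                    nbytes += SIZEOF(xTextElt);
                    BufAlloc (xTextElt *, elt, nbytes);
                    elt->delta = 0;
                }
                /*
                 * elt is non-NULL here: either item_delta was zero and one
                 * of the branches above allocated it, or item_delta was
                 * non-zero and the delta code allocated at least one
                 * element.
                 */
                elt->len = PartialNChars;

                memcpy ((char *) (elt + 1), (char *)CharacterOffset,
                        PartialNChars *
                        2);
            }
        }
        item++;
    }

    /* Pad request out to a 32-bit boundary */

    if (length &= 3) {
        char *pad;
        /*
         * BufAlloc is a macro that uses its last argument more than
         * once, otherwise I'd write "BufAlloc (char *, pad, 4-length)"
         */
        length = 4 - length;
        BufAlloc (char *, pad, length);
        /*
         * if there are 3 bytes of padding, the first byte MUST be 0
         * so the pad bytes aren't mistaken for a final xTextElt
         */
        *pad = 0;
    }

    /*
     * If the buffer pointer is not now pointing to a 32-bit boundary,
     * we must flush the buffer so that it does point to a 32-bit boundary
     * at the end of this routine.
     */

    if ((dpy->bufptr - dpy->buffer) & 3)
        _XFlush (dpy);

    UnlockDisplay(dpy);
    SyncHandle();
    return 1;
}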
243 | ||||
244 | ||||
245 |