Bug Summary

File:Xi/queryst.c
Location:line 114, column 20
Description:Call to 'calloc' has an allocation size of 0 bytes

Annotated Source Code

1/*
2
3Copyright 1998, 1998 The Open Group
4
5Permission to use, copy, modify, distribute, and sell this software and its
6documentation for any purpose is hereby granted without fee, provided that
7the above copyright notice appear in all copies and that both that
8copyright notice and this permission notice appear in supporting
9documentation.
10
11The above copyright notice and this permission notice shall be included
12in all copies or substantial portions of the Software.
13
14THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
17IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR
18OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
19ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
20OTHER DEALINGS IN THE SOFTWARE.
21
22Except as contained in this notice, the name of The Open Group shall
23not be used in advertising or otherwise to promote the sale, use or
24other dealings in this Software without prior written authorization
25from The Open Group.
26
27*/
28
29/***********************************************************************
30 *
31 * Request to query the state of an extension input device.
32 *
33 */
34
35#ifdef HAVE_DIX_CONFIG_H1
36#include <dix-config.h>
37#endif
38
39#include "inputstr.h" /* DeviceIntPtr */
40#include "windowstr.h" /* window structure */
41#include <X11/extensions/XI.h>
42#include <X11/extensions/XIproto.h>
43#include "exevents.h"
44#include "exglobals.h"
45#include "xkbsrv.h"
46#include "xkbstr.h"
47
48#include "queryst.h"
49
50/***********************************************************************
51 *
52 * This procedure allows a client to query the state of a device.
53 *
54 */
55
56int
57SProcXQueryDeviceState(ClientPtr client)
58{
59 REQUEST(xQueryDeviceStateReq)xQueryDeviceStateReq *stuff = (xQueryDeviceStateReq *)client->
requestBuffer
;
60 swaps(&stuff->length)do { if (sizeof(*(&stuff->length)) != 2) wrong_size();
if (__builtin_constant_p((uintptr_t)(&stuff->length) &
1) && ((uintptr_t)(&stuff->length) & 1) ==
0) *(&stuff->length) = lswaps(*(&stuff->length
)); else swap_uint16((uint16_t *)(&stuff->length)); } while
(0)
;
61 return (ProcXQueryDeviceState(client));
62}
63
64/***********************************************************************
65 *
66 * This procedure allows frozen events to be routed.
67 *
68 */
69
70int
71ProcXQueryDeviceState(ClientPtr client)
72{
73 int rc, i;
74 int num_classes = 0;
75 int total_length = 0;
1
'total_length' initialized to 0
76 char *buf, *savbuf;
77 KeyClassPtr k;
78 xKeyState *tk;
79 ButtonClassPtr b;
80 xButtonState *tb;
81 ValuatorClassPtr v;
82 xValuatorState *tv;
83 xQueryDeviceStateReply rep;
84 DeviceIntPtr dev;
85 double *values;
86
87 REQUEST(xQueryDeviceStateReq)xQueryDeviceStateReq *stuff = (xQueryDeviceStateReq *)client->
requestBuffer
;
88 REQUEST_SIZE_MATCH(xQueryDeviceStateReq)if ((sizeof(xQueryDeviceStateReq) >> 2) != client->req_len
) return(16)
;
89
90 rc = dixLookupDevice(&dev, stuff->deviceid, client, DixReadAccess(1<<0));
91 if (rc != Success0 && rc != BadAccess10)
2
Assuming 'rc' is equal to 0
92 return rc;
93
94 v = dev->valuator;
95 if (v != NULL((void*)0) && v->motionHintWindow != NULL((void*)0))
3
Assuming 'v' is equal to null
96 MaybeStopDeviceHint(dev, client);
97
98 k = dev->key;
99 if (k != NULL((void*)0)) {
4
Assuming 'k' is equal to null
5
Taking false branch
100 total_length += sizeof(xKeyState);
101 num_classes++;
102 }
103
104 b = dev->button;
105 if (b != NULL((void*)0)) {
6
Assuming 'b' is equal to null
7
Taking false branch
106 total_length += sizeof(xButtonState);
107 num_classes++;
108 }
109
110 if (v != NULL((void*)0)) {
8
Taking false branch
111 total_length += (sizeof(xValuatorState) + (v->numAxes * sizeof(int)));
112 num_classes++;
113 }
114 buf = (char *) calloc(total_length, 1);
9
Call to 'calloc' has an allocation size of 0 bytes
115 if (!buf)
116 return BadAlloc11;
117 savbuf = buf;
118
119 if (k != NULL((void*)0)) {
120 tk = (xKeyState *) buf;
121 tk->class = KeyClass0;
122 tk->length = sizeof(xKeyState);
123 tk->num_keys = k->xkbInfo->desc->max_key_code -
124 k->xkbInfo->desc->min_key_code + 1;
125 if (rc != BadAccess10)
126 for (i = 0; i < 32; i++)
127 tk->keys[i] = k->down[i];
128 buf += sizeof(xKeyState);
129 }
130
131 if (b != NULL((void*)0)) {
132 tb = (xButtonState *) buf;
133 tb->class = ButtonClass1;
134 tb->length = sizeof(xButtonState);
135 tb->num_buttons = b->numButtons;
136 if (rc != BadAccess10)
137 memcpy(tb->buttons, b->down, sizeof(b->down))__builtin___memcpy_chk (tb->buttons, b->down, sizeof(b->
down), __builtin_object_size (tb->buttons, 0))
;
138 buf += sizeof(xButtonState);
139 }
140
141 if (v != NULL((void*)0)) {
142 tv = (xValuatorState *) buf;
143 tv->class = ValuatorClass2;
144 tv->length = sizeof(xValuatorState) + v->numAxes * 4;
145 tv->num_valuators = v->numAxes;
146 tv->mode = valuator_get_mode(dev, 0);
147 tv->mode |= (dev->proximity &&
148 !dev->proximity->in_proximity) ? OutOfProximity(1L << 1) : 0;
149 buf += sizeof(xValuatorState);
150 for (i = 0, values = v->axisVal; i < v->numAxes; i++) {
151 if (rc != BadAccess10)
152 *((int *) buf) = *values;
153 values++;
154 if (client->swapped) {
155 swapl((int *) buf)do { if (sizeof(*((int *) buf)) != 4) wrong_size(); if (__builtin_constant_p
((uintptr_t)((int *) buf) & 3) && ((uintptr_t)((int
*) buf) & 3) == 0) *((int *) buf) = lswapl(*((int *) buf
)); else swap_uint32((uint32_t *)((int *) buf)); } while (0)
;
156 }
157 buf += sizeof(int);
158 }
159 }
160
161 rep = (xQueryDeviceStateReply) {
162 .repType = X_Reply1,
163 .RepType = X_QueryDeviceState30,
164 .sequenceNumber = client->sequence,
165 .length = bytes_to_int32(total_length),
166 .num_classes = num_classes
167 };
168 WriteReplyToClient(client, sizeof(xQueryDeviceStateReply), &rep){ if ((client)->swapped) (*ReplySwapVector[((xReq *)(client
)->requestBuffer)->reqType]) (client, (int)(sizeof(xQueryDeviceStateReply
)), &rep); else WriteToClient(client, (int)(sizeof(xQueryDeviceStateReply
)), (&rep)); }
;
169 if (total_length > 0)
170 WriteToClient(client, total_length, savbuf);
171 free(savbuf);
172 return Success0;
173}
174
175/***********************************************************************
176 *
177 * This procedure writes the reply for the XQueryDeviceState function,
178 * if the client and server have a different byte ordering.
179 *
180 */
181
182void
183SRepXQueryDeviceState(ClientPtr client, int size, xQueryDeviceStateReply * rep)
184{
185 swaps(&rep->sequenceNumber)do { if (sizeof(*(&rep->sequenceNumber)) != 2) wrong_size
(); if (__builtin_constant_p((uintptr_t)(&rep->sequenceNumber
) & 1) && ((uintptr_t)(&rep->sequenceNumber
) & 1) == 0) *(&rep->sequenceNumber) = lswaps(*(&
rep->sequenceNumber)); else swap_uint16((uint16_t *)(&
rep->sequenceNumber)); } while (0)
;
186 swapl(&rep->length)do { if (sizeof(*(&rep->length)) != 4) wrong_size(); if
(__builtin_constant_p((uintptr_t)(&rep->length) &
3) && ((uintptr_t)(&rep->length) & 3) == 0
) *(&rep->length) = lswapl(*(&rep->length)); else
swap_uint32((uint32_t *)(&rep->length)); } while (0)
;
187 WriteToClient(client, size, rep);
188}