Bug Summary

File: src/PolyTxt16.c
Location: line 203, column 16
Description: Access to field 'len' results in a dereference of a null pointer (loaded from variable 'elt')

Annotated Source Code

/*

Copyright 1986, 1998 The Open Group

Permission to use, copy, modify, distribute, and sell this software and its
documentation for any purpose is hereby granted without fee, provided that
the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation.

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of The Open Group shall not be
used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization from The Open Group.

*/
26
27#ifdef HAVE_CONFIG_H1
28#include <config.h>
29#endif
30#include "Xlibint.h"
31
/*
 * Encode a PolyText16 request for drawable d / GC gc and queue it in dpy's
 * output buffer.  Per XTextItem16 the body may hold: a font-shift marker
 * (a 255 byte followed by the 4-byte font id, big-endian), one or more
 * delta-only xTextElt headers for deltas outside [-128,127], and xTextElt
 * chunks of at most 254 characters.  The body is padded to a 32-bit
 * boundary and the buffer is flushed if it is left misaligned.
 *
 * Parameters:
 *   dpy    - display whose output buffer receives the request
 *   d      - target drawable
 *   gc     - graphics context; gc->values.font is updated on font shifts
 *   x, y   - start position
 *   items  - array of nitems text items
 *   nitems - number of entries in items
 *
 * Returns 1 unconditionally.
 */
int
XDrawText16(
    register Display *dpy,
    Drawable d,
    GC gc,
    int x,
    int y,
    XTextItem16 *items,
    int nitems)
{
    register int i;
    register XTextItem16 *item;
    int length = 0;
    register xPolyText16Req *req;

    LockDisplay(dpy);
    FlushGC(dpy, gc);
    GetReq (PolyText16, req);
    req->drawable = d;
    req->gc = gc->gid;
    req->x = x;
    req->y = y;

    /*
     * First pass: count the bytes of the item bodies.  This must mirror
     * exactly what the second pass allocates with BufAlloc, because the
     * pre-flush below relies on `length` to decide that the whole body
     * fits in the buffer.
     */
    item = items;
    for (i=0; i < nitems; i++) {
        if (item->font)
            length += 5;        /* a 255 byte, plus size of Font id */
        if (item->delta)
        {
            /* one delta-only xTextElt per 127 (or -128) of delta */
            if (item->delta > 0)
            {
                length += SIZEOF(xTextElt) * ((item->delta + 126) / 127);
            }
            else
            {
                length += SIZEOF(xTextElt) * ((-item->delta + 127) / 128);
            }
        }
        if (item->nchars > 0)
        {
            /*
             * One xTextElt header per 254-char chunk.  The first chunk
             * only needs its own header when no delta element was
             * emitted; otherwise the last delta element's header is
             * reused for it (see the DummyChar branches below).
             */
            length += SIZEOF(xTextElt) * ((item->nchars + 253) / 254 - 1);
            if (!item->delta) length += SIZEOF(xTextElt);
            length += item->nchars << 1;
        }
        item++;
    }

    req->length += (length + 3)>>2;  /* convert to number of 32-bit words */


    /*
     * If the entire request does not fit into the remaining space in the
     * buffer, flush the buffer first.  If the request does fit into the
     * empty buffer, then we won't have to flush it at the end to keep
     * the buffer 32-bit aligned.
     */

    if (dpy->bufptr + length > dpy->bufmax)
        _XFlush (dpy);

    /* Second pass: emit the bytes counted above. */
    item = items;
    for (i=0; i< nitems; i++) {

        if (item->font) {
            /* to mark a font shift, write a 255 byte followed by
               the 4 bytes of font ID, big-end first */
            register unsigned char *f;
            BufAlloc (unsigned char *, f, 5);

            f[0] = 255;
            f[1] = (item->font & 0xff000000) >> 24;
            f[2] = (item->font & 0x00ff0000) >> 16;
            f[3] = (item->font & 0x0000ff00) >> 8;
            f[4] = item->font & 0x000000ff;

            /* update GC shadow */
            gc->values.font = item->font;
        }

        {
            int nbytes = SIZEOF(xTextElt);
            int PartialNChars = item->nchars;
            int PartialDelta = item->delta;
            /*
             * elt is assigned by every BufAlloc below that emits an
             * xTextElt header.  When item->delta != 0 it is left pointing
             * at the last delta element, whose len field is filled in by
             * the character code further down instead of emitting a
             * separate header for the first chunk.
             */
            register xTextElt *elt = NULL;
            int FirstTimeThrough = True;
            XChar2b *CharacterOffset = item->chars;

            /* deltas outside the 8-bit range are split into 127 / -128 steps */
            while((PartialDelta < -128) || (PartialDelta > 127))
            {
                int nb = SIZEOF(xTextElt);

                BufAlloc (xTextElt *, elt, nb);
                elt->len = 0;
                if (PartialDelta > 0 )
                {
                    elt->delta = 127;
                    PartialDelta = PartialDelta - 127;
                }
                else
                {
                    elt->delta = -128;
                    PartialDelta = PartialDelta + 128;
                }
            }
            /*
             * Remainder of the delta.  It is non-zero whenever item->delta
             * was: each loop pass above subtracts 127 from a value > 127
             * or adds 128 to a value < -128, so it cannot reach 0.
             */
            if (PartialDelta)
            {
                BufAlloc (xTextElt *, elt, nbytes);
                elt->len = 0;
                elt->delta = PartialDelta;
            }
            while(PartialNChars > 254)
            {
                nbytes = 254 * 2;
                if (FirstTimeThrough)
                {
                    FirstTimeThrough = False;
                    if (!item->delta)
                    {
                        /* no delta element: this chunk needs its own header */
                        nbytes += SIZEOF(xTextElt);
                        BufAlloc (xTextElt *, elt, nbytes);
                        elt->delta = 0;
                    }
                    else
                    {
                        /*
                         * Reuse the delta element's header (elt): only
                         * reserve the character bytes.  They follow elt
                         * directly as long as this BufAlloc did not flush.
                         */
                        char *DummyChar;
                        BufAlloc(char *, DummyChar, nbytes);
#ifdef lint
                        DummyChar = DummyChar;
#endif
                    }
                }
                else
                {
                    nbytes += SIZEOF(xTextElt);
                    BufAlloc (xTextElt *, elt, nbytes);
                    elt->delta = 0;
                }
                elt->len = 254;

                memcpy ((char *) (elt + 1), (char *)CharacterOffset, 254 * 2);
                PartialNChars = PartialNChars - 254;
                CharacterOffset += 254;

            }
            if (PartialNChars)
            {
                nbytes = PartialNChars * 2;
                if (FirstTimeThrough)
                {
                    FirstTimeThrough = False;
                    if (!item->delta)
                    {
                        nbytes += SIZEOF(xTextElt);
                        BufAlloc (xTextElt *, elt, nbytes);
                        elt->delta = 0;
                    }
                    else
                    {
                        /* as above: the header was emitted with the delta */
                        char *DummyChar;
                        BufAlloc(char *, DummyChar, nbytes);
#ifdef lint
                        DummyChar = DummyChar;
#endif
                    }
                }
                else
                {
                    nbytes += SIZEOF(xTextElt);
                    BufAlloc (xTextElt *, elt, nbytes);
                    elt->delta = 0;
                }
                /*
                 * NOTE(review): the clang static analyzer reports "Access
                 * to field 'len' results in a dereference of a null
                 * pointer (loaded from variable 'elt')" on the next line.
                 * Its path assumes PartialDelta (= item->delta) is 0 at the
                 * top of this block, so no delta element is emitted, and
                 * then takes the false branch of "if (!item->delta)" just
                 * above, so the DummyChar branch runs and elt stays NULL.
                 * Both are reads of the same field with no write or call
                 * in between on that path, so the path looks infeasible:
                 * with item->delta != 0 the "if (PartialDelta)" BufAlloc
                 * always runs and elt points at that delta element.
                 * Treat as a likely false positive -- TODO confirm.
                 *
                 * What the DummyChar path does rely on is that no flush
                 * happened between the delta element's BufAlloc and the
                 * DummyChar BufAlloc; otherwise elt would refer to the
                 * already-flushed region and the memcpy below would be
                 * placed relative to that stale pointer.  The pre-flush
                 * before this loop is what rules that out when the whole
                 * body fits in the buffer -- TODO confirm the behaviour
                 * for item bodies larger than the buffer.
                 */
                elt->len = PartialNChars;

                memcpy ((char *) (elt + 1), (char *)CharacterOffset,
                        PartialNChars *
                        2);
            }
        }
        item++;
    }

    /* Pad request out to a 32-bit boundary */

    if (length &= 3) {
        char *pad;
        /*
         * BufAlloc is a macro that uses its last argument more than
         * once, otherwise I'd write "BufAlloc (char *, pad, 4-length)"
         */
        length = 4 - length;
        BufAlloc (char *, pad, length);
        /*
         * if there are 3 bytes of padding, the first byte MUST be 0
         * so the pad bytes aren't mistaken for a final xTextElt
         */
        *pad = 0;
    }

    /*
     * If the buffer pointer is not now pointing to a 32-bit boundary,
     * we must flush the buffer so that it does point to a 32-bit boundary
     * at the end of this routine.
     */

    if ((dpy->bufptr - dpy->buffer) & 3)
        _XFlush (dpy);

    UnlockDisplay(dpy);
    SyncHandle();
    return 1;
}
243
244
245