Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
12 new defect(s) introduced to LibreOffice found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by
Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 218 in jni_uno::Bridge::call_uno(const
jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *,
_typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
212 {
213 JLocalAutoRef jo_arg(
214 jni, jni->GetObjectArrayElement( jo_args, nPos ) );
215 jni.ensure_no_exception();
216 jvalue java_arg;
217 java_arg.l = jo_arg.get();
CID 1462318: Memory - illegal accesses (USE_AFTER_FREE)
Calling "map_to_uno" dereferences freed pointer "type".
218 map_to_uno(
219 jni, uno_args[ nPos ], java_arg, type, nullptr,
220 false /* no assign */, param.bOut,
221 true /* special wrapped integral types */ );
222 }
223 catch (...)
** CID 1462317: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1462317: Null pointer dereferences (FORWARD_NULL)
/sw/source/core/crsr/crsrsh.cxx: 1235 in SwCursorShell::GetPageNumSeqNonEmpty()()
1229 // page number: first visible page or the one at the cursor
1230 const SwContentFrame* pCFrame = GetCurrFrame(/*bCalcFrame*/true);
1231 const SwPageFrame* pPg = nullptr;
1232
1233 if (!pCFrame )
1234 {
CID 1462317: Null pointer dereferences (FORWARD_NULL)
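Passing null pointer "pCFrame" to "FindPageFrame", which dereferences it. The guard on line 1233 is "if (!pCFrame )", so this branch is entered only when "pCFrame" is null; the condition appears to be inverted.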
1235 pPg = pCFrame->FindPageFrame();
1236 if( !pPg )
1237 {
1238 pPg = Imp()->GetFirstVisPage(GetOut());
1239 while (pPg && pPg->IsEmptyPage())
1240 pPg = static_cast<const SwPageFrame*>(pPg->GetNext());
** CID 1462316: (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const
_typelib_TypeDescription *, void *, void **, _uno_Any **)()
________________________________________________________________________________________________________
*** CID 1462316: (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 457 in
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const
_typelib_TypeDescription *, void *, void **, _uno_Any **)()
451 }
452 uno_Environment_invoke(m_to.get(), s_type_destructData_v, args[nPos],
param.pTypeRef, 0);
453 }
454 }
455 if (ret != pReturn)
456 {
CID 1462316: (USE_AFTER_FREE)
Calling "uno_type_copyAndConvertData" dereferences freed pointer "pReturnTypeRef".
457 uno_type_copyAndConvertData(pReturn,
458 ret,
459 pReturnTypeRef,
460 m_to_from.get());
461
462 uno_Environment_invoke(m_to.get(), s_type_destructData_v, ret, pReturnTypeRef,
0);
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const
_typelib_TypeDescription *, void *, void **, _uno_Any **)()
485
486 // FIXME: need to destruct in m_to
487 uno_any_destruct(exc, nullptr);
488 }
489
490 if (m_probeFun)
CID 1462316: (USE_AFTER_FREE)
Passing freed pointer "pReturnTypeRef" as an argument to "*this->m_probeFun".
491 m_probeFun(false,
492 this,
493 m_pProbeContext,
494 pReturnTypeRef,
495 pParams,
496 nParams,
** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
/vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()()
________________________________________________________________________________________________________
*** CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
/vcl/unx/gtk3/gtk3gtkinst.cxx: 12791 in <unnamed>::GtkInstanceComboBox::get_popup_height()()
12785 if (m_nNonCustomLineHeight != -1)
12786 {
12787 gint nNormalHeight = get_height_rows(m_nNonCustomLineHeight,
nSeparatorHeight, nMaxRows);
12788 if (nHeight > nNormalHeight)
12789 {
12790 gint nRowsOnly = nNormalHeight - get_height_rows(0, nSeparatorHeight,
nMaxRows);
CID 1462315: Integer handling issues (DIVIDE_BY_ZERO)
In expression "(nRowsOnly + (nRowHeight - 1)) / nRowHeight", division by expression
"nRowHeight" which may be zero has undefined behavior.
12791 gint nCustomRows = (nRowsOnly + (nRowHeight - 1)) / nRowHeight;
12792 nHeight = get_height_rows(nRowHeight, nSeparatorHeight, nCustomRows);
12793 }
12794 }
12795
12796 return nHeight;
** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/cpp_uno/gcc3_linux_x86-64/cpp2uno.cxx: 78 in
cpp2uno_call(bridges::cpp_uno::shared::CppInterfaceProxy *, const _typelib_TypeDescription *,
_typelib_TypeDescriptionReference *, int, _typelib_MethodParameter *, void **, void **, void **,
unsigned long *)()
72
73 void * pUnoReturn = nullptr;
74 void * pCppReturn = nullptr; // complex return ptr: if != 0 && != pUnoReturn,
reconversion need
75
76 if ( pReturnTypeDescr )
77 {
CID 1462314: Memory - illegal accesses (USE_AFTER_FREE)
Calling "return_in_hidden_param" dereferences freed pointer "pReturnTypeRef".
78 if ( x86_64::return_in_hidden_param( pReturnTypeRef ) )
79 {
80 pCppReturn = *gpreg++;
81 nr_gpr++;
82
83 pUnoReturn = ( bridges::cpp_uno::shared::relatesToInterfaceType(
pReturnTypeDescr )
** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const
jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const
jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
1041 case typelib_TypeClass_INTERFACE:
1042 {
1043 TypeDescr element_td( element_type );
1044 seq = seq_allocate( nElements, element_td.get()->nSize );
1045
1046 JNI_type_info const * element_info;
CID 1462313: Memory - illegal accesses (USE_AFTER_FREE)
Dereferencing freed pointer "element_type".
1047 if (element_type->eTypeClass == typelib_TypeClass_STRUCT ||
1048 element_type->eTypeClass == typelib_TypeClass_EXCEPTION ||
1049 element_type->eTypeClass == typelib_TypeClass_INTERFACE)
1050 {
1051 element_info =
1052 getJniInfo()->get_type_info( jni, element_td.get() );
** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const
jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const
jni_uno::JNI_context &, jvalue *, const void *, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
2382 }
2383 }
2384 break;
2385 }
2386 default:
2387 {
CID 1462312: Memory - illegal accesses (USE_AFTER_FREE)
Dereferencing freed pointer "type".
2388 throw BridgeRuntimeError(
2389 "[map_to_java():" + OUString::unacquired( &type->pTypeName )
2390 + "] unsupported element type: "
2391 + OUString::unacquired( &element_type->pTypeName )
2392 + jni.get_stack_trace() );
2393 }
** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
________________________________________________________________________________________________________
*** CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
799 &pNew, pSequence->elements,
800 reinterpret_cast<typelib_IndirectTypeDescription *>(pTypeDescr)->pType,
801 pSequence->nElements, acquire,
802 pSequence->nElements ); // alloc nElements
803 if (ret)
804 {
CID 1462311: Memory - illegal accesses (USE_AFTER_FREE)
Passing freed pointer "pType" as an argument to "idestructSequence".
805 idestructSequence( *ppSequence, pType, pTypeDescr, release );
806 *ppSequence = pNew;
807 }
808
809 TYPELIB_DANGER_RELEASE( pTypeDescr );
810 }
** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const
jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
________________________________________________________________________________________________________
*** CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const
jni_uno::JNI_context &, void *, jvalue, _typelib_TypeDescriptionReference *, const
jni_uno::JNI_type_info *, bool, bool, bool) const()
1088 }
1089 }
1090 break;
1091 }
1092 default:
1093 {
CID 1462310: Memory - illegal accesses (USE_AFTER_FREE)
Dereferencing freed pointer "type".
1094 throw BridgeRuntimeError(
1095 "[map_to_uno():" + OUString::unacquired( &type->pTypeName )
1096 + "] unsupported sequence element type: "
1097 + OUString::unacquired( &element_type->pTypeName )
1098 + jni.get_stack_trace() );
1099 }
** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
/cppu/source/uno/destr.hxx: 139 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
133 break;
134 }
135 #if OSL_DEBUG_LEVEL > 0
136 pAny->pData = reinterpret_cast<void *>(uintptr_t(0xdeadbeef));
137 #endif
138
CID 1462309: Memory - illegal accesses (USE_AFTER_FREE)
Calling "typelib_typedescriptionreference_release" dereferences freed pointer "pType".
139 ::typelib_typedescriptionreference_release( pType );
140 }
141
142 inline sal_Int32 idestructElements(
143 void * pElements, typelib_TypeDescriptionReference * pElementType,
144 sal_Int32 nStartIndex, sal_Int32 nStopIndex,
** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const
jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *,
_typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
________________________________________________________________________________________________________
*** CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const
jni_uno::JNI_context &, _uno_Interface *, _typelib_TypeDescription *,
_typelib_TypeDescriptionReference *, int, const _typelib_MethodParameter *, _jobjectArray *) const()
280 type->eTypeClass != typelib_TypeClass_ENUM) // opt
281 {
282 uno_type_destructData( uno_args[ nPos ], type, nullptr );
283 }
284 }
285
CID 1462308: Memory - illegal accesses (USE_AFTER_FREE)
Dereferencing freed pointer "return_type".
286 if (return_type->eTypeClass != typelib_TypeClass_VOID)
287 {
288 // convert uno return value
289 jvalue java_ret;
290 try
291 {
** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile,
std::default_delete<ImpSwapFile>>::~unique_ptr()()
________________________________________________________________________________________________________
*** CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/unique_ptr.h: 270 in std::unique_ptr<ImpSwapFile,
std::default_delete<ImpSwapFile>>::~unique_ptr()()
264 is_convertible<_Up*, _Tp*>, is_same<_Dp, default_delete<_Tp>>>>
265 unique_ptr(auto_ptr<_Up>&& __u) noexcept;
266 #pragma GCC diagnostic pop
267 #endif
268
269 /// Destructor, invokes the deleter if the stored pointer is not null.
CID 1401307: Error handling issues (UNCAUGHT_EXCEPT)
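An exception of type "com::sun::star::uno::DeploymentException" is thrown but the throw
list "noexcept" doesn't allow it to be thrown. This will cause a call to unexpected() which
usually calls terminate(). (For a function declared "noexcept", as the destructor on line 270 is, an escaping exception results in std::terminate() being called directly.)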
270 ~unique_ptr() noexcept
271 {
272 auto& __ptr = _M_t._M_ptr();
273 if (__ptr != nullptr)
274 get_deleter()(__ptr);
275 __ptr = pointer();
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teExViPHTTReBArhCRZ3BE4kCjKjDqn2Dq3ZyEbAvAs31gRpU3vMPHDnoSx68vDAWjNU-3Dq6Zf_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJiWxs1vCErrIoYNhvdSMCQZgtcTF1D1LHrM3BsCXfAnGLgzcESsBiDVBNAzScIJMBKxkjb-2FR4nA3EkYvrk3n8Jn3JSKruVetBKAm4VVL7T9gKyxdchpudUX5yfzsH9q8XL9yh0-2Fozoj-2Fj46ltBXuk8AF60n-2FfLRJ15DL4KQnpvIQnifjmsyCotlUhezAX6JNBi