

On 06/08/2020 22:33, scan-admin@coverity.com wrote:
** CID 1462318:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1462318:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 218 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context 
&, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const 
_typelib_MethodParameter *, _jobjectArray *) const()
212                 {
213                     JLocalAutoRef jo_arg(
214                         jni, jni->GetObjectArrayElement( jo_args, nPos ) );
215                     jni.ensure_no_exception();
216                     jvalue java_arg;
217                     java_arg.l = jo_arg.get();
     CID 1462318:  Memory - illegal accesses  (USE_AFTER_FREE)
     Calling "map_to_uno" dereferences freed pointer "type".
218                     map_to_uno(
219                         jni, uno_args[ nPos ], java_arg, type, nullptr,
220                         false /* no assign */, param.bOut,
221                         true /* special wrapped integral types */ );
222                 }
223                 catch (...)

** CID 1462316:    (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in 
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const 
_typelib_TypeDescription *, void *, void **, _uno_Any **)()


________________________________________________________________________________________________________
*** CID 1462316:    (USE_AFTER_FREE)
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 457 in 
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const 
_typelib_TypeDescription *, void *, void **, _uno_Any **)()
451                     }
452                     uno_Environment_invoke(m_to.get(), s_type_destructData_v, args[nPos], 
param.pTypeRef, 0);
453                 }
454             }
455             if (ret != pReturn)
456             {
     CID 1462316:    (USE_AFTER_FREE)
     Calling "uno_type_copyAndConvertData" dereferences freed pointer "pReturnTypeRef".
457                 uno_type_copyAndConvertData(pReturn,
458                                             ret,
459                                             pReturnTypeRef,
460                                             m_to_from.get());
461
462                 uno_Environment_invoke(m_to.get(), s_type_destructData_v, ret, pReturnTypeRef, 
0);
/cppu/source/helper/purpenv/helper_purpenv_Proxy.cxx: 491 in 
Proxy::dispatch(_typelib_TypeDescriptionReference *, _typelib_MethodParameter *, int, const 
_typelib_TypeDescription *, void *, void **, _uno_Any **)()
485
486             // FIXME: need to destruct in m_to
487             uno_any_destruct(exc, nullptr);
488         }
489
490         if (m_probeFun)
     CID 1462316:    (USE_AFTER_FREE)
     Passing freed pointer "pReturnTypeRef" as an argument to "*this->m_probeFun".
491             m_probeFun(false,
492                        this,
493                        m_pProbeContext,
494                        pReturnTypeRef,
495                        pParams,
496                        nParams,

** CID 1462314:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1462314:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/cpp_uno/gcc3_linux_x86-64/cpp2uno.cxx: 78 in 
cpp2uno_call(bridges::cpp_uno::shared::CppInterfaceProxy *, const _typelib_TypeDescription *, 
_typelib_TypeDescriptionReference *, int, _typelib_MethodParameter *, void **, void **, void **, 
unsigned long *)()
72
73         void * pUnoReturn = nullptr;
74         void * pCppReturn = nullptr; // complex return ptr: if != 0 && != pUnoReturn, 
reconversion need
75
76         if ( pReturnTypeDescr )
77         {
     CID 1462314:  Memory - illegal accesses  (USE_AFTER_FREE)
     Calling "return_in_hidden_param" dereferences freed pointer "pReturnTypeRef".
78             if ( x86_64::return_in_hidden_param( pReturnTypeRef ) )
79             {
80                 pCppReturn = *gpreg++;
81                 nr_gpr++;
82
83                 pUnoReturn = ( bridges::cpp_uno::shared::relatesToInterfaceType( 
pReturnTypeDescr )

** CID 1462313:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context 
&, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, 
bool) const()


________________________________________________________________________________________________________
*** CID 1462313:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1047 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context 
&, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, 
bool) const()
1041             case typelib_TypeClass_INTERFACE:
1042             {
1043                 TypeDescr element_td( element_type );
1044                 seq = seq_allocate( nElements, element_td.get()->nSize );
1045
1046                 JNI_type_info const * element_info;
     CID 1462313:  Memory - illegal accesses  (USE_AFTER_FREE)
     Dereferencing freed pointer "element_type".
1047                 if (element_type->eTypeClass == typelib_TypeClass_STRUCT ||
1048                     element_type->eTypeClass == typelib_TypeClass_EXCEPTION ||
1049                     element_type->eTypeClass == typelib_TypeClass_INTERFACE)
1050                 {
1051                     element_info =
1052                         getJniInfo()->get_type_info( jni, element_td.get() );

** CID 1462312:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context 
&, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, 
bool, bool, bool) const()


________________________________________________________________________________________________________
*** CID 1462312:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 2388 in jni_uno::Bridge::map_to_java(const jni_uno::JNI_context 
&, jvalue *, const void *, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, 
bool, bool, bool) const()
2382                     }
2383                 }
2384                 break;
2385             }
2386             default:
2387             {
     CID 1462312:  Memory - illegal accesses  (USE_AFTER_FREE)
     Dereferencing freed pointer "type".
2388                 throw BridgeRuntimeError(
2389                     "[map_to_java():" + OUString::unacquired( &type->pTypeName )
2390                     + "] unsupported element type: "
2391                     + OUString::unacquired( &element_type->pTypeName )
2392                     + jni.get_stack_trace() );
2393             }

** CID 1462311:  Memory - illegal accesses  (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()


________________________________________________________________________________________________________
*** CID 1462311:  Memory - illegal accesses  (USE_AFTER_FREE)
/cppu/source/uno/sequence.cxx: 805 in uno_type_sequence_reference2One()
799                     &pNew, pSequence->elements,
800                     reinterpret_cast<typelib_IndirectTypeDescription *>(pTypeDescr)->pType,
801                     pSequence->nElements, acquire,
802                     pSequence->nElements ); // alloc nElements
803                 if (ret)
804                 {
     CID 1462311:  Memory - illegal accesses  (USE_AFTER_FREE)
     Passing freed pointer "pType" as an argument to "idestructSequence".
805                     idestructSequence( *ppSequence, pType, pTypeDescr, release );
806                     *ppSequence = pNew;
807                 }
808
809                 TYPELIB_DANGER_RELEASE( pTypeDescr );
810             }

** CID 1462310:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context 
&, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, 
bool) const()


________________________________________________________________________________________________________
*** CID 1462310:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_data.cxx: 1094 in jni_uno::Bridge::map_to_uno(const jni_uno::JNI_context 
&, void *, jvalue, _typelib_TypeDescriptionReference *, const jni_uno::JNI_type_info *, bool, bool, 
bool) const()
1088                     }
1089                 }
1090                 break;
1091             }
1092             default:
1093             {
     CID 1462310:  Memory - illegal accesses  (USE_AFTER_FREE)
     Dereferencing freed pointer "type".
1094                 throw BridgeRuntimeError(
1095                     "[map_to_uno():" + OUString::unacquired( &type->pTypeName )
1096                     + "] unsupported sequence element type: "
1097                     + OUString::unacquired( &element_type->pTypeName )
1098                     + jni.get_stack_trace() );
1099             }

** CID 1462309:  Memory - illegal accesses  (USE_AFTER_FREE)


________________________________________________________________________________________________________
*** CID 1462309:  Memory - illegal accesses  (USE_AFTER_FREE)
/cppu/source/uno/destr.hxx: 139 in cppu::_destructAny(_uno_Any *, void (*)(void *))()
133             break;
134         }
135     #if OSL_DEBUG_LEVEL > 0
136         pAny->pData = reinterpret_cast<void *>(uintptr_t(0xdeadbeef));
137     #endif
138
     CID 1462309:  Memory - illegal accesses  (USE_AFTER_FREE)
     Calling "typelib_typedescriptionreference_release" dereferences freed pointer "pType".
139         ::typelib_typedescriptionreference_release( pType );
140     }
141
142     inline sal_Int32 idestructElements(
143         void * pElements, typelib_TypeDescriptionReference * pElementType,
144         sal_Int32 nStartIndex, sal_Int32 nStopIndex,

** CID 1462308:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context 
&, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const 
_typelib_MethodParameter *, _jobjectArray *) const()


________________________________________________________________________________________________________
*** CID 1462308:  Memory - illegal accesses  (USE_AFTER_FREE)
/bridges/source/jni_uno/jni_java2uno.cxx: 286 in jni_uno::Bridge::call_uno(const jni_uno::JNI_context 
&, _uno_Interface *, _typelib_TypeDescription *, _typelib_TypeDescriptionReference *, int, const 
_typelib_MethodParameter *, _jobjectArray *) const()
280                     type->eTypeClass != typelib_TypeClass_ENUM) // opt
281                 {
282                     uno_type_destructData( uno_args[ nPos ], type, nullptr );
283                 }
284             }
285
     CID 1462308:  Memory - illegal accesses  (USE_AFTER_FREE)
     Dereferencing freed pointer "return_type".
286             if (return_type->eTypeClass != typelib_TypeClass_VOID)
287             {
288                 // convert uno return value
289                 jvalue java_ret;
290                 try
291                 {

The above CIDs 1462308--1462314, 1462316, and 1462318 all appear to stem from the same false assumption: that TYPELIB_DANGER_GET (include/typelib/typedescription.h) could destroy its *ppMacroTypeDescr argument. In reality it only drops an excess reference count via typelib_typedescription_release, so the type description the caller still holds is not freed and the subsequent dereferences are valid.

The question is whether there is a good way to teach Coverity Scan centrally that this assumption is false, rather than marking each of these reports as a false positive individually.



