Примеры ошибок, обнаруженных с помощью диагностики V774
V774. Pointer was used after the memory was released.
Augeas
V774 The 'child' pointer was used after the memory was reallocated. augtool.c 151
// Excerpt (elided with "....") flagged by V774: `child` is still read after a
// successful realloc() of the same block.
static char *readline_path_generator(const char *text, int state)
{
....
if (ctx != NULL) {
// The block is shrunk *before* its tail is copied. After a successful
// realloc() the old block may have been freed and moved, so only `c` is
// valid and `child` must no longer be dereferenced. Even if the block stays
// in place, only the first strlen(child)-strlen(ctx)+1 bytes are preserved,
// while the bytes wanted below start at offset ctxidx.
// NOTE(review): the size expression assumes strlen(ctx) <= strlen(child);
// otherwise the unsigned subtraction wraps -- confirm against the elided code.
// NOTE(review): on failure realloc() leaves the original `child` block
// allocated; this excerpt does not show who releases it after `return NULL`.
char *c = realloc(child, strlen(child)-strlen(ctx)+1); // <=
if (c == NULL)
return NULL;
int ctxidx = strlen(ctx);
// Use after realloc: reads through the stale `child` pointer.
if (child[ctxidx] == SEP) // <=
ctxidx++;
// Use after realloc: the copy source is the stale block.
// Safer order: memmove() the tail to the front of `child` first, then
// realloc() to shrink and assign the result back to `child`.
strcpy(c, &child[ctxidx]); // <=
child = c;
}
....
}
Similar errors can be found in some other places:
- V774 The 'child' pointer was used after the memory was reallocated. augtool.c 153
Bind
V774 The 'res' pointer was used after the memory was released. sample-request.c 225
// Excerpt (elided with "....") flagged by V774: a field of the getaddrinfo()
// result list is read after the list has been released.
int
main(int argc, char *argv[]) {
....
struct addrinfo hints, *res;
....
gaierror = getaddrinfo(argv[0], "53", &hints, &res);
....
// NOTE(review): no check of res->ai_addrlen against the size of the
// destination is visible in this excerpt -- confirm one exists in the
// elided code.
memmove(&sa.type, res->ai_addr, res->ai_addrlen);
// freeaddrinfo() releases the list that `res` points to; `res` is dangling
// from here on.
freeaddrinfo(res); // <=
// Use after free: res->ai_addrlen is read from released memory.
// Fix: assign sa.length before calling freeaddrinfo(), or move the
// freeaddrinfo() call below this line.
sa.length = (unsigned int)res->ai_addrlen; // <=
....
}
Similar errors can be found in some other places:
- V774 The 'res' pointer was used after the memory was released. sample-update.c 193
- V774 The 'res' pointer was used after the memory was released. sample-update.c 217
ICU
V774 CWE-416 The 'mzMappings' pointer was used after the memory was released. zonemeta.cpp 713
// Excerpt (elided with "....") flagged by V774 / CWE-416: the returned
// pointer may refer to a UVector that was deleted on the error path.
UVector*
ZoneMeta::createMetazoneMappings(const UnicodeString &tzid) {
UVector *mzMappings = NULL;
....
if (U_SUCCESS(status)) {
....
if (U_SUCCESS(status)) {
....
while (ures_hasNext(rb)) {
....
if (mzMappings == NULL) {
mzMappings = new UVector(
deleteOlsonToMetaMappingEntry, NULL, status);
if (U_FAILURE(status)) {
// The vector is destroyed here but mzMappings keeps its old value.
// After the break, nothing visible in this excerpt resets it, so the
// return statement at the end of the function can hand the caller a
// dangling pointer.
// Fix: set mzMappings = NULL immediately after the delete.
// NOTE(review): elided code may reassign mzMappings -- confirm.
delete mzMappings;
uprv_free(entry);
break;
}
}
....
}
....
}
}
ures_close(rb);
// Returns whatever mzMappings holds, including a deleted object's address
// if the error path above was taken and the pointer was not cleared.
return mzMappings;
}
The code is complicated, and it is difficult to say for certain whether there is a bug. However, it appears possible for this function to return a pointer to a memory block that has already been freed.
Qalculate!
V774 The 'cu' pointer was used after the memory was released. Calculator.cc 3595
// Excerpt (elided with "....") flagged by V774: a member function is called
// on `cu` after it has been deleted.
MathStructure Calculator::convertToBestUnit(....)
{
....
CompositeUnit *cu = new CompositeUnit("", "....");
cu->add(....);
Unit *u = getBestUnit(cu, false, eo.local_currency_conversion);
// When the best unit is `cu` itself, it is deleted and the function returns;
// `u` aliases the same object and is not used afterwards on this path.
if(u == cu) {
delete cu; // <=
return mstruct_new;
}
// `cu` is destroyed here on the remaining path ...
delete cu; // <=
// ... and then dereferenced in the condition below whenever
// eo.approximation == APPROXIMATION_EXACT (use after free).
// Fix: evaluate cu->hasApproximateRelationTo(u, true) into a local before
// the delete, or move the delete after this check.
if(eo.approximation == APPROXIMATION_EXACT &&
cu->hasApproximateRelationTo(u, true)) { // <=
if(!u->isRegistered()) delete u;
return mstruct_new;
}
....
}
Haiku Operating System
V774 The 'device' pointer was used after the memory was released. xhci.cpp 1572
// Flagged by V774: device->HubPort() is called after `device` has been
// deleted. Deletes the device, then disables its slot and clears the
// per-slot bookkeeping in fDcba, fPortSlots and fDevices.
void
XHCI::FreeDevice(Device *device)
{
// The slot index is read from the device before it is destroyed, so `slot`
// stays usable after the delete. The hub port is not cached the same way.
uint8 slot = fPortSlots[device->HubPort()];
TRACE("FreeDevice() port %d slot %d\n", device->HubPort(), slot);
// Delete the device first, so it cleans up its pipes and tells us
// what we need to destroy before we tear down our internal state.
delete device;
DisableSlot(slot);
fDcba->baseAddress[slot] = 0;
// Use after free: `device` was deleted above, so HubPort() runs on a
// destroyed object and its result is used as an array index for a write.
// Fix: store device->HubPort() in a local before the delete and index
// fPortSlots with that local here.
fPortSlots[device->HubPort()] = 0;
delete_area(fDevices[slot].trb_area);
delete_area(fDevices[slot].input_ctx_area);
delete_area(fDevices[slot].device_ctx_area);
memset(&fDevices[slot], 0, sizeof(xhci_device));
fDevices[slot].state = XHCI_STATE_DISABLED;
}
Similar errors can be found in some other places:
- V774 The 'self' pointer was used after the memory was released. TranslatorRoster.cpp 884
- V774 The 'string' pointer was used after the memory was released. RemoteView.cpp 1269
- V774 The 'bs' pointer was used after the memory was released. mkntfs.c 4291
- And 2 additional diagnostic messages.
MuseScore
V774 The 'slur' pointer was used after the memory was released. importgtp-gp6.cpp 2592
// Excerpt (elided with "....") flagged by V774: in the else branch `slur` is
// dereferenced after it has been deleted.
void GuitarPro6::readGpif(QByteArray* data)
{
....
if (c) {
// The slur is handed to the score via addElement(); reading slur->track()
// afterwards happens on a live object in this branch.
slur->setTick2(c->tick());
score->addElement(slur);
legatos[slur->track()] = 0;
} else {
// Use after free: slur->track() is evaluated after the delete, and its
// result is used as the index for a write into legatos.
// Fix: swap the two statements, or read slur->track() into a local first.
delete slur;
legatos[slur->track()] = 0;
}
....
}