Bugs item #2655286, was opened at 2009-03-02 20:37
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2655286&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: wrong content
>Status: Closed
>Resolution: Out of Date
Priority: 5
Private: Yes
Submitted By: Ling Meng (lingmeng)
Assigned to: Daniel Stenberg (bagder)
Summary: Coverity Prevent Defect: FORWARD_NULL

Initial Comment:
Our team at IGT uses libcurl version 7.18.1 and we use Coverity Prevent to report potential problems in our codes. Coverify Prevent reports a FORWARD_NULL defect: where a pointer is checked against NULL and then later dereferenced. Dereferencing a NULL pointer will cause a program to crash
on line 695:
Event var_compare_op — A variable is compared to NULL preceding a NULL pointer dereference,
and line 739:
Event var_deref_model — A potentially NULL pointer was passed to a function that dereferences it.
in formdata.c

Please see if they are real bugs and fix accordingly.

Thank you so much.

692 for(form = first_form;
693 form != NULL;
694 form = form->more) {
Event var_compare_op: Added "form->value" due to comparison "form->value != NULL"
At conditional (1): "!(form->value != NULL)" taking true path
At conditional (2): "!(post != NULL)" taking false path
At conditional (3): "form->contentslength != 0U" taking true path
At conditional (4): "(form->flags & 1L) != 0L" taking false path
At conditional (5): "(form->flags & 1L) != 0L" taking false path
At conditional (6): "!(form->buffer != NULL)" taking true path
At conditional (7): "(form->flags & 16L) != 0L" taking false path
At conditional (8): "(form->flags & 2L) != 0L" taking false path
695 if( ((!form->name || !form->value) && !post) ||
696 ( (form->contentslength) &&
697 (form->flags & HTTPPOST_FILENAME) ) ||
698 ( (form->flags & HTTPPOST_FILENAME) &&
699 (form->flags & HTTPPOST_PTRCONTENTS) ) ||
700
701 ( (!form->buffer) &&
702 (form->flags & HTTPPOST_BUFFER) &&
703 (form->flags & HTTPPOST_PTRBUFFER) ) ||
704
705 ( (form->flags & HTTPPOST_READFILE) &&
706 (form->flags & HTTPPOST_PTRCONTENTS) )
707 ) {
708 return_value = CURL_FORMADD_INCOMPLETE;
709 break;
710 }
711 else {
At conditional (9): "(form->flags & 1L) != 0L" taking false path
At conditional (10): "(form->flags & 16L) != 0L" taking false path
712 if( ((form->flags & HTTPPOST_FILENAME) ||
713 (form->flags & HTTPPOST_BUFFER)) &&
714 !form->contenttype ) {
715 /* our contenttype is missing */
716 form->contenttype
717 = strdup(ContentTypeForFilename(form->value, prevtype));
718 if(!form->contenttype) {
719 return_value = CURL_FORMADD_MEMORY;
720 break;
721 }
722 form->contenttype_alloc = TRUE;
723 }
At conditional (11): "!((form->flags & 4L) != 0L)" taking true path
At conditional (12): "form == first_form" taking true path
724 if( !(form->flags & HTTPPOST_PTRNAME) &&
725 (form == first_form) ) {
726 /* copy name (without strdup; possibly contains null characters) */
727 form->name = memdup(form->name, form->namelength);
At conditional (13): "!(form->name != NULL)" taking false path
728 if(!form->name) {
729 return_value = CURL_FORMADD_MEMORY;
730 break;
731 }
732 form->name_alloc = TRUE;
733 }
At conditional (14): "!((form->flags & 1L) != 0L)" taking true path
At conditional (15): "!((form->flags & 2L) != 0L)" taking true path
At conditional (16): "!((form->flags & 8L) != 0L)" taking true path
At conditional (17): "!((form->flags & 32L) != 0L)" taking true path
734 if( !(form->flags & HTTPPOST_FILENAME) &&
735 !(form->flags & HTTPPOST_READFILE) &&
736 !(form->flags & HTTPPOST_PTRCONTENTS) &&
737 !(form->flags & HTTPPOST_PTRBUFFER) ) {
738 /* copy value (without strdup; possibly contains null characters) */
Event var_deref_model: Variable "form->value" tracked as NULL was passed to function "memdup" that dereferences it. [details]
739 form->value = memdup(form->value, form->contentslength);

----------------------------------------------------------------------

>Comment By: Daniel Stenberg (bagder)
Date: 2009-03-02 21:36

Message:
First, 7.18.1 is already old by our standards so I'd ask you to repeat the
bug with the most recent version.

This particular flaw is already fixed.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2655286&group_id=976
Received on 2009-03-02