CodeSonar : irssi-0.8.14 : Null Pointer Dereference

irssi-0.8.14 : irssi-0.8.14 analysis 2 : Null Pointer Dereference at themes.c:411

Categories:	LANG.MEM.NPD CWE:476
Warning ID:	7328.28421
Procedure:	theme_format_expand_abstract
Trace:	view
Modified:	Thu Nov 26 11:09:39 2009 show details hide details

Priority:	None
State:	None
Finding:	None
Owner:	None
	edit properties

Legend	[ X ]
Warning Location Contributes Parse Error Other Warning Two or More Loop Iterations On Execution Path Comment Macro Preprocessor Include Keyword Preprocessed Away

Legend
Warning Location	Contributes	Parse Error
Other Warning	Two or More Loop Iterations	On Execution Path
Comment	Macro	Preprocessor
Include	Keyword	Preprocessed Away

Source | Language: C

Hide Legend

Problem	Line	Source

			/kat0/fletcher/SATE/2010/irssi-0.8.14/src/fe-common/core/themes.c

			Enter theme_format_expand_abstract

344

static char *theme_format_expand_abstract(THEME_REC *theme,

345

const char **formatp,

346

char default_fg, char default_bg,

int flags)

{

GString *str;

const char *p, *format;

351

char *abstract, *data, *ret;

int len;

format = *formatp;

/* get abstract name first */

357

p = format;

358

while (*p != '\0' && *p != ' ' &&

359

*p != '{' && *p != '}') p++;

360

if (*p == '\0' || p == format)

361

return NULL; /* error */

362

363

len = (int) (p-format);

364

abstract = g_strndup(format, len);

365

366

/* skip the following space, if there's any more spaces they're

367

treated as arguments */

368

if (*p == ' ') {

369

len++;

370

if ((flags & EXPAND_FLAG_IGNORE_EMPTY) && data_is_empty(&p )) {

*formatp = p;

g_free(abstract);

return NULL;

}

}

*formatp = format+len;

377

378

/* get the abstract data */

379

data = g_hash_table_lookup(theme->abstracts, abstract); /* Null Pointer Dereference (ID: 22022.28489) */

380

g_free(abstract);

381

if (data == NULL) {

382

/* unknown abstract, just display the data */

383

data = "$0-";

384

}

385

abstract = g_strdup(data);

386

387

/* we'll need to get the data part. it may contain

388

more abstracts, they are _NOT_ expanded. */

389

data = theme_format_expand_get(theme, formatp );

390

len = strlen(data);

391

392

if (len > 1 && i_isdigit(data[len-1]) && data[len-2] == '$') {

393

/* ends with $<digit> .. this breaks things if next

394

character is digit or '-' */

char digit, *tmp;

tmp = data;

digit = tmp[len-1];

tmp[len-1] = '\0';

data = g_strdup_printf("%s{%c}", tmp, digit);

g_free(tmp);

}

ret = parse_special_string(abstract, NULL, NULL, data, NULL,

true

406

PARSE_FLAG_ONLY_ARGS );

407

g_free(abstract);

408

g_free(data);

409

str = g_string_new(NULL);

p = ret;

while (*p != '\0') { /* Null Pointer Dereference */

Preconditions

&$unknown_560767 >= *formatp
&$unknown_560770 != 0
&$unknown_560774 >= 2
&$unknown_560775 != 0
**formatp != 0
**formatp != 123
**formatp != 125
**formatp != 32
strlen(*formatp) != 0
$unknown_560767 != 0
$unknown_560767 != 123
$unknown_560767 != 125
$unknown_560767 != 32
strlen(&$unknown_560767) != 0
strlen(&$unknown_560767) != 1
((char*)&$unknown_560767)[1] = 32
strlen(&$unknown_560773) != &$unknown_560774 - 2
strlen(&$unknown_560773) = &$unknown_560774
strlen(&$unknown_560773) >= 2

Postconditions

abstract' = 0
strlen(&$unknown_560773)' = &$unknown_560774 - 1
data' = &$unknown_560777
digit' = &$unknown_560776
format' = *formatp
len' = &$unknown_560774
p' = 0
ret' = 0
tmp' = &$unknown_560773

Change Warning 7328.28421 : Null Pointer Dereference

Priority:
State:
Finding:
Owner:
Note: