Suspicious code in kdelibs-3.5.2
Chris Humphries
chris at unixfu.net
Wed Apr 5 16:03:20 BST 2006
Whatever tool this is, it is awesome.
+------------------------------------------------------------------------------
| On Wednesday, Apr 05, 2006 at 04:26:00PM +0200, Christoph Bartoschek wrote:
|
| To: kde-core-devel at kde.org
| From: Christoph Bartoschek <bartoschek at gmx.de>
| Date: Wed, 5 Apr 2006 16:26:00 +0200
| Subject: Suspicious code in kdelibs-3.5.2
|
| Hi,
|
| here is a list of suspicious lines of code in kdelibs-3.5.2 without khtml. I've
| checked khtml separately.
|
| ------------------------------------------------------------------
| Misc problems:
| ------------------------------------------------------------------
| - libkscreensaver/kscreensaver.cpp:224
|
| block is allocated with operator new[] and not deleted with "delete [] block"
|
| - kdeui/kcolordialog.cpp:429
| - kdeui/kcolordialog.cpp:533
|
| The expression LeftButton is always true. I guess the correct line is:
| if( !(e->state() & LeftButton)) return;
|
| - kdecore/kwinmodule.cpp:227
|
| Here I guess some braces are missing, maybe you meant:
| !(possibleStrutWindows.findIndex( ev->xany.window ) != -1)
| The current code cannot be false, because "!possibleStrutWindows.findIndex(
| ev->xany.window )" is either true(1) or false(0) and cannot be -1.
|
| - kimgio/tga.cpp:196
|
| When the file is broken and size becomes 0 here, you get a lot of problems in
| the following lines.
|
| - kspell2/plugins/ispell/lookup.cpp:310
|
| 1 != 1 is always false
|
| - kdeui/knuminput.cpp:653
| kdeui/knuminput.cpp:821 (similar)
|
| Line 652 returns when referencePoint != 0. In line 653 there is a
| division by 0.
|
| - kdeui/kdockwidget.cpp:3111
|
| The loop does not iterate. Breaks for the first obj.
|
| - kdeui/kdialogbase.cpp:671
|
| If style == ActionStyleMax, then you get accesses beyond array bounds in
| lines 687, 700, 714. Change the second comparison to:
| style >= ActionStyleMAX
|
| - kdeui/kcolordialog.cpp:294
| - kdeui/kcolordialog.cpp:234 (similar with xSize)
|
| If xSize becomes 1 or ySize becomes 1 here you have a division by 0 in
| lines 308 and 320
|
| - kdefx/kpixmap.cpp:62
|
| i+n easily reaches the array bound 16. For example if n == 15 and i ==
| 14, then bm[29][0] is accessed. This is way behind the array bound.
|
| - kdecore/svgicons/ksvgiconpainter.cpp:272
| - kdecore/svgicons/ksvgiconpainter.cpp:928
|
| The type of ArtVpath::code is ArtPathcode. This enum does not have the value
| ART_END2. As far as I know the standard does not guarantee that ART_END2 can
| be assigned to this variable.
|
| - kdecore/kiconloader.cpp:1276
|
| The condition is always true because QIconSet::Mode has only 3 values.
|
| - kmdi/kmdichildarea.cpp:520
|
| Maybe it should be asserted that maxWnds > 0. Otherwise numVisible could be 1
| and this has the effect that numToHandle becomes <= 0 and that numToHandle-1
| lies outside of the colstable bounds.
|
| - kate/part/katedocument.cpp:4655
| - kate/part/katedocument.cpp:4657 (similar)
|
| The variable n is not initialized here. It is allocated in line 4595. Then in
| line 4606 a long if else if chain begins, that can reach line 4655 without
| changing n before.
|
| - kate/part/katefont.cpp:63
|
| A memory leak. wa is allocated in function createRow and not deleted here.
|
| - kabc/vcard/Enum.cpp:229
|
| If e >= EntityUnknown, then you access behind the array bounds. The bounds are
| from [0..30]. EntityUnknown has value 32.
|
| - kio/kio/kservicetypefactory.cpp:283
|
| I guess this error is fatal. Otherwise line 286 crashes.
|
|
|
|
| ------------------------------------
| Problems involving the NULL pointer:
| ------------------------------------
|
| - dcop/dcopserver.cpp:1481
|
| If conn is NULL as indicated by line 1430, line 1481 crashes after the if
| condition.
|
|
| - kio/misc/kwalletd/kwalletd.cpp:430
|
| Line 414 indicates that kpd can be NULL. When the while loop at line 420 is
| entered line 424 crashes.
|
| - kjs/regexp_object.cpp:244
|
| If lastOvector is NULL as indicated by line 237, line 244 crashes.
| - kmdi/kmditoolviewaccessor.cpp:235
|
| If pTargetDock is NULL in line 231, then the if condition is true. When
| additionally the condition in line 233 is true you have a crash in line 235.
|
| - kdeui/kcmodule.cpp:82
|
| If instance is NULL as indicated by line 78, then line 82 crashes.
|
| - kdeui/kiconview.cpp:199
|
| If previousItem is NULL as indicated by line 193, then line 199 crashes.
|
| - kdeui/klistview.cpp:295
|
| Line 279 indicates that pitem could be NULL. If this is true, then pi
| becomes NULL in line 282 and line 295 crashes.
|
| - kdeui/kurllabel.cpp:365
|
| Line 354 indicates that e could be NULL. The dereference in line 365 and
| the following lines lead to a crash.
|
| - kstyles/keramik/keramik.cpp:488
|
| Line 481 indicates that parent could be NULL. Line 488 crashes then.
|
| - kstyles/plastik/plastik.cpp:3096
|
| If the dynamic_cast in line 2991 fails, sw is NULL as indicated by line
| 2996. If control flow reaches line 3096, then it crashes.
|
| - kstyles/highcolor/highcolor.cpp:428
|
| The if condition at line 417 indicates that p could be NULL. Line 428
| crashes in this case.
|
| - kstyles/light/lightstyle-v3.cpp:453
|
| Line 427 indicates that p could be NULL. If control reaches line 453 or
| 468 the program crashes.
|
| - kstyles/light/lightstyle-v2.cpp:320
|
| Line 295 indicates that p could be NULL. If control reaches line 320 or
| 338 the program crashes.
|
| - kioslave/http/kcookiejar/kcookiejar.cpp:718
|
| If this condition is true, then lastCookie stays 0. When additionally
| the while loop at line 773 is entered there are a lot of NULL pointer
| dereferences in the following code. For example lines 793,799,801, ...
|
| - kio/kio/kdirwatch.cpp:1049
| - kio/kio/kdirwatch.cpp:1020 (similar)
|
| If instance == 0 and newWatching > 0, line 1046 does not exit. Line 1049
| crashes then.
|
| - kio/kio/kdirwatch.cpp:1593
|
| Line 1592 indicates that d can be NULL. Line 1593 crashes then.
|
| - kresources/configpage.cpp:265
|
| If the condition at line 260 becomes true, then line 265 crashes.
|
| - kparts/plugin.cpp:97
|
| The error handling in line 92 should prohibit the crash in line 97.
|
| - kimgio/xcf.cpp:1562
| - kimgio/xcf.cpp:1299 (similar)
|
| If the switch statement in line 1507 chooses the default type (is the xcf data
| format fixed forever?) merge is a NULL function pointer.
|
| - kdeprint/management/kxmlcommanddlg.cpp:620
|
| If opt becomes NULL in line 573 and the switch in line 585 selects the default
| case, then line 620 crashes.
|
| - kjs/nodes.cpp:2878
|
| If _catchs is NULL and _final == 0 line 2878 crashes.
|
| - kjs/date_object.cpp:914
|
| Line 909 indicates that dateString can be NULL here. Then line 914 crashes.
|
| - kjs/internal.cpp:424
|
| If func is NULL as indicated by line 386 and the type is FunctionCode, line
| 424 crashes. Maybe an assertion should be here.
|
|
|
|
| -----------------------------------------------------------------
| Lines where the operator preference between & and == leads to an error.
| There are some lines of code that look like this:
| if (variable & 0xF != 0) ...
| The compiler reads:
| if (variable & (0xF != 0)) ...
| and not
| if ((variable & 0xF) != 0) ...
| The result is that the compiler optimizes such code to:
| if (variable & 1) ...
| because (0xF != 0) is true and this is equivalent to 1
| -----------------------------------------------------------------
|
| - kdecore/kglobalaccel_x11.cpp:215
| - kdecore/kextsock.cpp:1250 (The condition is always true)
|
|
|
|
| -----------------------------------------------------------------
| Cases from switch statements that fall through in some cases but
| do not have a fall through comment as in most such cases.
| ------------------------------------------------------------------
|
| - kabc/vcard/Enum.cpp:346
| - kmdi/kmdidockcontainer.cpp:299
| - kstyles/kthemestyle/kthemestyle.cpp:845
| - kstyles/plastik/plastik.cpp:1517
| - kdeprint/management/kmwname.cpp:66
| - kdeprint/kprintprocess.cpp:78
| - kstyles/keramik/keramik.cpp:2312
| - kstyles/keramik/keramik.cpp:2875
| - kdeui/kstdaction.cpp:63
| - kdeui/kseparator.cpp:60
| - kdeui/kcompletionbox.cpp:173
| - kdecore/klocale.cpp:1899
| - kdecore/kglobalaccel_x11.cpp:246
| - kabc/vcard/Enum.cpp:441
| - kabc/addresslineedit.cpp:337
| - kjs/dtoa.cpp:1655
|
| -----------------------------------------------------------------
| Lines where boolean expressions are used in non-boolean contexts:
| -----------------------------------------------------------------
|
| - kate/part/katebuffer.cpp:1213
| - kate/part/katebuffer.cpp:1220
| - kdecore/kxerrorhandler.cpp:108
| - kdecore/kxerrorhandler.cpp:110
| - dnssd/servicebrowser.cpp:208
| - kio/kio/authinfo.cpp:142
| - kio/kio/kdirlister.cpp:947
| - kio/kio/kdirlister.cpp:1524
| - kstyles/light/lightstyle-v3.cpp:955
| - kstyles/light/lightstyle-v2.cpp:832
| - kdeui/kconfigdialog.cpp:197
| - kdeui/kconfigdialog.cpp:187
| - kdeui/kconfigdialog.cpp:238
| - kdeui/kconfigdialog.cpp:228
| - kdeui/kkeydialog.cpp:905
| - kdeui/kkeydialog.cpp:884
| - kdeui/kkeydialog.cpp:768
| - kdeui/kkeydialog.cpp:767
| - kdeui/kwordwrap.cpp:66
| - kdecore/kconfigdialogmanager.cpp:253
| - kdecore/kconfigbackend.cpp:565
| - kdecore/kconfig.cpp:225
| - kdecore/kconfig.cpp:226
| - kjs/dtoa.cpp:732
| - kjs/grammar.cpp:2888
| - kjs/grammar.cpp:2880
| - kio/kfile/kpropertiesdialog.cpp:1564
| - kio/kfile/kpropertiesdialog.cpp:1572
| - kio/misc/kssld/kssld.cpp:740
| - kio/misc/kssld/kssld.cpp:759
| - kio/kio/slaveinterface.cpp:411
| - kio/misc/kfile/fileprops.cpp:140
| - kio/kio/kurifilter.cpp:259
--
Chris Humphries
a programmer with free time, sometimes.
AIM: unixfudotnet, Blogs: http://blogs.unixfu.net/
Email: chris at unixfu.net, IRC: chumphries (freenode)
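The two constant-condition patterns Christoph describes above (the `&` vs `!=` precedence trap, and the negated findIndex test from kwinmodule.cpp), shown side by side with their corrected forms. This is an added illustration, not kdelibs code; the function names and the vector-based findIndex stand-in are hypothetical.

```cpp
#include <vector>
#include <algorithm>

// Added illustration, not kdelibs code. Hypothetical helpers that mirror the
// two constant-condition bugs described in the report.

// Pattern 1: "value & 0xF != 0". Because != binds tighter than &, this is
// parsed as value & (0xF != 0), i.e. value & 1: only bit 0 is tested, not
// the whole low nibble.
bool lowNibbleSetBuggy(unsigned value)
{
    return value & 0xF != 0;   // actually tests bit 0 only
}

// Corrected form: parenthesize the mask before comparing.
bool lowNibbleSetFixed(unsigned value)
{
    return (value & 0xF) != 0;
}

// Stand-in for QValueList::findIndex(): index of x, or -1 when absent.
int findIndex(const std::vector<unsigned long>& list, unsigned long x)
{
    std::vector<unsigned long>::const_iterator it =
        std::find(list.begin(), list.end(), x);
    return it == list.end() ? -1 : static_cast<int>(it - list.begin());
}

// Pattern 2: "!list.findIndex(w) != -1". The ! applies to the int first,
// yielding 0 or 1, which is never -1, so the condition is always true and
// membership is never really checked.
bool notInListBuggy(const std::vector<unsigned long>& list, unsigned long w)
{
    return !findIndex(list, w) != -1;   // always true
}

// Corrected form: negate the whole comparison.
bool notInListFixed(const std::vector<unsigned long>& list, unsigned long w)
{
    return !(findIndex(list, w) != -1);
}
```

Compilers usually flag both patterns with -Wparentheses / -Wlogical-not-parentheses style warnings, which is a cheap way to catch them before a static analyzer does.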