Suspicious code in kdebase 3.5.2
Christoph Bartoschek
bartoschek at gmx.de
Sat Apr 8 09:21:16 BST 2006
------------------------------------------------------------------
Misc problems:
------------------------------------------------------------------
- kwin/kcmkwin/kwinrules/main.cpp:123
The loop is never entered because bit < 1 << 31 is always false before the
first iteration is entered. bit starts at 1 and the first check is then
1 < (1 << 31) <==> 1 < (-2147483648) <==> false
Never do bitshifting on signed types :)
- kwin/utils.cpp:313
!(*dot = 0) is always true and therefore unneccessary. Or do you mean
!(*dot ==0)?
- kdialog/kdialog.cpp:135
If this is deleted at line 133 you use a freed this pointer here. Can one be
sure that no virtual table is checked here?
- kdesu/kdesud/lexer.cpp:46
This while(1) loop can be executed at most once.
- konsole/konsole/BlockArray.cpp:214
The buffer allocated at line 209 is leaked. Why do not use std::array<char>
here?
- kioslave/sftp/ksshprocess.cpp:710
Enum SshVersion cannot become -1, or not?
- kcontrol/fonts/kxftconfig.cpp:1137
Dirs is always true and therefore && Dirs is not neccessary. Maybe &
Dirs is meant?
- nsplugins/nspluginloader.cpp:333
A pointer to freed memory is exposed to the ouside world.
- kcontrol/input/logitechmouse.cpp:56
m_usbDeviceHandle is a pointer and therefore 0 cannot be bigger than
m_usbDeviceHandle
- kcontrol/crypto/crypto.cpp:1980
cr is allocated with operator new[] use delete []
- kcontrol/kicker/hidingtab_impl.cpp:243
If (Left == 7) is always true. Why not "if (trigger == Left)".
- kcontrol/kicker/hidingtab_impl.cpp:265
if (Left == Left) ? Why not "if (trigger == Left)"
- kcontrol/kcontrol/modules.cpp:212
The pointer _embedFrame is exposed to the outside world. Maybe someone
will use it?
- khelpcenter/searchengine.cpp:373
The freed pointer mProc is exposed to the outside world.
- kfind/kquery.cpp:138
- kfind/kquery.cpp:160
The freed pointer metaKeyRx is exposed to the outside world.
- kcontrol/icons/icons.cpp:446
If state is not 0, 1 or 2 the access to array mDefaultEffect is outside
of the bounds. Maybe an assertion in a default case of the switch at
line 439 could be useful.
- kcontrol/kfontinst/kio/KioFonts.cpp:2009
- kcontrol/kfontinst/kio/KioFonts.cpp:1961
- kioslave/sftp/process.cpp:216 (similar)
The usage of abs looses precision because the int version is used. To get the
overloaded functions from C++ insert #include <cmath>: The usage of #include
<stdlib.h> in line 38 might also lead to this error. BTW, the whole
project should use the C++ standard header for C++ files and not
<stdlib.h>, <stdio.h> or <math.h>.
- kdmlib/dmctl.cpp:130
This is undefined behaviour because tl is read and written in the same
expression. The standard does not guarantee that t1 = strlen(cmd) is
executed before the second operand of != is evaluated.
- ksysguard/gui/SensorDisplayLib/DancingBars.cc:248
Line 246 indicates that id can have a value up to 99. on 32bit platforms
values higher than 31 do not work in line 248.
- libkonq/konq_operations.cc:652, 655
Does this really call the KonqOperations::slotResult( KIO::Job * job )
in line 704 which deletes this at the end? How can the connect() calls
(651, 661, 663) andthe parent() call in line 658 be safe?
- kdesktop/lock/lockprocess.cc:199
I guess the written value does not matter here, but I would still
initialize tmp.
- libkonq/konq_iconviewwidget.cc:1552
Maybe one should assert that for example nx != 0. This could lead to
an error in line 1589.
- ksysguard/gui/SensorDisplayLib/SensorLogger.cc:128
A pointer to deleted memory is exposed to the outer world. I guess
logfile is not used outside of this function. But why not using a local
variable for it?
- ksysguard/gui/SensorDisplayLib/ProcessList.cc:904
Similar to the above item but now its processPM.
- kwin/clients/redmond/redmond.cpp:164
Useless use of "&& false"
- kwin/sm.cpp:243
Maybe the comment says everything, but is windowType of -2 ever possible?
------------------------------------
Problems involving the NULL pointer:
------------------------------------
- kate/app/katefilelist.cpp:268
If item is NULL as indicated by line 260, then line 268 crashes.
- khelpcenter/kcmhelpcenter.cpp:550
If mProgressDialog is NULL as indicated by line 542, then line 550 will
crash.
- konqueror/keditbookmarks/listview.cpp:586
Line 593 indicates that s_myrenameitem becomes NULL. Then the while loop
in line 577 starts again. Now could it be possible that the else part in
line 583 is called where line 585 crashes?
- kicker/proxy/appletproxy.cpp:310
If _applet is NULL as indicated by line 277, then line 310 could crash.
- kicker/proxy/extensionproxy.cpp:244
If _extension is NULL as indicated by line 217, then line 244 could
crash.
- drkonqi/crashtest.cpp:20
The do_crash() function is reported :)
-----------------------------------------------------------------
Lines where the operator preference between & and == leads to an error.
There are some lines of code that look like this:
if (variable & 0xF != 0) ...
The compiler reads:
if (variable & (0xF != 0)) ...
and not
if ((variable & 0xF) != 0) ...
The result is that the compiler optimizes such code to:
if (variable & 1) ...
because (0xF != 0) is true and this is equivalent to 1
-----------------------------------------------------------------
- kioslave/trash/trashimpl.cpp:771
- kcontrol/randr/randr.cpp:322
- kcontrol/randr/randr.cpp:549
- kcontrol/randr/randr.cpp:550
- kwin/geometry.cpp:1843
- kdm/kfrontend/kdmconfig.cpp:89
- kdm/kfrontend/kdmconfig.cpp:90
- kdm/kfrontend/kdmconfig.cpp:91
- kdm/kfrontend/kdmconfig.cpp:92
- kdm/kfrontend/kdmconfig.cpp:93
-----------------------------------------------------------------
Cases from switch statements that fall through in some cases but
do not have a fall through comment as in most such cases.
------------------------------------------------------------------
- kdm/kfrontend/kgapp.cpp:102
- kwin/useractions.cpp:393
- kdesktop/minicli.cpp:523
- ksysguard/gui/ksysguard.cc:466
- kcontrol/fonts/kxftconfig.cpp:752
- kioslave/sftp/atomicio.cpp:59
- kioslave/man/man2html.cpp:1687
- kioslave/man/man2html.cpp:1762
- kioslave/man/man2html.cpp:2237
- kioslave/man/man2html.cpp:2272
- kioslave/man/man2html.cpp:2432
- kioslave/man/man2html.cpp:3252
- kioslave/man/man2html.cpp:3618
- kioslave/man/man2html.cpp:3936
- kioslave/man/man2html.cpp:3971
- kioslave/man/man2html.cpp:3973
- kioslave/man/man2html.cpp:4040
- kioslave/man/man2html.cpp:4148
- kioslave/man/man2html.cpp:4255
- kioslave/man/man2html.cpp:5041
- kioslave/man/man2html.cpp:5047
- khotkeys/shared/actions.cpp:155
- kwin/clients/default/kdedefault.cpp:811
- kdm/kfrontend/kgverify.cpp:813
-----------------------------------------------------------------
Lines where boolean expressions are used in non-boolean contexts:
I suspect that at least the lines marked with !!! are bugs
-----------------------------------------------------------------
- kpersonalizer/ksysinfo.cpp:123 !!!
- kicker/kicker/core/extensionmanager.cpp:143 !!! (at least strange style)
- kicker/kicker/core/extensionmanager.cpp:262 !!! (at least strange style)
- konqueror/sidebar/trees/dirtree_module/dirtree_item.cpp:91
- kwin/clients/b2/b2client.cpp:533
- konqueror/konq_view.cc:554
- konqueror/konq_factory.cc:108
- konqueror/konq_factory.cc:110
- konqueror/konq_factory.cc:113
- kdesktop/desktop.cc:96
- kdesktop/desktop.cc:110
- kicker/applets/systemtray/systemtrayapplet.cpp:554
- kcontrol/konqhtml/jspolicies.cpp:138
- kcontrol/style/kcmstyle.cpp:493
- kcontrol/style/kcmstyle.cpp:6021
- kcontrol/kio/kproxydlg.cpp:243
- kcontrol/kio/kenvvarproxydlg.cpp:274
- kcontrol/kio/kenvvarproxydlg.cpp:269
- kcontrol/kio/kenvvarproxydlg.cpp:264
- kcontrol/kio/kenvvarproxydlg.cpp:259
- kcontrol/kio/kenvvarproxydlg.cpp:175
- kcontrol/kio/kenvvarproxydlg.cpp:172
- kcontrol/kio/kenvvarproxydlg.cpp:169
- kcontrol/kio/kenvvarproxydlg.cpp:166
- kcontrol/kio/kproxydlg.cpp:245
- kioslave/media/kio_media.cpp:118
- kioslave/sftp/process.cpp:216
- kioslave/sftp/process.cpp:217
- kioslave/sftp/process.cpp:243
- kioslave/sftp/process.cpp:244
- kioslave/sftp/process.cpp:245
- khelpcenter/plugintraverser.cpp:60
- konsole/konsole/TEWidget.cpp:834
- kfind/kquery.cpp:175
- kwin/layers.cpp:103
- kwin/useractions.cpp:474
More information about the kde-core-devel
mailing list