Suspicious code in kdegraphics-3.5.2

Christoph Bartoschek bartoschek at gmx.de
Sat Apr 22 00:36:45 BST 2006 

------------------------------------------------------------------
Misc problems:
------------------------------------------------------------------

- kpdf/part.cpp:642

Very strange: !m_document->currentPage() < 1   is false for the first
page.


- kooka/img_saver.cpp:439

This case is handled in line 431

- kamera/kioslave/kamera.cpp:949
- kamera/kioslave/kamera.cpp:989

Use delete [] here.

- kviewshell/plugins/djvu/libdjvu/DataPool.cpp:1140

The loop is executed at most once.

- kviewshell/plugins/djvu/libdjvu/BSByteStream.cpp:337
- kviewshell/plugins/djvu/libdjvu/BSEncodeByteStream.cpp:890

k starts at 4 here?

- kviewshell/plugins/djvu/libdjvu/XMLParser.cpp:256

If line 254 is not executed, then endpos is not initialized here.

- kolourpaint/kpview.cpp:1608
- kolourpaint/kpview.cpp:1616
- kolourpaint/kpview.cpp:1638

0 && ?

- kolourpaint/tools/kptoolpen.cpp:260

If line 245 is false then renderMode is uninitialized here.

- kolourpaint/tools/kptoolselection.cpp:1095
- kolourpaint/tools/kptoolselection.cpp:1217

&& true ?

- kiconedit/kicongrid.cpp:2141-2149

use delete [] here.

- kiconedit/kicongrid.cpp:2018

There are a lot of out of bounds accesses here. For example when n ==
15, i == 14 and j == 0.

- kghostview/kgvdocument.cpp:668

The open files from and to are leaking here.

- kpovmodeler/pmdockwidget.cpp:2474

The loop breaks quite early.

- kpovmodeler/pmpovrayparser.cpp:6977
- kpovmodeler/pmpovrayparser.cpp:6980
- kpovmodeler/pmpovrayparser.cpp:6983

',' is always true.  

- kpovmodeler/pmspheresweep.cpp:436

i is not initialized here.

- kpovmodeler/pmvariant.cpp:893

success is not set if PMVariant::ThreeState is chosen in line 860 and
line 868 is not executed.

- libkscan/kscanoption.cpp:422

&& 1 ?

- kpdf/xpdf/fofi/FoFiType1.cc:168

line controls the for loops in lines 168 and 142

- kpdf/xpdf/xpdf/Gfx.cc:1919

If i is 255 and j bigger than 256, then there is an out of bounds write
here.

- kpdf/xpdf/xpdf/CharCodeToUnicode.cc:253

If n1 is 0 then the index is out of bounds.

- kpdf/xpdf/xpdf/Function.cc:1280

If i2 is smaller than 0, then the shift amount is invalid here.

- kpdf/xpdf/xpdf/Annot.cc:141

i1 controls the loops in line 139 and 141.

- kpdf/xpdf/xpdf/GfxState.cc:819

nCompsA can be up to 32 according to lines 789/792. If the value is
bigger than 3 then here is an out of bounds access.


- kpdf/xpdf/xpdf/SplashOutputDev.cc:1079

If line 1017 is false, then line 1018 is not executed and tmpBufLen is
not initialized here.

- ksvg/impl/SVGPathElementImpl.cc:726

data.subpathIsClosed or data.subpathEndIndex or data.subpathStartIndex
can be uninitialized here, if the correct paths are not taken in the
code before.

- ksvg/impl/libs/art_support/art_misc.c:220

ART_END2 is not a ArtPathcode and as far as I know it is not guaranteed
that an emum can hold more than its own values.

- ksvg/impl/libs/xrgbrender/gdk-pixbuf-xlibrgb.c:377

If nr is 1 here, there is a division by 0.

- kfile-plugins/gif/gif-info.c:483

outfile is still open here and not closed. This is a file leak.

- kfile-plugins/gif/gif-info.c:290

If line 284 is false, then gct and gct_size are uninitialized here.

- kfile-plugins/raw/parse.c:450
- kfile-plugins/raw/parse.c:456

Is it impossible that this line is reached such that wbi is still -1?
For example when type is directly 0x32 and the model fits?

- kfile-plugins/raw/parse.c:884

Is it impossible that len is 0 here? If no, then the shift amount is
invalid.

- kuickshow/src/defaultswidget.cpp:270

Why not &&?

- kmrml/kmrml/lib/watcher_stub.cpp:50

result is only initialized when line 42 is executed.

- kmrml/kmrml/lib/kmrml_config.cpp

Can one be sure that two same constant strings always have the same address?

- kfax/kfax.cpp:1064

Why not || instead of |?

------------------------------------
Problems involving the NULL pointer:
------------------------------------

- kpdf/core/generator_pdf/generator_pdf.cpp:221

If pdfdoc is NULL as indicated by line 206, then line 221 crashes.

- kpdf/core/generator_pdf/generator_pdf.cpp:803

If destination is NULL as indicated by line 793 but g->getNameDest() is
false, then line 803 crashes.

- kpdf/part.cpp:874 

If page is NULL as indicated by line 839, then line 874 crashes.

- ksvg/core/KSVGLoader.cpp:92

If image is NULL as indicated by line 82, then line 92 crashes.

- ksvg/plugin/backends/libart/LibartCanvasItems.cpp:1433

If fill is NULL, stroke != NULL but stroke->svp is NULL, then line 1433
crashes.

- kooka/kookaview.cpp:881

If dirKfi  is NULL as indicated by line 864, then line 881 crashes.

- kooka/scanpackager.cpp:1246

If e is NULL as indicated by line 1244, then line 1246 crashes.

- kooka/scanpackager.cpp:443

If item is NULL as indicated by line 421, then line 429 crashes.

- kooka/scanpackager.cpp:255

If kfi is NULL as indicated by line 220, then line 255 crashes.

- kview/modules/presenter/kviewpresenter.cpp:141

If m_pViewer is NULL as indicated by line 68, then line 141 crashes.

- kview/photobook/photobook.cpp

If mViewer is NULL as indicated in line 166 and the for loop in line 156
ends, then line 178 crashes.

- kviewshell/plugins/djvu/libdjvu/BSEncodeByteStream.cpp:990

If data is NULL as indicated by line 980, then memcpy operates in
invalid data regions.

- kviewshell/plugins/djvu/libdjvu/GContainer.cpp:707

If n->next is NULL as line 697 indicates, then line 707 crashes.

- kviewshell/plugins/djvu/libdjvu/DjVuAnno.cpp:270

If the case in line 267 is selected, then to_print is NULL.

- kuickshow/src/kuickshow.cpp:839

If steps == 0, then item is NULL here.

- kuickshow/src/defaultswidget.cpp:179

If imFiltered is NULL as indicated by line 150, then line 179 crashes.

- kolourpaint/tools/kptoolresizescale.cpp:219

If line 213 is true, line 219 crashes.

- kolourpaint/tools/kptoolselection.cpp:1871
- kolourpaint/tools/kptoolselection.cpp:1915 (similar)
- kolourpaint/kpdocument.cpp:1012 (similar)


If m_mainWindow is NULL as indicated by line 1854, then line 1870
crashes.

- kolourpaint/tools/kptoolselection.cpp:1646

If m_mainWindow is NULL as indicated by line 1637, then line 1646
crashes.

- kpovmodeler/pmpovrayparser.cpp:388 
- kpovmodeler/pmpovrayparser.cpp:412

If parent is NULL as indicated by line 205, then line 388 crashes.

- kpovmodeler/pmsorcontrolpoint.cpp:53

If m_pPrev is NULL but m_pNext is not NULL then line 53 crashes.

- kpdf/xpdf/xpdf/SplashOutputDev.cc:1136

If fileName is NULL as indicated by line 1076, then line 1136 crashes.

- kviewshell/plugins/djvu/libdjvu/JB2Image.cpp:489

If pctx is NULL as indicated by line 473, then line 479 crashes.

-----------------------------------------------------------------
Lines where the operator preference between & and == leads to an error.
There are some lines of code that look like this:
if (variable & 0xF != 0)  ...
The compiler reads:
if (variable & (0xF != 0))  ...
and not
if ((variable & 0xF) != 0)  ...
The result is that the compiler optimizes such code to:
if (variable & 1) ...
because (0xF != 0) is true and this is equivalent to 1
-----------------------------------------------------------------

- kviewshell/documentWidget.cpp:600 (LeftButton)

-----------------------------------------------------------------
Cases from switch statements that fall through in some cases but 
do not have a fall through comment as in most such cases.
------------------------------------------------------------------
- kdvi/dviRenderer_prescan.cpp:701
- kdvi/dviRenderer_draw.cpp:425
- kdvi/dviRenderer_draw.cpp:440
- kdvi/dviRenderer_draw.cpp:475
- kdvi/dviRenderer_draw.cpp:495
- kdvi/dviRenderer_prescan.cpp:711
- kdvi/dviRenderer_prescan.cpp:732
- kdvi/dviRenderer_prescan.cpp:743
- kghostview/dscparse.cpp:509
- kpovmodeler/pmfinish.cpp:670
- kpovmodeler/pminterior.cpp:329
- kpovmodeler/pmtreeview.cpp:752
- kpovmodeler/pmtorus.cpp:138
- ksvg/impl/SVGImageElementImpl.cc:171
- ksvg/impl/SVGStylableImpl.cc:1258
- kpdf/xpdf/xpdf/JPXStream.cc:1600
- libkscan/img_canvas.cpp:588,593,598,603
- kpovmodeler/pmpovrayparser.cpp:945
- kpovmodeler/pmpovrayparser.cpp:6940
- kiconedit/kicongrid.cpp:812
- kiconedit/kicongrid.cpp:903
- kviewshell/plugins/djvu/libdjvu/UnicodeByteStream.cpp
- kviewshell/plugins/djvu/libdjvu/JB2Image.cpp:1319
- kfile-plugins/jpeg/exif.cpp:352
- kview/modules/presenter/kviewpresenter.cpp
- kpdf/ui/pageview.cpp:724
- kfax/viewfax.cpp:230

-----------------------------------------------------------------
Lines where boolean expressions are used in non-boolean contexts:

I suspect that at least the lines marked with !!! are bugs
-----------------------------------------------------------------

- ksvg/impl/libs/xrgbrender/gdk-pixbuf-xlib-drawable.c:1043
- kfaxview/libkfaximage/kfaximage.cpp:273
- kpovmodeler/pmpart.cpp:688
- kuickshow/src/kuickshow.cpp:522
- kuickshow/src/kuickshow.cpp:521
- kviewshell/plugins/djvu/libdjvu/DjVuDocEditor.cpp:1935
- kfax/faxinput.cpp:194

More information about the kde-core-devel mailing list