Suspicious code in kdeedu-3.5.2

Christoph Bartoschek bartoschek at gmx.de
Sat Apr 22 11:59:48 BST 2006


So, the last report for kde 3.5.2:

------------------------------------------------------------------
Misc problems:
------------------------------------------------------------------

- kturtle/src/value.cpp:309
- kturtle/src/value.cpp:299
- kturtle/src/value.cpp:289
- kturtle/src/value.cpp:279

m_bool >= n.Bool()  ???

- kturtle/src/canvas.cpp:508

Could it be that i is 4 here because of lines 489, 495, 501, 507?

- kturtle/src/kturtle.cpp:399
- kturtle/src/kturtle.cpp:356

The loop is executed at most once.

- kverbos/kverbos/kverbosdoc.cpp:698

of is allocated in line 690 and used uninitialized here.

- keduca/libkeduca/fileread.cpp:337
- keduca/libkeduca/fileread.cpp:379
- keduca/libkeduca/fileread.cpp:349
- keduca/libkeduca/fileread.cpp:391
- keduca/libkeduca/fileread.cpp:298
- keduca/libkeduca/fileread.cpp:307
- keduca/libkeduca/fileread.cpp:322
- keduca/libkeduca/fileread.cpp:321
- keduca/libkeduca/fileread.cpp:284
- keduca/libkeduca/fileread.cpp:283
- keduca/libkeduca/fileread.cpp:364
- keduca/libkeduca/fileread.cpp:363
- keduca/libkeduca/fileread.cpp:357
- keduca/libkeduca/fileread.cpp:356
- keduca/libkeduca/fileread.cpp:277
- keduca/libkeduca/fileread.cpp:276
- keduca/libkeduca/fileread.cpp:315
- keduca/libkeduca/fileread.cpp:314


if (_fileBOF = true) is always true. But even if you mean
if (_fileBOF == true) _fileBOF = false this still means:
_fileBOF = false;

- kmplot/kmplot/parser.cpp:265
- kmplot/kmplot/parser.cpp:269
- kmplot/kmplot/parser.cpp:273
- kmplot/kmplot/parser.cpp:277
- kmplot/kmplot/parser.cpp:280
- kmplot/kmplot/parser.cpp:285
- kmplot/kmplot/parser.cpp:289
- kmplot/kmplot/parser.cpp:293
- kmplot/kmplot/parser.cpp:304

When this case is selected the first time the switch in line 245 is
executed then stkptr[-1] is out of bounds.

- kstars/kstars/fitshistogram.cpp:148

If binSize is 0 but buffer is not NULL, then line 144 is not executed
and line 148 has a division by 0.

- kstars/kstars/fitsprocess.cpp:147

Is narray leaking here?  If yes, why not use std::vector?

- kstars/kstars/indi/apmount.cpp:657
- kstars/kstars/indi/apmount.cpp:658

tmtexts and tmtp have only 1 byte allocated, but 4 bytes (32-bit
platforms) are assigned here. Why not use std::vector and std::string
for such tasks? Is the memory also leaking in lines 667, 668?

- kstars/kstars/indi/apogee/ApnCamera.cpp:983

If no case is selected in line 967, then RegVal is uninitialized here.

- kstars/kstars/indi/apogee/ApogeeUsbLinuxForKernel.cpp:354

retval is used uninitialized.

- kstars/kstars/indi/apogee/ApogeeUsbLinuxForKernel.cpp:367

Success is not set if the loop in line 348 is not entered.

- kstars/kstars/indi/v4ldriver.cpp:662

Use delete [] here.  Or better a std::vector<unsigned char>. This way
you prevent the memory leaks in lines 625 and 641.

- kstars/kstars/indi/v4lphilips.cpp:602

The index 5 is out of bounds of this array.

- kstars/kstars/indi/sbigccd.cpp:567
- kstars/kstars/indi/sbigccd.cpp:590
- kstars/kstars/indi/sbigccd.cpp:578
- kstars/kstars/indi/sbigccd.cpp:559 (only fitsData)

fitsData and compressedData are leaking memory here. Why not use
std::vector<unsigned char>?

- kstars/kstars/indi/sbigccd.cpp:602
- kstars/kstars/indi/apogee_ppi.cpp:679 (similar)

After this function has finished, imageB.blob points to freed memory. Are
there memory leaks when the function returns too early in the second
case?

- kstars/kstars/indidevice.cpp:874
- kstars/kstars/indidevice.cpp:885 (similar)
- kstars/kstars/indidevice.cpp:898 (similar)

In line 872 you delete pp and use it here again.

- kstars/kstars/fitsviewer.cpp:308

If buffer is != NULL here, then the memory is leaking here. std::vector
is better for such tasks.

- kstars/kstars/indistd.cpp:492

Use delete [] here or better a std::string or QString for tempPrefix.

- kstars/kstars/kstarsdata.cpp:553

If ok is true but nn != 2, then you delete seg in line 546. But you use
it again in line 553.

- kgeography/src/answer.cpp:101

If line 91 is also false, then widgets[i] is not initialized here.

- blinken/src/blinken.cpp:442

i can become 4 if selected is always false. Then the else part in line
434 is chosen and in line 442 you have an out of bounds access.

- kig/objects/locus_imp.cc:231
- kig/objects/locus_imp.cc:168 (similar)

Why not (mm1 > mm2 && j <= N)?

- kiten/xjdxgen.c:151

fp is closed in line 140.  Here you close it again.

- kstars/kstars/indi/fli/libfli-mem.c:75

Buffer overflow. In line 68 num is set to 2*allocated.total. Then
allocated.pointers gets a buffer for num pointers in line 70. In line 75
you start at  position allocate.total and overwrite num (= 2 *
allocated.total) elements with 0. The last allocated.total elements do
not belong to the buffer.

- kstars/kstars/indi/fli/libfli-filter-focuser.c:467

abs loses precision here. Maybe you want to use labs.

- kstars/kstars/indi/fli_ccd.c:898
- kstars/kstars/indi/fli_ccd.c:908

The memory pointed to by fitsData and compressedData is leaking here.

- kstars/kstars/indi/temmadriver.c:73

Buffer overflow.  PortT->text has place for 10 chars, but strcpy copies
11 into it. Note that strcpy adds the \0.

- kstars/kstars/indi/celestronprotocol.c:562

The loop is executed at most once.

- ktouch/extras/training-gen/c/ktouchgen.c:131

If strlen(ptr->word) returns 0 in line 100, then or_failed or and_failed
are not initialized.

- ktouch/extras/training-gen/c/ktouchgen.c:179
- ktouch/extras/training-gen/c/ktouchgen.c:197 (similar)
- ktouch/extras/training-gen/c/ktouchgen.c:229 (similar)

If file is NULL and line 167 is entered, then a NULL is passed to fclose.

- kstars/kstars/indi/webcam/v4l2_base.cpp:1116

num_ctrls is leaking here.

------------------------------------
Problems involving the NULL pointer:
------------------------------------

- keduca/keducabuilder/kcontroladdedit.cpp:170
- keduca/keducabuilder/kcontroladdedit.cpp:158 (similar)

If item is NULL as indicated by line 167, then line 170 crashes.

- kstars/kstars/kswizard.cpp:143

If the if condition in line 134 is false, then line 143 crashes.

- kmplot/kmplot/View.cpp:703

it could be NULL here, when line 623 is false.

-----------------------------------------------------------------
Cases from switch statements that fall through in some cases but
do not have a fall through comment as in most such cases.
------------------------------------------------------------------

- kverbos/kverbos/kerfassen.cpp:281

-----------------------------------------------------------------
Lines where boolean expressions are used in non-boolean contexts:

I suspect that at least the lines marked with !!! are bugs
-----------------------------------------------------------------

- kig/modes/label.cc:291, 330
- kig/modes/popup.cc:878, 874, 870, 214
- kig/modes/construct_mode.cc:213
- kig/misc/kiginputdialog.cc:203
- kig/misc/object_hierarchy.cc:317
- kig/misc/calcpaths.cc:206, 207
- kig/misc/object_constructor.cc:516
- kig/misc/rect.cc:291
- kstars/kstars/kstarsdata.cpp:1663, 1675
- kstars/kstars/indi/apogee/CameraIO_LinuxPPI.cpp:251, 270, 300
- kstars/kstars/indi/apogee/CameraIO_LinuxPCI.cpp:301, 320, 348
- kstars/kstars/indi/apogee/CameraIO_LinuxISA.cpp:247, 266, 294
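The kmplot/kmplot/parser.cpp finding above (stkptr[-1] read before anything was pushed) is the classic value-stack underflow. Below is an added, constructed illustration of a depth-checked evaluator; it is not kmplot's code, and the opcode names, STACK_MAX and the eval() signature are assumptions.

```c
#include <stddef.h>

/* Constructed value-stack evaluator; not kmplot's parser.cpp.
 * Every opcode checks the current depth before touching stkptr[-1] or
 * stkptr[-2], so an operator at the start of a program is rejected
 * instead of reading below the stack. */
enum op { OP_PUSH, OP_ADD, OP_MUL, OP_NEG };
struct instr { enum op op; double value; };  /* value used by OP_PUSH only */

#define STACK_MAX 16

/* Returns 0 and stores the result in *out, or -1 on underflow, overflow
 * or a malformed program (more or fewer than one value left at the end). */
int eval(const struct instr *prog, size_t n, double *out)
{
    double stack[STACK_MAX];
    double *stkptr = stack;              /* one past the topmost value */
    size_t i;
    for (i = 0; i < n; i++) {
        size_t depth = (size_t)(stkptr - stack);
        switch (prog[i].op) {
        case OP_PUSH:
            if (depth >= STACK_MAX) return -1;
            *stkptr++ = prog[i].value;
            break;
        case OP_NEG:                     /* unary: needs one operand */
            if (depth < 1) return -1;
            stkptr[-1] = -stkptr[-1];
            break;
        case OP_ADD:                     /* binary: needs two operands */
        case OP_MUL:
            if (depth < 2) return -1;
            stkptr[-2] = prog[i].op == OP_ADD ? stkptr[-2] + stkptr[-1]
                                              : stkptr[-2] * stkptr[-1];
            stkptr--;
            break;
        default:
            return -1;
        }
    }
    if (stkptr - stack != 1) return -1;
    *out = stack[0];
    return 0;
}

/* (2 + 3) * -4 in postfix; returns the result, or 0 if eval() failed. */
double eval_ok_example(void)
{
    const struct instr prog[] = { {OP_PUSH, 2}, {OP_PUSH, 3}, {OP_ADD, 0},
                                  {OP_PUSH, 4}, {OP_NEG, 0}, {OP_MUL, 0} };
    double out = 0;
    return eval(prog, sizeof prog / sizeof prog[0], &out) == 0 ? out : 0;
}

/* Program whose first instruction is a binary operator: must return -1. */
int eval_underflow_example(void)
{
    const struct instr prog[] = { {OP_ADD, 0}, {OP_PUSH, 1} };
    double out;
    return eval(prog, 2, &out);
}
```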
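For the kstars/kstars/indi/fli/libfli-mem.c finding above (doubling a pointer table and then zeroing num = 2 * total slots starting at offset total), here is an added, constructed version of the growth step that zeroes only the new tail and keeps the old table on realloc failure, plus the bounds check that would flag the original fill. It is not the libfli code; struct ptr_table, tail_overrun() and grow_table() are assumed names.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed pointer-table growth routine; not libfli-mem.c. */
struct ptr_table {
    void **pointers;   /* slots holding tracked allocations */
    size_t total;      /* number of slots the table currently has */
};

/* Slots that a fill covering [start, start + count) would touch beyond a
 * table of 'capacity' slots; 0 means the fill is in bounds. */
size_t tail_overrun(size_t capacity, size_t start, size_t count)
{
    size_t in_bounds = capacity > start ? capacity - start : 0;
    return count > in_bounds ? count - in_bounds : 0;
}

/* Double the table. Existing entries survive, only the new slots are
 * zeroed. Returns 0 on success, -1 on failure with the old table intact. */
int grow_table(struct ptr_table *t)
{
    size_t num = t->total ? 2 * t->total : 4;
    void **p;
    if (num < t->total || num > SIZE_MAX / sizeof *p) return -1; /* wrap */
    p = realloc(t->pointers, num * sizeof *p);
    if (p == NULL) return -1;            /* t->pointers still valid */
    /* fill num - total slots, not num: the tail only */
    memset(p + t->total, 0, (num - t->total) * sizeof *p);
    t->pointers = p;
    t->total = num;
    return 0;
}

/* Self-check: grow twice and verify old entries survive and new ones are
 * NULL. Returns 1 when every invariant holds, 0 otherwise. */
int grow_table_check(void)
{
    struct ptr_table t = { NULL, 0 };
    int marker = 0, ok;
    size_t i;
    if (grow_table(&t) != 0 || t.total != 4) return 0;
    for (i = 0; i < 4; i++) t.pointers[i] = &marker;  /* fill all slots */
    if (grow_table(&t) != 0) { free(t.pointers); return 0; }
    ok = t.total == 8;
    for (i = 0; i < 8; i++)
        ok = ok && (i < 4 ? t.pointers[i] == &marker : t.pointers[i] == NULL);
    free(t.pointers);
    return ok;
}
```

With the values the report describes (capacity 2 * total, fill of 2 * total slots starting at total), tail_overrun() reports total slots written past the buffer.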