Bug Summary

File:src/mod/xml_int/mod_xml_rpc/../../../../libs/xmlrpc-c/src/xmlrpc_array.c
Location:line 140, column 9
Description:Access to field '_type' results in a dereference of a null pointer (loaded from variable 'arrayP')

Annotated Source Code

1/* Copyright information is at the end of the file */
2
3/*=========================================================================
4** XML-RPC Array Functions
5**=========================================================================
6*/
7
8#include "xmlrpc_config.h"
9
10#include <assert.h>
11#include <stddef.h>
12#include <stdlib.h>
13
14#include "xmlrpc-c/util.h"
15#include "xmlrpc-c/base.h"
16#include "xmlrpc-c/base_int.h"
17
18
19
20void
21xmlrpc_abort_if_array_bad(xmlrpc_value * const arrayP) {
22
23 if (arrayP == NULL((void*)0))
24 abort();
25 else if (arrayP->_type != XMLRPC_TYPE_ARRAY)
26 abort();
27 else {
28 size_t const arraySize =
29 XMLRPC_MEMBLOCK_SIZE(xmlrpc_value*, &arrayP->_block)(xmlrpc_mem_block_size(&arrayP->_block) / sizeof(xmlrpc_value
*))
;
30 xmlrpc_value ** const contents =
31 XMLRPC_MEMBLOCK_CONTENTS(xmlrpc_value*, &arrayP->_block)((xmlrpc_value**) xmlrpc_mem_block_contents(&arrayP->_block
))
;
32
33 if (contents == NULL((void*)0))
34 abort();
35 else {
36 size_t index;
37
38 for (index = 0; index < arraySize; ++index) {
39 xmlrpc_value * const itemP = contents[index];
40 if (itemP == NULL((void*)0))
41 abort();
42 else if (itemP->_refcount < 1)
43 abort();
44 }
45 }
46 }
47}
48
49
50
51void
52xmlrpc_destroyArrayContents(xmlrpc_value * const arrayP) {
53/*----------------------------------------------------------------------------
54 Dispose of the contents of an array (but not the array value itself).
55 The value is not valid after this.
56-----------------------------------------------------------------------------*/
57 size_t const arraySize =
58 XMLRPC_MEMBLOCK_SIZE(xmlrpc_value*, &arrayP->_block)(xmlrpc_mem_block_size(&arrayP->_block) / sizeof(xmlrpc_value
*))
;
59 xmlrpc_value ** const contents =
60 XMLRPC_MEMBLOCK_CONTENTS(xmlrpc_value*, &arrayP->_block)((xmlrpc_value**) xmlrpc_mem_block_contents(&arrayP->_block
))
;
61
62 size_t index;
63
64 XMLRPC_ASSERT_ARRAY_OK(arrayP)xmlrpc_abort_if_array_bad(arrayP);
65
66 /* Release our reference to each item in the array */
67 for (index = 0; index < arraySize; ++index) {
68 xmlrpc_value * const itemP = contents[index];
69 xmlrpc_DECREF(itemP);
70 }
71 XMLRPC_MEMBLOCK_CLEAN(xmlrpc_value *, &arrayP->_block)xmlrpc_mem_block_clean(&arrayP->_block);
72}
73
74
75
76int
77xmlrpc_array_size(xmlrpc_env * const envP,
78 const xmlrpc_value * const arrayP) {
79
80 int retval;
81
82 XMLRPC_ASSERT_ENV_OK(envP)do if (!((envP) != ((void*)0) && (envP->fault_string
== ((void*)0)) && !(envP)->fault_occurred)) xmlrpc_assertion_failed
("../../../../libs/xmlrpc-c/src/xmlrpc_array.c", 82); while (
0)
;
83 XMLRPC_ASSERT_VALUE_OK(arrayP)do if (!((arrayP) != ((void*)0) && (arrayP)->_type
!= XMLRPC_TYPE_DEAD)) xmlrpc_assertion_failed("../../../../libs/xmlrpc-c/src/xmlrpc_array.c"
, 83); while (0)
;
84
85 if (arrayP->_type != XMLRPC_TYPE_ARRAY) {
86 xmlrpc_env_set_fault_formatted(
87 envP, XMLRPC_TYPE_ERROR(-501), "Value is not an array");
88 retval = -1;
89 } else {
90 size_t const size =
91 XMLRPC_MEMBLOCK_SIZE(xmlrpc_value *, &arrayP->_block)(xmlrpc_mem_block_size(&arrayP->_block) / sizeof(xmlrpc_value
*))
;
92
93 assert((size_t)(int)(size) == size)(((size_t)(int)(size) == size) ? (void) (0) : __assert_fail (
"(size_t)(int)(size) == size", "../../../../libs/xmlrpc-c/src/xmlrpc_array.c"
, 93, __PRETTY_FUNCTION__))
;
94
95 retval = (int)size;
96 }
97 return retval;
98}
99
100
101
102void
103xmlrpc_array_append_item(xmlrpc_env * const envP,
104 xmlrpc_value * const arrayP,
105 xmlrpc_value * const valueP) {
106
107 XMLRPC_ASSERT_ENV_OK(envP)do if (!((envP) != ((void*)0) && (envP->fault_string
== ((void*)0)) && !(envP)->fault_occurred)) xmlrpc_assertion_failed
("../../../../libs/xmlrpc-c/src/xmlrpc_array.c", 107); while (
0)
;
108 XMLRPC_ASSERT_VALUE_OK(arrayP)do if (!((arrayP) != ((void*)0) && (arrayP)->_type
!= XMLRPC_TYPE_DEAD)) xmlrpc_assertion_failed("../../../../libs/xmlrpc-c/src/xmlrpc_array.c"
, 108); while (0)
;
109
110 if (xmlrpc_value_type(arrayP) != XMLRPC_TYPE_ARRAY)
111 xmlrpc_env_set_fault_formatted(
112 envP, XMLRPC_TYPE_ERROR(-501), "Value is not an array");
113 else {
114 size_t const size =
115 XMLRPC_MEMBLOCK_SIZE(xmlrpc_value *, &arrayP->_block)(xmlrpc_mem_block_size(&arrayP->_block) / sizeof(xmlrpc_value
*))
;
116
117 XMLRPC_MEMBLOCK_RESIZE(xmlrpc_value *, envP, &arrayP->_block, size+1)xmlrpc_mem_block_resize(envP, &arrayP->_block, sizeof(
xmlrpc_value *) * (size+1))
;
118
119 if (!envP->fault_occurred) {
120 xmlrpc_value ** const contents =
121 XMLRPC_MEMBLOCK_CONTENTS(xmlrpc_value*, &arrayP->_block)((xmlrpc_value**) xmlrpc_mem_block_contents(&arrayP->_block
))
;
122 xmlrpc_INCREF(valueP);
123 contents[size] = valueP;
124 }
125 }
126}
127
128
129
130void
131xmlrpc_array_read_item(xmlrpc_env * const envP,
132 const xmlrpc_value * const arrayP,
133 unsigned int const index,
134 xmlrpc_value ** const valuePP) {
135
136 XMLRPC_ASSERT_ENV_OK(envP)do if (!((envP) != ((void*)0) && (envP->fault_string
== ((void*)0)) && !(envP)->fault_occurred)) xmlrpc_assertion_failed
("../../../../libs/xmlrpc-c/src/xmlrpc_array.c", 136); while (
0)
;
137 XMLRPC_ASSERT_VALUE_OK(arrayP)do if (!((arrayP) != ((void*)0) && (arrayP)->_type
!= XMLRPC_TYPE_DEAD)) xmlrpc_assertion_failed("../../../../libs/xmlrpc-c/src/xmlrpc_array.c"
, 137); while (0)
;
5
Within the expansion of the macro 'XMLRPC_ASSERT_VALUE_OK':
a
Assuming 'arrayP' is equal to null
138 XMLRPC_ASSERT_PTR_OK(valuePP)do if (!((valuePP) != ((void*)0))) xmlrpc_assertion_failed("../../../../libs/xmlrpc-c/src/xmlrpc_array.c"
, 138); while (0)
;
139
140 if (arrayP->_type != XMLRPC_TYPE_ARRAY)
6
Access to field '_type' results in a dereference of a null pointer (loaded from variable 'arrayP')
141 xmlrpc_env_set_fault_formatted(
142 envP, XMLRPC_TYPE_ERROR(-501), "Attempt to read array item from "
143 "a value that is not an array");
144 else {
145 xmlrpc_value ** const contents =
146 XMLRPC_MEMBLOCK_CONTENTS(xmlrpc_value *, &arrayP->_block)((xmlrpc_value **) xmlrpc_mem_block_contents(&arrayP->
_block))
;
147 size_t const size =
148 XMLRPC_MEMBLOCK_SIZE(xmlrpc_value *, &arrayP->_block)(xmlrpc_mem_block_size(&arrayP->_block) / sizeof(xmlrpc_value
*))
;
149
150 if (index >= size)
151 xmlrpc_env_set_fault_formatted(
152 envP, XMLRPC_INDEX_ERROR(-502), "Array index %u is beyond end "
153 "of %u-item array", index, (unsigned int)size);
154 else {
155 *valuePP = contents[index];
156 xmlrpc_INCREF(*valuePP);
157 }
158 }
159}
160
161
162
163xmlrpc_value *
164xmlrpc_array_get_item(xmlrpc_env * const envP,
165 const xmlrpc_value * const arrayP,
166 int const index) {
167
168 xmlrpc_value * valueP;
169
170 if (index < 0)
1
Assuming 'index' is >= 0
2
Taking false branch
171 xmlrpc_env_set_fault_formatted(
172 envP, XMLRPC_INDEX_ERROR(-502), "Index %d is negative.", index);
173 else {
174 xmlrpc_array_read_item(envP, arrayP, index, &valueP);
3
Passing value via 2nd parameter 'arrayP'
4
Calling 'xmlrpc_array_read_item'
175
176 if (!envP->fault_occurred)
177 xmlrpc_DECREF(valueP);
178 }
179 if (envP->fault_occurred)
180 valueP = NULL((void*)0);
181
182 return valueP;
183}
184
185
186
187xmlrpc_value *
188xmlrpc_array_new(xmlrpc_env * const envP) {
189/*----------------------------------------------------------------------------
190 Create an empty array xmlrpc_value.
191-----------------------------------------------------------------------------*/
192 xmlrpc_value * arrayP;
193
194 xmlrpc_createXmlrpcValue(envP, &arrayP);
195 if (!envP->fault_occurred) {
196 arrayP->_type = XMLRPC_TYPE_ARRAY;
197 XMLRPC_MEMBLOCK_INIT(xmlrpc_value*, envP, &arrayP->_block, 0)xmlrpc_mem_block_init((envP), (&arrayP->_block), sizeof
(xmlrpc_value*) * (0))
;
198 if (envP->fault_occurred)
199 free(arrayP);
200 }
201 return arrayP;
202}
203
204
205
206/* Copyright (C) 2001 by First Peer, Inc. All rights reserved.
207** Copyright (C) 2001 by Eric Kidd. All rights reserved.
208**
209** Redistribution and use in source and binary forms, with or without
210** modification, are permitted provided that the following conditions
211** are met:
212** 1. Redistributions of source code must retain the above copyright
213** notice, this list of conditions and the following disclaimer.
214** 2. Redistributions in binary form must reproduce the above copyright
215** notice, this list of conditions and the following disclaimer in the
216** documentation and/or other materials provided with the distribution.
217** 3. The name of the author may not be used to endorse or promote products
218** derived from this software without specific prior written permission.
219**
220** THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
221** ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
222** IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
223** ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
224** FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
225** DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
226** OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
227** HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
228** LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
229** OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
230** SUCH DAMAGE. */