Bug Summary

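File: src/lib/libc/stdio/ungetc.c
Warning: line 111, column 6
Dereference of null pointer: on the reported path, `fp->_ext._base` is assumed to be null at line 86 (step 8), and the `HASUB(fp)` expansion at line 111 then reads `->_ub._base` through it (step 13).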

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ungetc.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libc/obj -resource-dir /usr/local/lib/clang/13.0.0 -include namespace.h -I /usr/src/lib/libc/include -I /usr/src/lib/libc/hidden -D __LIBC__ -D APIWARN -D YP -I /usr/src/lib/libc/yp -I /usr/src/lib/libc -I /usr/src/lib/libc/gdtoa -I /usr/src/lib/libc/arch/amd64/gdtoa -D INFNAN_CHECK -D MULTIPLE_THREADS -D NO_FENV_H -D USE_LOCALE -I /usr/src/lib/libc -I /usr/src/lib/libc/citrus -D RESOLVSORT -D FLOATING_POINT -D PRINTF_WIDE_CHAR -D SCANF_WIDE_CHAR -D FUTEX -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libc/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig 
-D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libc/stdio/ungetc.c
1/* $OpenBSD: ungetc.c,v 1.15 2016/09/21 04:38:56 guenther Exp $ */
2/*-
3 * Copyright (c) 1990, 1993
4 * The Regents of the University of California. All rights reserved.
5 *
6 * This code is derived from software contributed to Berkeley by
7 * Chris Torek.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include <stdio.h>
35#include <stdlib.h>
36#include <string.h>
37#include "local.h"
38
39static int __submore(FILE *);
40/*
41 * Expand the ungetc buffer `in place'. That is, adjust fp->_p when
42 * the buffer moves, so that it points the same distance from the end,
43 * and move the bytes in the buffer around as necessary so that they
44 * are all at the end (stack-style).
45 */
/*
 * Returns 0 on success and EOF when the allocation fails.
 *
 * In this listing each macro use is followed by its expansion: every
 * _UB(fp) below is a cast of fp->_ext._base to struct __sfileext * that is
 * dereferenced with no null test, so this function relies on the caller
 * passing a stream whose _ext._base is valid.
 */
46static int
47__submore(FILE *fp)
48{
49 int i;
50 unsigned char *p;
51
/* First growth: the pushback buffer is still the reserve array fp->_ubuf. */
52 if (_UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._base == fp->_ubuf) {
53 /*
54 * Get a new buffer (rather than expanding the old one).
55 */
56 if ((p = malloc(BUFSIZ1024)) == NULL((void *)0))
57 return (EOF(-1));
58 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._base = p;
59 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._size = BUFSIZ1024;
/*
 * Pushed-back bytes are kept at the end of the buffer: copy the
 * sizeof(fp->_ubuf) reserve bytes into the tail of the new allocation
 * and point fp->_p at that tail.
 */
60 p += BUFSIZ1024 - sizeof(fp->_ubuf);
61 for (i = sizeof(fp->_ubuf); --i >= 0;)
62 p[i] = fp->_ubuf[i];
63 fp->_p = p;
64 return (0);
65 }
/*
 * Later growths: double the existing buffer. The reallocarray() result is
 * held in p and checked before _ub._base is overwritten, so a failed call
 * leaves the pointer stored in the stream unchanged.
 * NOTE(review): i is an int, so the i * 2 stored on line 74 is computed in
 * int arithmetic, separately from the size check reallocarray() does on
 * its own arguments; confirm the size is bounded well below INT_MAX / 2.
 */
66 i = _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._size;
67 p = reallocarray(_UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._base, i, 2);
68 if (p == NULL((void *)0))
69 return (EOF(-1));
70 /* no overlap (hence can use memcpy) because we doubled the size */
71 (void)memcpy(p + i, p, i);
/* The old contents now occupy the upper half, so fp->_p starts there. */
72 fp->_p = p + i;
73 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._base = p;
74 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._size = i * 2;
75 return (0);
76}
77
/*
 * ungetc: push the byte c back onto stream fp.
 *
 * Returns the pushed value (c after the unsigned char conversion on line
 * 105), or EOF when c is EOF, when the stream is neither in read mode nor
 * open read-write (line 92), when flushing pending output fails (line 97),
 * or when __submore() cannot grow the pushback buffer (line 112).
 *
 * Reading the analyzer notes (the bare numbers 1..13 are path steps, the
 * numbers fused to the code are source lines):
 *   steps 5-7   tc_flockfile is assumed null, so no lock is taken;
 *   steps 8-10  the _SET_ORIENTATION expansion tests fp->_ext._base and the
 *               analyzer follows the branch where it is null;
 *   step 13     the HASUB(fp) expansion on line 111 reads ->_ub._base
 *               through that same pointer with no test.
 *
 * NOTE(review): whether fp->_ext._base can be null for a stream that
 * reaches this function is not visible in this file; it depends on how FILE
 * objects are set up elsewhere in libc. If non-null is an invariant, the
 * finding is a false positive caused by the defensive test inside
 * _SET_ORIENTATION, and the invariant is worth stating next to that macro.
 * If it is not, lines 111, 112, 138 and 139 and __submore() all use the
 * same unchecked dereference and need the same guard.
 */
78int
79ungetc(int c, FILE *fp)
80{
81 if (c == EOF(-1))
1
Assuming the condition is false
2
Taking false branch
82 return (EOF(-1));
83 if (!__sdidinit)
3
Assuming '__sdidinit' is not equal to 0
4
Taking false branch
84 __sinit();
85 FLOCKFILE(fp)do { if (_thread_cb.tc_flockfile != ((void *)0)) _thread_cb.tc_flockfile
(fp); } while (0)
;
5
Assuming field 'tc_flockfile' is equal to null
6
Taking false branch
7
Loop condition is false. Exiting loop
/*
 * The expansion below is the only place in this function that compares
 * fp->_ext._base with null. That comparison is what lets the analyzer
 * assume the null case in step 8 and carry it to line 111.
 */
86 _SET_ORIENTATION(fp, -1)do { struct wchar_io_data *_wcio = (((struct __sfileext *)((fp
)->_ext._base)) ? &(((struct __sfileext *)((fp)->_ext
._base))->_wcio) : (struct wchar_io_data *)0); if (_wcio &&
_wcio->wcio_mode == 0) _wcio->wcio_mode = (-1);} while
(0)
;
8
Assuming field '_base' is null
9
'?' condition is false
10
Loop condition is false. Exiting loop
87 if ((fp->_flags & __SRD0x0004) == 0) {
11
Assuming the condition is false
12
Taking false branch
88 /*
89 * Not already reading: no good unless reading-and-writing.
90 * Otherwise, flush any current write stuff.
91 */
92 if ((fp->_flags & __SRW0x0010) == 0) {
/*
 * The error label sits inside this branch; the goto statements on lines
 * 98 and 113 jump here so that every failure unlocks before returning EOF.
 */
93error: FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0)
;
94 return (EOF(-1));
95 }
96 if (fp->_flags & __SWR0x0008) {
97 if (__sflush(fp))
98 goto error;
99 fp->_flags &= ~__SWR0x0008;
100 fp->_w = 0;
101 fp->_lbfsize = 0;
102 }
103 fp->_flags |= __SRD0x0004;
104 }
105 c = (unsigned char)c;
106
107 /*
108 * If we are in the middle of ungetc'ing, just continue.
109 * This may require expanding the current ungetc buffer.
110 */
/*
 * Reported line. HASUB(fp) expands to an unconditional read of
 * ((struct __sfileext *)fp->_ext._base)->_ub._base, unlike the guarded
 * access in the _SET_ORIENTATION expansion on line 86.
 */
111 if (HASUB(fp)(((struct __sfileext *)((fp)->_ext._base))->_ub._base !=
((void *)0))
) {
13
Dereference of null pointer
112 if (fp->_r >= _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._size && __submore(fp))
113 goto error;
114 *--fp->_p = c;
115inc_ret: fp->_r++;
116 FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0)
;
117 return (c);
118 }
119 fp->_flags &= ~__SEOF0x0020;
120
121 /*
122 * If we can handle this by simply backing up, do so,
123 * but never replace the original character.
124 * (This makes sscanf() work when scanning `const' data.)
125 */
126 if (fp->_bf._base != NULL((void *)0) && fp->_p > fp->_bf._base &&
127 fp->_p[-1] == c) {
128 fp->_p--;
129 goto inc_ret;
130 }
131
132 /*
133 * Create an ungetc buffer.
134 * Initially, we will use the `reserve' buffer.
135 */
/*
 * Save the current read count and position in _ur and _up, then switch the
 * stream to the reserve array with c stored in its last slot.
 */
136 fp->_ur = fp->_r;
137 fp->_up = fp->_p;
138 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._base = fp->_ubuf;
139 _UB(fp)((struct __sfileext *)((fp)->_ext._base))->_ub._size = sizeof(fp->_ubuf);
140 fp->_ubuf[sizeof(fp->_ubuf) - 1] = c;
141 fp->_p = &fp->_ubuf[sizeof(fp->_ubuf) - 1];
142 fp->_r = 1;
143 FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0)
;
144 return (c);
145}
/*
 * Per the expansion shown, DEF_STRONG(ungetc) emits an assembler directive
 * that declares the symbol ungetc global and sets it equal to _libc_ungetc.
 */
146DEF_STRONG(ungetc)__asm__(".global " "ungetc" " ; " "ungetc" " = " "_libc_ungetc"
)
;