/usr/src/games/quiz/rxp.c

Bug Summary

File:	src/games/quiz/rxp.c
Warning:	line 212, column 38 Dereference of null pointer (loaded from variable 'rp')

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name rxp.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/games/quiz/obj -resource-dir /usr/local/lib/clang/13.0.0 -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/games/quiz/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/games/quiz/rxp.c

1/*	$OpenBSD: rxp.c,v 1.8 2009/10/27 23:59:26 deraadt Exp $	*/
2/*	$NetBSD: rxp.c,v 1.5 1995/04/22 10:17:00 cgd Exp $	*/

4/*-
* Copyright (c) 1991, 1993
*	The Regents of the University of California.  All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Jim R. Oldroyd at The Instruction Set and Keith Gabryelski at
* Commodore Business Machines.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
*    notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
*    notice, this list of conditions and the following disclaimer in the
*    documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
*    may be used to endorse or promote products derived from this software
*    without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/

37/*
* regular expression parser
*
* external functions and return values are:
* rxp_compile(s)
*	TRUE	success
*	FALSE	parse failure; error message will be in char rxperr[]
* metas are:
*	{...}	optional pattern, equialent to [...|]
*	|	alternate pattern
*	[...]	pattern delimiters
*
* rxp_match(s)
*	TRUE	string s matches compiled pattern
*	FALSE	match failure or regexp error
*
* rxp_expand()
*	char *	reverse-engineered regular expression string
*	NULL	regexp error
*/

58#include <stdio.h>
59#include <ctype.h>
60#include "quiz.h"
			/* regexp tokens,	arg */
62#define	LIT(-1)	(-1)			/* literal character,	char */
63#define	SOT(-2)	(-2)			/* start text anchor,	- */
64#define	EOT(-3)	(-3)			/* end text anchor,	- */
65#define	GRP_S(-4)	(-4)			/* start alternate grp,	ptr_to_end */
66#define	GRP_E(-5)	(-5)			/* end group,		- */
67#define	ALT_S(-6)	(-6)			/* alternate starts,	ptr_to_next */
68#define	ALT_E(-7)	(-7)			/* alternate ends,	- */
69#define	END(-8)	(-8)			/* end of regexp,	- */

71typedef short Rxp_t;			/* type for regexp tokens */

73static Rxp_t rxpbuf[RXP_LINE_SZ8192];	/* compiled regular expression buffer */
74char rxperr[128];			/* parser error message */

76static int	 rxp__compile(const char *, int);
77static char	*rxp__expand(int);
78static int	 rxp__match(const char *, int, Rxp_t *, Rxp_t *, const char *);

80int
81rxp_compile(const char *s)
82{
return (rxp__compile(s, TRUE1));
84}

86static int
87rxp__compile(const char *s, int first)
88{
static Rxp_t *rp;
static const char *sp;
Rxp_t *grp_ptr;
Rxp_t *alt_ptr;
int esc, err;

if (s == NULL((void *)0)) {
(void)snprintf(rxperr, sizeof(rxperr),
    "null string sent to rxp_compile");
return(FALSE0);
}
esc = 0;
if (first) {
rp = rxpbuf;
sp = s;
*rp++ = SOT(-2);	/* auto-anchor: pat is really ^pat$ */
*rp++ = GRP_S(-4);	/* auto-group: ^pat$ is really ^[pat]$ */
*rp++ = 0;
}
*rp++ = ALT_S(-6);
alt_ptr = rp;
*rp++ = 0;
for (; *sp; ++sp) {
if (rp - rxpbuf >= RXP_LINE_SZ8192 - 4) {
	(void)snprintf(rxperr, sizeof(rxperr),
	    "regular expression too long %s", s);
	return (FALSE0);
}
if (*sp == ':' && !esc)
	break;
if (esc) {
	*rp++ = LIT(-1);
	*rp++ = *sp;
	esc = 0;
}
else switch (*sp) {
case '\\':
	esc = 1;
	break;
case '{':
case '[':
	*rp++ = GRP_S(-4);
	grp_ptr = rp;
	*rp++ = 0;
	sp++;
	if ((err = rxp__compile(s, FALSE0)) != TRUE1)
		return (err);
	*rp++ = GRP_E(-5);
	*grp_ptr = rp - rxpbuf;
	break;
case '}':
case ']':
case '|':
	*rp++ = ALT_E(-7);
	*alt_ptr = rp - rxpbuf;
	if (*sp != ']') {
		*rp++ = ALT_S(-6);
		alt_ptr = rp;
		*rp++ = 0;
	}
	if (*sp != '|') {
		if (*sp != ']') {
			*rp++ = ALT_E(-7);
			*alt_ptr = rp - rxpbuf;
		}
		if (first) {
			(void)snprintf(rxperr, sizeof(rxperr),
			    "unmatched alternator in regexp %s",
			     s);
			return (FALSE0);
		}
		return (TRUE1);
	}
	break;
default:
	*rp++ = LIT(-1);
	*rp++ = *sp;
	esc = 0;
	break;
}
}
if (!first) {
(void)snprintf(rxperr, sizeof(rxperr),
    "unmatched alternator in regexp %s", s);
return (FALSE0);
}
*rp++ = ALT_E(-7);
*alt_ptr = rp - rxpbuf;
*rp++ = GRP_E(-5);
*(rxpbuf + 2) = rp - rxpbuf;
*rp++ = EOT(-3);
*rp = END(-8);
return (TRUE1);
182}

184/*
* match string against compiled regular expression
*/
187int
188rxp_match(const char *s)
189{
return (rxp__match(s, TRUE1, NULL((void *)0), NULL((void *)0), NULL((void *)0)));
1
Calling 'rxp__match'→
191}

193/*
* j_succ : jump here on successful alt match
* j_fail : jump here on failed match
* sp_fail: reset sp to here on failed match
*/
198static int
199rxp__match(const char *s, int first, Rxp_t *j_succ, Rxp_t *j_fail,
         const char *sp_fail)
201{
static Rxp_t *rp;
static const char *sp;
int ch;
Rxp_t *grp_end = NULL((void *)0);
2
←
'grp_end' initialized to a null pointer value→
int err;

if (first2.1
'first' is 1
1
'first' is 0
) {
3
←
Taking true branch→
9
←
Taking false branch→
rp = rxpbuf;
sp = s;
}
while (rp < rxpbuf + RXP_LINE_SZ8192 && *rp != END(-8))
4
←
Assuming the condition is true→
5
←
Loop condition is true.  Entering loop body→
10
←
Assuming the condition is true→
11
←
Loop condition is true.  Entering loop body→
17
←
Dereference of null pointer (loaded from variable 'rp')
switch(*rp) {
6
←
Control jumps to 'case -6:'  at line 238→
12
←
Control jumps to 'case -7:'  at line 244→
case LIT(-1):
	rp++;
	ch = isascii(*rp) && isupper(*rp) ? tolower(*rp) : *rp;
	if (ch != *sp++) {
		rp = j_fail;
		sp = sp_fail;
		return (TRUE1);
	}
	rp++;
	break;
case SOT(-2):
	if (sp != s)
		return (FALSE0);
	rp++;
	break;
case EOT(-3):
	if (*sp != 0)
		return (FALSE0);
	rp++;
	break;
case GRP_S(-4):
	rp++;
	grp_end = rxpbuf + *rp++;
	break;
case ALT_S(-6):
	rp++;
	if ((err = rxp__match(sp,
8
←
Calling 'rxp__match'→
14
←
Returning from 'rxp__match'→
15
←
Taking false branch→
	    FALSE0, grp_end, rxpbuf + *rp++, sp)) != TRUE1)
7
←
Passing null pointer value via 3rd parameter 'j_succ'→
		return (err);
	break;
16
←
 Execution continues on line 212→
case ALT_E(-7):
	rp = j_succ;
13
←
Null pointer value stored to 'rp'→
	return (TRUE1);
case GRP_E(-5):
default:
	return (FALSE0);
}
return (*rp != END(-8) ? FALSE0 : TRUE1);
252}

254/*
* Reverse engineer the regular expression, by picking first of all alternates.
*/
257char *
258rxp_expand(void)
259{
return (rxp__expand(TRUE1));
261}

263static char *
264rxp__expand(int first)
265{
static char buf[RXP_LINE_SZ8192/2];
static Rxp_t *rp;
static char *bp;
Rxp_t *grp_ptr;
char *err;

if (first) {
rp = rxpbuf;
bp = buf;
}
while (rp < rxpbuf + RXP_LINE_SZ8192 && *rp != END(-8))
switch(*rp) {
case LIT(-1):
	rp++;
	*bp++ = *rp++;
	break;
case GRP_S(-4):
	rp++;
	grp_ptr = rxpbuf + *rp;
	rp++;
	if ((err = rxp__expand(FALSE0)) == NULL((void *)0))
		return (err);
	rp = grp_ptr;
	break;
case ALT_E(-7):
	return (buf);
case ALT_S(-6):
	rp++;
	/* FALLTHROUGH */
case SOT(-2):
case EOT(-3):
case GRP_E(-5):
	rp++;
	break;
default:
	return (NULL((void *)0));
}
if (first) {
if (*rp != END(-8))
	return (NULL((void *)0));
*bp = '\0';
}
return (buf);
309}