/usr/src/lib/libc/stdio/fread.c

Bug Summary

File:	src/lib/libc/stdio/fread.c
Warning:	line 102, column 9 Null pointer passed as 1st argument to memory copy function

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name fread.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/lib/libc/obj -resource-dir /usr/local/lib/clang/13.0.0 -include namespace.h -I /usr/src/lib/libc/include -I /usr/src/lib/libc/hidden -D __LIBC__ -D APIWARN -D YP -I /usr/src/lib/libc/yp -I /usr/src/lib/libc -I /usr/src/lib/libc/gdtoa -I /usr/src/lib/libc/arch/amd64/gdtoa -D INFNAN_CHECK -D MULTIPLE_THREADS -D NO_FENV_H -D USE_LOCALE -I /usr/src/lib/libc -I /usr/src/lib/libc/citrus -D RESOLVSORT -D FLOATING_POINT -D PRINTF_WIDE_CHAR -D SCANF_WIDE_CHAR -D FUTEX -D PIC -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/lib/libc/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/lib/libc/stdio/fread.c

1/*	$OpenBSD: fread.c,v 1.19 2018/12/16 15:38:29 millert Exp $ */
2/*-
3 * Copyright (c) 1990, 1993
4 *	The Regents of the University of California.  All rights reserved.
5 *
6 * This code is derived from software contributed to Berkeley by
7 * Chris Torek.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the University nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33 
34#include <stdio.h>
35#include <string.h>
36#include <stdint.h>
37#include <errno(*__errno()).h>
38#include "local.h"
39 
40#define MUL_NO_OVERFLOW(1UL << (sizeof(size_t) * 4))	(1UL << (sizeof(size_t) * 4))
41 
42size_t
43fread(void *buf, size_t size, size_t count, FILE *fp)
44{
45	size_t resid;
46	char *p;
47	int r;
48	size_t total;
49 
50	/*
51	 * Extension:  Catch integer overflow
52	 */
53	if ((size >= MUL_NO_OVERFLOW(1UL << (sizeof(size_t) * 4)) || count >= MUL_NO_OVERFLOW(1UL << (sizeof(size_t) * 4))) &&
1
Assuming the condition is false→
2
←
Assuming the condition is false→
54	    size > 0 && SIZE_MAX0xffffffffffffffffUL / size < count) {
55		errno(*__errno()) = EOVERFLOW87;
56		fp->_flags |= __SERR0x0040;
57		return (0);
58	}
59 
60	/*
61	 * ANSI and SUSv2 require a return value of 0 if size or count are 0.
62	 */
63	if ((resid = count * size) == 0)
3
←
Assuming the condition is false→
4
←
Taking false branch→
64		return (0);
65	FLOCKFILE(fp)do { if (_thread_cb.tc_flockfile != ((void *)0)) _thread_cb.tc_flockfile
(fp); } while (0);
5
←
Assuming field 'tc_flockfile' is equal to null→
6
←
Taking false branch→
7
←
Loop condition is false.  Exiting loop→
66	_SET_ORIENTATION(fp, -1)do { struct wchar_io_data *_wcio = (((struct __sfileext *)((fp
)->_ext._base)) ? &(((struct __sfileext *)((fp)->_ext
._base))->_wcio) : (struct wchar_io_data *)0); if (_wcio &&
 _wcio->wcio_mode == 0) _wcio->wcio_mode = (-1);} while
 (0);
8
←
Assuming field '_base' is null→
9
←
'?' condition is false→
10
←
Loop condition is false.  Exiting loop→
67	if (fp->_r < 0)
11
←
Assuming field '_r' is >= 0→
12
←
Taking false branch→
68		fp->_r = 0;
69	total = resid;
70	p = buf;
13
←
Value assigned to 'p'→
71 
72	/*
73	 * If we're unbuffered we know that the buffer in fp is empty so
74	 * we can read directly into buf.  This is much faster than a
75	 * series of one byte reads into fp->_nbuf.
76	 */
77	if ((fp->_flags & __SNBF0x0002) != 0 && buf != NULL((void *)0)) {
14
←
Assuming the condition is true→
15
←
Assuming 'buf' is equal to NULL→
16
←
Taking false branch→
78		while (resid > 0) {
79			/* set up the buffer */
80			fp->_bf._base = fp->_p = p;
81			fp->_bf._size = resid;
82 
83			if (__srefill(fp)) {
84				/* no more input: return partial result */
85				count = (total - resid) / size;
86				break;
87			}
88			p += fp->_r;
89			resid -= fp->_r;
90		}
91 
92		/* restore the old buffer (see __smakebuf) */
93		fp->_bf._base = fp->_p = fp->_nbuf;
94		fp->_bf._size = 1;
95		fp->_r = 0;
96 
97		FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0);
98		return (count);
99	}
100 
101	while (resid > (r = fp->_r)) {
17
←
Assuming the condition is true→
18
←
Loop condition is true.  Entering loop body→
102		(void)memcpy(p, fp->_p, r);
19
←
Null pointer passed as 1st argument to memory copy function
103		fp->_p += r;
104		/* fp->_r = 0 ... done in __srefill */
105		p += r;
106		resid -= r;
107		if (__srefill(fp)) {
108			/* no more input: return partial result */
109			FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0);
110			return ((total - resid) / size);
111		}
112	}
113	(void)memcpy(p, fp->_p, resid);
114	fp->_r -= resid;
115	fp->_p += resid;
116	FUNLOCKFILE(fp)do { if (_thread_cb.tc_funlockfile != ((void *)0)) _thread_cb
.tc_funlockfile(fp); } while (0);
117	return (count);
118}
119DEF_STRONG(fread)__asm__(".global " "fread" " ; " "fread" " = " "_libc_fread");