/usr/src/usr.bin/vi/build/../common/delete.c

Bug Summary

File:	src/usr.bin/vi/build/../common/delete.c
Warning:	line 111, column 3 Null pointer passed as 1st argument to memory copy function

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name delete.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/vi/build/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/vi/build -I /usr/src/usr.bin/vi/build/../include -I . -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/vi/build/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/vi/build/../common/delete.c

1/*	$OpenBSD: delete.c,v 1.12 2017/11/26 09:59:41 mestre Exp $	*/
2 
3/*-
4 * Copyright (c) 1992, 1993, 1994
5 *	The Regents of the University of California.  All rights reserved.
6 * Copyright (c) 1992, 1993, 1994, 1995, 1996
7 *	Keith Bostic.  All rights reserved.
8 *
9 * See the LICENSE file for redistribution information.
10 */
11 
12#include "config.h"
13 
14#include <sys/types.h>
15#include <sys/queue.h>
16 
17#include <bitstring.h>
18#include <errno(*__errno()).h>
19#include <stdint.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23 
24#include "common.h"
25 
26/*
27 * del --
28 *	Delete a range of text.
29 *
30 * PUBLIC: int del(SCR *, MARK *, MARK *, int);
31 */
32int
33del(SCR *sp, MARK *fm, MARK *tm, int lmode)
34{
35	recno_t lno;
36	size_t blen, len, nlen, tlen;
37	char *bp, *p;
38	int eof, rval;
39 
40	bp = NULL((void *)0);
41 
42	/* Case 1 -- delete in line mode. */
43	if (lmode) {
1
Assuming 'lmode' is 0→
2
←
Taking false branch→
44		for (lno = tm->lno; lno >= fm->lno; --lno) {
45			if (db_delete(sp, lno))
46				return (1);
47			++sp->rptlines[L_DELETED2];
48			if (lno % INTERRUPT_CHECK100 == 0 && INTERRUPTED(sp)(((((sp)->gp)->flags) & ((0x0004))) || (!v_event_get
((sp), ((void *)0), 0, 0x001) && ((((sp)->gp)->
flags) & ((0x0004))))))
49				break;
50		}
51		goto done;
52	}
53 
54	/*
55	 * Case 2 -- delete to EOF.  This is a special case because it's
56	 * easier to pick it off than try and find it in the other cases.
57 	 */
58	if (db_last(sp, &lno))
3
←
Assuming the condition is false→
4
←
Taking false branch→
59		return (1);
60	if (tm->lno >= lno) {
5
←
Assuming 'lno' is > field 'lno'→
6
←
Taking false branch→
61		if (tm->lno == lno) {
62			if (db_get(sp, lno, DBG_FATAL0x001, &p, &len))
63				return (1);
64			eof = tm->cno != -1 && tm->cno >= len ? 1 : 0;
65		} else
66			eof = 1;
67		if (eof) {
68			for (lno = tm->lno; lno > fm->lno; --lno) {
69				if (db_delete(sp, lno))
70					return (1);
71				++sp->rptlines[L_DELETED2];
72				if (lno %
73				    INTERRUPT_CHECK100 == 0 && INTERRUPTED(sp)(((((sp)->gp)->flags) & ((0x0004))) || (!v_event_get
((sp), ((void *)0), 0, 0x001) && ((((sp)->gp)->
flags) & ((0x0004))))))
74					break;
75			}
76			if (db_get(sp, fm->lno, DBG_FATAL0x001, &p, &len))
77				return (1);
78			GET_SPACE_RET(sp, bp, blen, fm->cno){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((fm->cno)) > ((blen))) { if ((L__bincp = binc(((sp)), (
(bp)), &((blen)), ((fm->cno)))) == ((void *)0)) return
 (1); ((bp)) = L__bincp; } }; } else { { void *L__bincp; if (
((fm->cno)) > (L__gp->tmp_blen)) { if ((L__bincp = binc
(((sp)), (L__gp->tmp_bp), &(L__gp->tmp_blen), ((fm->
cno)))) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp
; } }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (
((L__gp)->flags) |= ((0x0100))); } };
79			memcpy(bp, p, fm->cno);
80			if (db_set(sp, fm->lno, bp, fm->cno))
81				return (1);
82			goto done;
83		}
84	}
85 
86	/* Case 3 -- delete within a single line. */
87	if (tm->lno == fm->lno) {
7
←
Assuming 'tm->lno' is not equal to 'fm->lno'→
8
←
Taking false branch→
88		if (db_get(sp, fm->lno, DBG_FATAL0x001, &p, &len))
89			return (1);
90		if (len != 0) {
91			GET_SPACE_RET(sp, bp, blen, len){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((len)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp)),
 &((blen)), ((len)))) == ((void *)0)) return (1); ((bp)) =
 L__bincp; } }; } else { { void *L__bincp; if (((len)) > (
L__gp->tmp_blen)) { if ((L__bincp = binc(((sp)), (L__gp->
tmp_bp), &(L__gp->tmp_blen), ((len)))) == ((void *)0))
 return (1); (L__gp->tmp_bp) = L__bincp; } }; (bp) = L__gp
->tmp_bp; (blen) = L__gp->tmp_blen; (((L__gp)->flags
) |= ((0x0100))); } };
92			if (fm->cno != 0)
93				memcpy(bp, p, fm->cno);
94			memcpy(bp + fm->cno, p + (tm->cno + 1), len - (tm->cno + 1));
95			if (db_set(sp, fm->lno,
96			    bp, len - ((tm->cno - fm->cno) + 1)))
97				goto err;
98			goto done;
99		}
100	}
101 
102	/*
103	 * Case 4 -- delete over multiple lines.
104	 *
105	 * Copy the start partial line into place.
106	 */
107	if ((tlen = fm->cno) != 0) {
9
←
Assuming the condition is true→
10
←
Taking true branch→
108		if (db_get(sp, fm->lno, DBG_FATAL0x001, &p, NULL((void *)0)))
11
←
Assuming the condition is false→
12
←
Taking false branch→
109			return (1);
110		GET_SPACE_RET(sp, bp, blen, tlen + 256){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((tlen + 256)) > ((blen))) { if ((L__bincp = binc(((sp)), (
(bp)), &((blen)), ((tlen + 256)))) == ((void *)0)) return
 (1); ((bp)) = L__bincp; } }; } else { { void *L__bincp; if (
((tlen + 256)) > (L__gp->tmp_blen)) { if ((L__bincp = binc
(((sp)), (L__gp->tmp_bp), &(L__gp->tmp_blen), ((tlen
 + 256)))) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp
; } }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (
((L__gp)->flags) |= ((0x0100))); } };
13
←
Assuming 'sp' is equal to null→
14
←
'?' condition is true→
15
←
Null pointer value stored to 'bp'→
16
←
Assuming the condition is false→
17
←
Taking false branch→
111		memcpy(bp, p, tlen);
18
←
Null pointer passed as 1st argument to memory copy function
112	}
113 
114	/* Copy the end partial line into place. */
115	if (db_get(sp, tm->lno, DBG_FATAL0x001, &p, &len))
116		goto err;
117	if (len != 0 && tm->cno != len - 1) {
118		if (len < tm->cno + 1 || len - (tm->cno + 1) > SIZE_MAX0xffffffffffffffffUL - tlen) {
119			msgq(sp, M_ERR, "Line length overflow");
120			goto err;
121		}
122		nlen = (len - (tm->cno + 1)) + tlen;
123		if (tlen == 0) {
124			GET_SPACE_RET(sp, bp, blen, nlen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((nlen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp))
, &((blen)), ((nlen)))) == ((void *)0)) return (1); ((bp)
) = L__bincp; } }; } else { { void *L__bincp; if (((nlen)) >
 (L__gp->tmp_blen)) { if ((L__bincp = binc(((sp)), (L__gp->
tmp_bp), &(L__gp->tmp_blen), ((nlen)))) == ((void *)0)
) return (1); (L__gp->tmp_bp) = L__bincp; } }; (bp) = L__gp
->tmp_bp; (blen) = L__gp->tmp_blen; (((L__gp)->flags
) |= ((0x0100))); } };
125		} else
126			ADD_SPACE_RET(sp, bp, blen, nlen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) { (((L__gp)->flags) &= ~((0x0100))); { void *L__bincp
; if (((nlen)) > (L__gp->tmp_blen)) { if ((L__bincp = binc
(((sp)), (L__gp->tmp_bp), &(L__gp->tmp_blen), ((nlen
)))) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp
; } }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (
((L__gp)->flags) |= ((0x0100))); } else { void *L__bincp; if
 (((nlen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp
)), &((blen)), ((nlen)))) == ((void *)0)) return (1); ((bp
)) = L__bincp; } }; };
127 
128		memcpy(bp + tlen, p + (tm->cno + 1), len - (tm->cno + 1));
129		tlen += len - (tm->cno + 1);
130	}
131 
132	/* Set the current line. */
133	if (db_set(sp, fm->lno, bp, tlen))
134		goto err;
135 
136	/* Delete the last and intermediate lines. */
137	for (lno = tm->lno; lno > fm->lno; --lno) {
138		if (db_delete(sp, lno))
139			goto err;
140		++sp->rptlines[L_DELETED2];
141		if (lno % INTERRUPT_CHECK100 == 0 && INTERRUPTED(sp)(((((sp)->gp)->flags) & ((0x0004))) || (!v_event_get
((sp), ((void *)0), 0, 0x001) && ((((sp)->gp)->
flags) & ((0x0004))))))
142			break;
143	}
144 
145done:	rval = 0;
146	if (0)
147err:		rval = 1;
148	if (bp != NULL((void *)0))
149		FREE_SPACE(sp, bp, blen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) (((L__gp)->flags) &= ~((0x0100))); else free(bp); };
150	return (rval);
151}