Bug Summary

File: src/bin/ksh/c_test.c
Warning: line 118, column 6
Null pointer passed as 1st argument to string comparison function

Annotated Source Code


clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name c_test.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/bin/ksh/obj -resource-dir /usr/local/llvm16/lib/clang/16 -D EMACS -D VI -I . -I /usr/src/bin/ksh -I /usr/src/bin/ksh/../../lib/libc/gen -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/bin/ksh/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/bin/ksh/c_test.c
/* $OpenBSD: c_test.c,v 1.28 2023/06/10 07:24:21 op Exp $ */

/*
 * test(1); version 7-like -- author Erik Baalbergen
 * modified by Eric Gisin to be used as built-in.
 * modified by Arnold Robbins to add SVR3 compatibility
 * (-x -c -b -p -u -g -k) plus Korn's -L -nt -ot -ef and new -S (socket).
 * modified by Michael Rendell to add Korn's [[ .. ]] expressions.
 * modified by J.T. Conklin to add POSIX compatibility.
 */

12#include <sys/stat.h>
13
14#include <string.h>
15#include <unistd.h>
16
17#include "sh.h"
18#include "c_test.h"
19
/* test(1) accepts the following grammar:
	oexpr	::= aexpr | aexpr "-o" oexpr ;
	aexpr	::= nexpr | nexpr "-a" aexpr ;
	nexpr	::= primary | "!" nexpr ;
	primary	::= unary-operator operand
		| operand binary-operator operand
		| operand
		| "(" oexpr ")"
		;

	unary-operator ::= "-a"|"-r"|"-w"|"-x"|"-e"|"-f"|"-d"|"-c"|"-b"|"-p"|
			   "-u"|"-g"|"-k"|"-s"|"-t"|"-z"|"-n"|"-o"|"-O"|"-G"|
			   "-L"|"-h"|"-S"|"-H";

	binary-operator ::= "="|"=="|"!="|"-eq"|"-ne"|"-ge"|"-gt"|"-le"|"-lt"|
			    "-nt"|"-ot"|"-ef"|"<"|">"
			    ;
	operand ::= <any thing>
*/

#define T_ERR_EXIT2	2	/* POSIX says > 1 for errors */

/*
 * One operator spelling and the Test_op code it selects.
 * op_text holds at most three characters plus the terminating NUL
 * (the longest spellings in the tables below are "-eq"-style).
 */
struct t_op {
	char	op_text[4];
	Test_op	op_num;
};

/*
 * Unary operators.  The entry with an empty op_text is the sentinel
 * that stops the lookup loop in test_isop().
 */
static const struct t_op u_ops[] = {
	{ "-a",	TO_FILAXST },
	{ "-b",	TO_FILBDEV },
	{ "-c",	TO_FILCDEV },
	{ "-d",	TO_FILID },
	{ "-e",	TO_FILEXST },
	{ "-f",	TO_FILREG },
	{ "-G",	TO_FILGID },
	{ "-g",	TO_FILSETG },
	{ "-h",	TO_FILSYM },	/* same code as -L */
	{ "-H",	TO_FILCDF },
	{ "-k",	TO_FILSTCK },
	{ "-L",	TO_FILSYM },	/* same code as -h */
	{ "-n",	TO_STNZE },
	{ "-O",	TO_FILUID },
	{ "-o",	TO_OPTION },
	{ "-p",	TO_FILFIFO },
	{ "-r",	TO_FILRD },
	{ "-s",	TO_FILGZ },
	{ "-S",	TO_FILSOCK },
	{ "-t",	TO_FILTT },
	{ "-u",	TO_FILSETU },
	{ "-w",	TO_FILWR },
	{ "-x",	TO_FILEX },
	{ "-z",	TO_STZER },
	{ "",	TO_NONOP }	/* sentinel */
};

/*
 * Binary operators.  "=" and "==" map to the same code.  As above, the
 * empty op_text entry terminates the table.
 */
static const struct t_op b_ops[] = {
	{ "=",	 TO_STEQL },
	{ "==",	 TO_STEQL },
	{ "!=",	 TO_STNEQ },
	{ "<",	 TO_STLT },
	{ ">",	 TO_STGT },
	{ "-eq", TO_INTEQ },
	{ "-ne", TO_INTNE },
	{ "-gt", TO_INTGT },
	{ "-ge", TO_INTGE },
	{ "-lt", TO_INTLT },
	{ "-le", TO_INTLE },
	{ "-ef", TO_FILEQ },
	{ "-nt", TO_FILNT },
	{ "-ot", TO_FILOT },
	{ "",	 TO_NONOP }	/* sentinel */
};
90
/* Forward declarations for the file-local helpers defined below. */
static int	 test_eaccess(const char *path, int amode);
static int	 test_oexpr(Test_env *te, int do_eval);
static int	 test_aexpr(Test_env *te, int do_eval);
static int	 test_nexpr(Test_env *te, int do_eval);
static int	 test_primary(Test_env *te, int do_eval);
/* Callbacks installed into Test_env by c_test() for plain test / [ .. ]. */
static int	 ptest_isa(Test_env *te, Test_meta meta);
static const char *ptest_getopnd(Test_env *te, Test_op op, int do_eval);
static int	 ptest_eval(Test_env *te, Test_op op, const char *opnd1,
		    const char *opnd2, int do_eval);
static void	 ptest_error(Test_env *te, int offset, const char *msg);
101
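/*
 * Entry point of the test / [ built-in.
 *
 * wp is the NULL-terminated argument vector; wp[0] is the command name
 * and is compared against "[" to decide whether a closing "]" is
 * required.  Returns 0 when the expression is true, 1 when it is false
 * and T_ERR_EXIT2 on a usage or evaluation error.
 *
 * Static-analyzer finding (c_test.c line 118, column 6): "Null pointer
 * passed as 1st argument to string comparison function".  The reported
 * path assumes wp[0] is NULL, so the counting loop ends with argc == 0
 * and strcmp(wp[0], "[") dereferences a null pointer.  Whether any
 * caller can really pass an empty vector is not visible in this file;
 * the argc == 0 check below is a defensive guard that closes the path.
 */
int
c_test(char **wp)
{
	int argc;
	int res;
	Test_env te;

	te.flags = 0;
	te.isa = ptest_isa;
	te.getopnd = ptest_getopnd;
	te.eval = ptest_eval;
	te.error = ptest_error;

	/* Count the arguments; on the analyzer's path wp[0] is NULL here. */
	for (argc = 0; wp[argc]; argc++)
		;

	/* No command name at all: refuse instead of passing NULL to strcmp(). */
	if (argc == 0)
		return T_ERR_EXIT2;

	if (strcmp(wp[0], "[") == 0) {
		/* argc >= 1 here, so wp[--argc] is always a valid string. */
		if (strcmp(wp[--argc], "]") != 0) {
			bi_errorf("missing ]");
			return T_ERR_EXIT2;
		}
	}

	/* Operands are wp[1] .. wp[argc - 1]; a trailing "]" is excluded. */
	te.pos.wp = wp + 1;
	te.wp_end = wp + argc;

	/*
	 * Handle the special cases from POSIX.2, section 4.62.4.
	 * Implementation of all the rules isn't necessary since
	 * our parser does the right thing for the omitted steps.
	 */
	if (argc <= 5) {
		char **owp = wp;
		int invert = 0;		/* number of leading "!" consumed */
		Test_op op;
		const char *opnd1, *opnd2;

		/* After each decrement argc is the number of operands left. */
		while (--argc >= 0) {
			/* Nothing left to evaluate: the expression is false. */
			if ((*te.isa)(&te, TM_END))
				return !0;
			if (argc == 3) {
				opnd1 = (*te.getopnd)(&te, TO_NONOP, 1);
				if ((op = (Test_op) (*te.isa)(&te, TM_BINOP))) {
					opnd2 = (*te.getopnd)(&te, op, 1);
					res = (*te.eval)(&te, op, opnd1,
					    opnd2, 1);
					if (te.flags & TEF_ERROR)
						return T_ERR_EXIT2;
					/* An odd number of "!" negates the result. */
					if (invert & 1)
						res = !res;
					return !res;
				}
				/* back up to opnd1 */
				te.pos.wp--;
			}
			if (argc == 1) {
				/* A lone operand is true when it is non-empty. */
				opnd1 = (*te.getopnd)(&te, TO_NONOP, 1);
				res = (*te.eval)(&te, TO_STNZE, opnd1,
				    NULL, 1);
				if (invert & 1)
					res = !res;
				return !res;
			}
			if ((*te.isa)(&te, TM_NOT)) {
				invert++;
			} else
				break;
		}
		/* No special case applied: rewind and use the full parser. */
		te.pos.wp = owp + 1;
	}

	return test_parse(&te);
}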
175
/*
 * Generic test routines.
 */

/*
 * Look up s in the unary table (meta == TM_UNOP) or, for any other
 * meta, in the binary table.  Returns the matching Test_op, or
 * TO_NONOP when s is empty or is not an operator.  te is not used.
 */
Test_op
test_isop(Test_env *te, Test_meta meta, const char *s)
{
	const struct t_op *entry;
	char second;

	if (*s == '\0')
		return TO_NONOP;

	/* Compare the second character first as a cheap pre-filter. */
	second = s[1];
	entry = (meta == TM_UNOP) ? u_ops : b_ops;
	while (entry->op_text[0] != '\0') {
		if (entry->op_text[1] == second &&
		    strcmp(s, entry->op_text) == 0)
			return entry->op_num;
		entry++;
	}
	return TO_NONOP;
}
196
/*
 * Evaluate a single primary.
 *
 * op selects the operator, opnd1 is its (first) operand and opnd2 the
 * second operand of a binary operator.  When do_eval is zero nothing is
 * evaluated and 0 is returned.  Operands are dereferenced without a
 * NULL check, so callers must pass valid strings for the operands the
 * operator uses.  On a numeric conversion failure TEF_ERROR is set in
 * te->flags; an unknown op is reported through te->error.
 *
 * The file predicates answer with access(2)/stat(2)/lstat(2) on a path
 * name at the time of the call.  The file can change before a script
 * acts on the answer, so the result is advisory and should not be the
 * only check guarding a privileged operation.
 */
int
test_eval(Test_env *te, Test_op op, const char *opnd1, const char *opnd2,
    int do_eval)
{
	struct stat b1, b2;
	int value;
	int negate;

	if (!do_eval)
		return 0;

	switch ((int) op) {
	/*
	 * Unary Operators
	 */
	case TO_STNZE: /* -n */
		return *opnd1 != '\0';
	case TO_STZER: /* -z */
		return *opnd1 == '\0';
	case TO_OPTION: /* -o */
		/* A leading '!' asks for the negated option state. */
		negate = (*opnd1 == '!');
		if (negate)
			opnd1++;
		value = option(opnd1);
		if (value < 0)
			return 0;	/* unknown option name */
		value = Flag(value);
		return negate ? !value : value;
	case TO_FILRD: /* -r */
		return test_eaccess(opnd1, R_OK) == 0;
	case TO_FILWR: /* -w */
		return test_eaccess(opnd1, W_OK) == 0;
	case TO_FILEX: /* -x */
		return test_eaccess(opnd1, X_OK) == 0;
	case TO_FILAXST: /* -a */
		return stat(opnd1, &b1) == 0;
	case TO_FILEXST: /* -e */
		/* at&t ksh does not appear to do the /dev/fd/ thing for
		 * this (unless the os itself handles it)
		 */
		return stat(opnd1, &b1) == 0;
	case TO_FILREG: /* -f */
		return stat(opnd1, &b1) == 0 && S_ISREG(b1.st_mode);
	case TO_FILID: /* -d */
		return stat(opnd1, &b1) == 0 && S_ISDIR(b1.st_mode);
	case TO_FILCDEV: /* -c */
		return stat(opnd1, &b1) == 0 && S_ISCHR(b1.st_mode);
	case TO_FILBDEV: /* -b */
		return stat(opnd1, &b1) == 0 && S_ISBLK(b1.st_mode);
	case TO_FILFIFO: /* -p */
		return stat(opnd1, &b1) == 0 && S_ISFIFO(b1.st_mode);
	case TO_FILSYM: /* -h -L */
		/* lstat() so that the link itself is examined. */
		return lstat(opnd1, &b1) == 0 && S_ISLNK(b1.st_mode);
	case TO_FILSOCK: /* -S */
		return stat(opnd1, &b1) == 0 && S_ISSOCK(b1.st_mode);
	case TO_FILCDF:/* -H HP context dependent files (directories) */
		return 0;
	case TO_FILSETU: /* -u */
		return stat(opnd1, &b1) == 0 &&
		    (b1.st_mode & S_ISUID) == S_ISUID;
	case TO_FILSETG: /* -g */
		return stat(opnd1, &b1) == 0 &&
		    (b1.st_mode & S_ISGID) == S_ISGID;
	case TO_FILSTCK: /* -k */
		return stat(opnd1, &b1) == 0 &&
		    (b1.st_mode & S_ISVTX) == S_ISVTX;
	case TO_FILGZ: /* -s */
		return stat(opnd1, &b1) == 0 && b1.st_size > 0L;
	case TO_FILTT: /* -t */
		/* The operand must parse as a descriptor number. */
		if (!bi_getn(opnd1, &value)) {
			te->flags |= TEF_ERROR;
			return 0;
		}
		return isatty(value);
	case TO_FILUID: /* -O */
		return stat(opnd1, &b1) == 0 && b1.st_uid == ksheuid;
	case TO_FILGID: /* -G */
		return stat(opnd1, &b1) == 0 && b1.st_gid == getegid();
	/*
	 * Binary Operators
	 */
	case TO_STEQL: /* = */
		/* Inside [[ .. ]] the right-hand side is a pattern. */
		if (te->flags & TEF_DBRACKET)
			return gmatch(opnd1, opnd2, false);
		return strcmp(opnd1, opnd2) == 0;
	case TO_STNEQ: /* != */
		if (te->flags & TEF_DBRACKET)
			return !gmatch(opnd1, opnd2, false);
		return strcmp(opnd1, opnd2) != 0;
	case TO_STLT: /* < */
		return strcmp(opnd1, opnd2) < 0;
	case TO_STGT: /* > */
		return strcmp(opnd1, opnd2) > 0;
	case TO_INTEQ: /* -eq */
	case TO_INTNE: /* -ne */
	case TO_INTGE: /* -ge */
	case TO_INTGT: /* -gt */
	case TO_INTLE: /* -le */
	case TO_INTLT: /* -lt */
		{
			int64_t lhs, rhs;

			/* The second operand is not evaluated if the first fails. */
			if (!evaluate(opnd1, &lhs, KSH_RETURN_ERROR, false) ||
			    !evaluate(opnd2, &rhs, KSH_RETURN_ERROR, false)) {
				/* error already printed.. */
				te->flags |= TEF_ERROR;
				return 1;
			}
			/*
			 * The outer case labels restrict op to the six
			 * values handled here, so every path returns.
			 */
			switch ((int) op) {
			case TO_INTEQ:
				return lhs == rhs;
			case TO_INTNE:
				return lhs != rhs;
			case TO_INTGE:
				return lhs >= rhs;
			case TO_INTGT:
				return lhs > rhs;
			case TO_INTLE:
				return lhs <= rhs;
			case TO_INTLT:
				return lhs < rhs;
			}
		}
	case TO_FILNT: /* -nt */
		{
			int s2;
			/* ksh88/ksh93 succeed if file2 can't be stated
			 * (subtly different from `does not exist').
			 */
			if (stat(opnd1, &b1) != 0)
				return 0;
			s2 = stat(opnd2, &b2);
			if (s2 == 0 && b1.st_mtime > b2.st_mtime)
				return 1;
			return s2 < 0;
		}
	case TO_FILOT: /* -ot */
		{
			int s1;
			/* ksh88/ksh93 succeed if file1 can't be stated
			 * (subtly different from `does not exist').
			 */
			if (stat(opnd2, &b2) != 0)
				return 0;
			s1 = stat(opnd1, &b1);
			if (s1 == 0 && b1.st_mtime < b2.st_mtime)
				return 1;
			return s1 < 0;
		}
	case TO_FILEQ: /* -ef */
		/* Same file when device and inode numbers both match. */
		return stat(opnd1, &b1) == 0 && stat(opnd2, &b2) == 0 &&
		    b1.st_dev == b2.st_dev && b1.st_ino == b2.st_ino;
	}
	(*te->error)(te, 0, "internal error: unknown op");
	return 1;
}
349
/*
 * Routine to deal with X_OK on non-directories when running as root.
 *
 * Returns what access(path, amode) returns, except that when the
 * effective uid (ksheuid) is 0 and X_OK was requested, a successful
 * answer for a non-directory is replaced by -1 unless at least one
 * execute bit is set in the file mode.
 *
 * access() and stat() are two separate look-ups of the same name, so
 * the object can change between them; treat the result as a hint.
 */
static int
test_eaccess(const char *path, int amode)
{
	struct stat sb;
	int rc = access(path, amode);

	/*
	 * On most (all?) unixes, access() says everything is executable for
	 * root - avoid this on files by using stat().
	 */
	if (rc != 0 || ksheuid != 0 || !(amode & X_OK))
		return rc;

	if (stat(path, &sb) == -1)
		return -1;
	if (S_ISDIR(sb.st_mode))
		return 0;
	return (sb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) ? 0 : -1;
}
376
/*
 * Parse and evaluate a whole expression through the callbacks in te.
 * Reports leftover tokens as an error.  Returns T_ERR_EXIT2 when
 * TEF_ERROR is set, otherwise 0 for a true expression and 1 for a
 * false one.
 */
int
test_parse(Test_env *te)
{
	int truth = test_oexpr(te, 1);

	/* Anything left after a complete expression is a syntax error. */
	if (!(te->flags & TEF_ERROR) && !(*te->isa)(te, TM_END))
		(*te->error)(te, 0, "unexpected operator/operand");

	if (te->flags & TEF_ERROR)
		return T_ERR_EXIT2;
	return !truth;
}
389
/*
 * oexpr ::= aexpr | aexpr "-o" oexpr
 *
 * Once the left side is true the right side is still parsed, but with
 * do_eval cleared so that its primaries are not evaluated.
 */
static int
test_oexpr(Test_env *te, int do_eval)
{
	int lhs = test_aexpr(te, do_eval);

	if ((te->flags & TEF_ERROR) || !(*te->isa)(te, TM_OR))
		return lhs;
	return test_oexpr(te, lhs ? 0 : do_eval) || lhs;
}
402
/*
 * aexpr ::= nexpr | nexpr "-a" aexpr
 *
 * Once the left side is false the right side is still parsed, but with
 * do_eval cleared so that its primaries are not evaluated.
 */
static int
test_aexpr(Test_env *te, int do_eval)
{
	int lhs = test_nexpr(te, do_eval);

	if ((te->flags & TEF_ERROR) || !(*te->isa)(te, TM_AND))
		return lhs;
	return test_aexpr(te, lhs ? do_eval : 0) && lhs;
}
415
/*
 * nexpr ::= primary | "!" nexpr
 *
 * Each accepted "!" negates the value of the expression that follows.
 */
static int
test_nexpr(Test_env *te, int do_eval)
{
	if ((te->flags & TEF_ERROR) || !(*te->isa)(te, TM_NOT))
		return test_primary(te, do_eval);
	return !test_nexpr(te, do_eval);
}
423
/*
 * primary ::= unary-operator operand
 *           | operand binary-operator operand
 *           | operand
 *           | "(" oexpr ")"
 *
 * Returns the value of the primary, or 0 after an error has been
 * reported through te->error.  Every operand fetched with te->getopnd
 * is checked for NULL before it is handed to te->eval.
 */
static int
test_primary(Test_env *te, int do_eval)
{
	const char *lhs, *rhs;
	Test_op op;
	int value;
	int try_unary;

	if (te->flags & TEF_ERROR)
		return 0;

	if ((*te->isa)(te, TM_OPAREN)) {
		value = test_oexpr(te, do_eval);
		if (te->flags & TEF_ERROR)
			return 0;
		if ((*te->isa)(te, TM_CPAREN))
			return value;
		(*te->error)(te, 0, "missing closing paren");
		return 0;
	}

	/*
	 * Binary should have precedence over unary in this case
	 * so that something like test \( -f = -f \) is accepted
	 */
	try_unary = (te->flags & TEF_DBRACKET) != 0;
	if (!try_unary)
		try_unary = &te->pos.wp[1] < te->wp_end &&
		    !test_isop(te, TM_BINOP, te->pos.wp[1]);
	if (try_unary) {
		op = (Test_op) (*te->isa)(te, TM_UNOP);
		if (op) {
			/* unary expression */
			lhs = (*te->getopnd)(te, op, do_eval);
			if (!lhs) {
				(*te->error)(te, -1, "missing argument");
				return 0;
			}
			return (*te->eval)(te, op, lhs, NULL, do_eval);
		}
	}

	lhs = (*te->getopnd)(te, TO_NONOP, do_eval);
	if (!lhs) {
		(*te->error)(te, 0, "expression expected");
		return 0;
	}

	op = (Test_op) (*te->isa)(te, TM_BINOP);
	if (op) {
		/* binary expression */
		rhs = (*te->getopnd)(te, op, do_eval);
		if (!rhs) {
			(*te->error)(te, -1, "missing second argument");
			return 0;
		}
		return (*te->eval)(te, op, lhs, rhs, do_eval);
	}

	if (te->flags & TEF_DBRACKET) {
		(*te->error)(te, -1, "missing expression operator");
		return 0;
	}

	/* A bare operand is true when it is a non-empty string. */
	return (*te->eval)(te, TO_STNZE, lhs, NULL, do_eval);
}
482
/*
 * Plain test (test and [ .. ]) specific routines.
 */

/* Test if the current token is a whatever.  Accepts the current token if
 * it is.  Returns 0 if it is not, non-zero if it is (in the case of
 * TM_UNOP and TM_BINOP, the returned value is a Test_op).
 * At the end of the operand list the result is whether meta is TM_END.
 */
static int
ptest_isa(Test_env *te, Test_meta meta)
{
	/* Order important - indexed by Test_meta values */
	static const char *const tokens[] = {
		"-o", "-a", "!", "(", ")"
	};
	int matched;

	/* Bounds check first: nothing below reads past wp_end. */
	if (te->pos.wp >= te->wp_end)
		return meta == TM_END;

	if (meta == TM_END)
		matched = 0;
	else if (meta == TM_UNOP || meta == TM_BINOP)
		matched = (int) test_isop(te, meta, *te->pos.wp);
	else
		matched = strcmp(*te->pos.wp, tokens[(int) meta]) == 0;

	/* Accept the token? */
	if (matched)
		te->pos.wp++;

	return matched;
}
516
/*
 * Return the current operand and advance past it, or NULL when the
 * operand list is exhausted.  op and do_eval are not used here.
 */
static const char *
ptest_getopnd(Test_env *te, Test_op op, int do_eval)
{
	return te->pos.wp < te->wp_end ? *te->pos.wp++ : NULL;
}
524
/*
 * Evaluation callback for plain test: forwards every argument
 * unchanged to the generic test_eval() and returns its result.
 */
static int
ptest_eval(Test_env *te, Test_op op, const char *opnd1, const char *opnd2,
    int do_eval)
{
	int result = test_eval(te, op, opnd1, opnd2, do_eval);

	return result;
}
531
/*
 * Error callback for plain test: sets TEF_ERROR and prints msg.
 * When the token at te->pos.wp[offset] lies before wp_end it is
 * printed as a prefix so the user can see which word was rejected.
 */
static void
ptest_error(Test_env *te, int offset, const char *msg)
{
	const char *culprit = NULL;

	/* Only name a token that is inside the operand list. */
	if (te->pos.wp + offset < te->wp_end)
		culprit = te->pos.wp[offset];

	te->flags |= TEF_ERROR;
	if (culprit == NULL) {
		bi_errorf("%s", msg);
		return;
	}
	bi_errorf("%s: %s", culprit, msg);
}
543}