GNOME Bugzilla – Bug 705399
Dereferenced after NULL check
Last modified: 2013-08-04 15:32:28 UTC
In file: https://git.gnome.org/browse/libxml2/tree/parserInternals.c
Function: xmlParserAddNodeInfo

At line 1985:

    if ((pos < ctxt->node_seq.length) &&
        (ctxt->node_seq.buffer != NULL) &&
        (ctxt->node_seq.buffer[pos].node == info->node)) {
        ctxt->node_seq.buffer[pos] = *info;
    }

In the above if condition, [ ctxt->node_seq.buffer != NULL ] means the value ctxt->node_seq.buffer can be NULL. Take this if condition as false.

Now at line 1992, in the else branch:

    else {
        if (ctxt->node_seq.length + 1 > ctxt->node_seq.maximum) {
            --- Some code ---
        }

Take this if condition as false.

Again at line 2018:

    if (pos != ctxt->node_seq.length) {
        unsigned long i;

        for (i = ctxt->node_seq.length; i > pos; i--)
            ctxt->node_seq.buffer[i] = ctxt->node_seq.buffer[i - 1];
    }

Taking this if condition as true, ctxt->node_seq.buffer is dereferenced. As it is NULL, this may lead to a crash.
Actually, if the buffer is NULL, then the maximum ought to be 0 and the test at line 1992 must be true in all cases, but to clarify the situation and force the buffer allocation it is better to make the test explicit. I committed ff76eb28c75451bc56e3b93f44dac155ca29e7f5 to git, which should get your static analysis tool to stop complaining :-) Daniel
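As an added example (not libxml2's code, and not written by anyone in this bug), here is a simplified, self-contained C model of the node_seq insertion logic discussed above, with the growth test written the way the fix makes it: allocate when the buffer is NULL, not only when length + 1 > maximum. The struct and function names (NodeInfo, NodeSeq, seq_find_index, seq_add_node_info, the two demo functions), the extra length guard, and the sample inserts are this example's own assumptions and constructed data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for xmlParserNodeInfo / xmlParserNodeInfoSeq (names and fields
 * are this example's own, not libxml2's). */
typedef struct { const void *node; unsigned long begin_pos; } NodeInfo;
typedef struct { unsigned long maximum, length; NodeInfo *buffer; } NodeSeq;

/* Binary search by node address, in the style of xmlParserFindNodeInfoIndex:
 * index of the match, or the sorted insertion point. Reads buffer only when
 * length > 0, so a NULL buffer with length 0 is never dereferenced here. */
static unsigned long seq_find_index(const NodeSeq *seq, const void *node)
{
    uintptr_t key = (uintptr_t)node, cur;
    unsigned long lower = 1, upper = seq->length, middle = 0;

    while (lower <= upper) {
        middle = lower + (upper - lower) / 2;
        cur = (uintptr_t)seq->buffer[middle - 1].node;
        if (key == cur)
            break;
        if (key < cur)
            upper = middle - 1;
        else
            lower = middle + 1;
    }
    if (middle == 0 || (uintptr_t)seq->buffer[middle - 1].node < key)
        return middle;
    return middle - 1;
}

/* Insert or replace *info, keeping seq sorted. The growth test is the
 * explicit form the fix introduces: allocate when buffer is NULL, not only
 * when length + 1 > maximum, so the shift loop and the store below never
 * touch a NULL buffer even if maximum is stale. 0 on success, -1 on failure. */
int seq_add_node_info(NodeSeq *seq, const NodeInfo *info)
{
    unsigned long pos, i;

    if (seq == NULL || info == NULL)
        return -1;
    /* Extra guard (this example's, not libxml2's): a NULL buffer claiming
     * length > 0 would make the search dereference NULL. */
    if (seq->buffer == NULL && seq->length != 0)
        return -1;

    pos = seq_find_index(seq, info->node);
    if (pos < seq->length && seq->buffer != NULL &&
        seq->buffer[pos].node == info->node) {
        seq->buffer[pos] = *info;       /* already recorded: update in place */
        return 0;
    }

    if (seq->length + 1 > seq->maximum || seq->buffer == NULL) {
        unsigned long new_max = (seq->maximum == 0 ? 2 : seq->maximum) * 2;
        NodeInfo *tmp = realloc(seq->buffer, new_max * sizeof *tmp);
        if (tmp == NULL)                /* realloc(NULL, n) acts as malloc(n) */
            return -1;
        seq->buffer = tmp;
        seq->maximum = new_max;
    }

    for (i = seq->length; i > pos; i--)  /* open slot pos; buffer non-NULL */
        seq->buffer[i] = seq->buffer[i - 1];
    seq->buffer[pos] = *info;
    seq->length++;
    return 0;
}

/* The state the analyzer reasoned about, constructed on purpose: buffer NULL
 * while maximum claims free slots. Returns 1 if the insert still allocates. */
int demo_stale_maximum(void)
{
    NodeSeq seq = { 4, 0, NULL };
    NodeInfo info = { &seq, 7 };
    int ok = seq_add_node_info(&seq, &info) == 0 && seq.buffer != NULL &&
             seq.length == 1 && seq.buffer[0].begin_pos == 7;
    free(seq.buffer);
    return ok;
}

/* Three nodes inserted out of address order, then one re-added with a new
 * begin_pos. Returns the final length, 3 (sorted, no duplicate), or -1. */
long demo_sorted_insert(void)
{
    static int nodes[3];                /* three distinct ascending addresses */
    NodeSeq seq = { 0, 0, NULL };
    NodeInfo a = { &nodes[2], 30 }, b = { &nodes[0], 10 };
    NodeInfo c = { &nodes[1], 20 }, c2 = { &nodes[1], 25 };
    long result = -1;

    if (seq_add_node_info(&seq, &a) == 0 && seq_add_node_info(&seq, &b) == 0 &&
        seq_add_node_info(&seq, &c) == 0 && seq_add_node_info(&seq, &c2) == 0 &&
        seq.length == 3 && seq.buffer[0].node == &nodes[0] &&
        seq.buffer[1].node == &nodes[1] && seq.buffer[2].node == &nodes[2] &&
        seq.buffer[1].begin_pos == 25)
        result = (long)seq.length;
    free(seq.buffer);
    return result;
}

int main(void)
{
    printf("stale maximum handled: %d\n", demo_stale_maximum());
    printf("sorted insert length:  %ld\n", demo_sorted_insert());
    return 0;
}
```

In demo_stale_maximum the sequence starts with buffer NULL and maximum 4, which is exactly the combination the analyzer assumed: with only the length + 1 > maximum test, no allocation would happen and the final store at pos 0 would write through NULL (the shift loop itself is skipped there because pos == length). With the explicit buffer == NULL test the allocation branch is forced, as Daniel's comment describes.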
Thanks for the clarification Daniel.