Ok, but again the fix should not be there. That function should never be called if value_len == 0.

Just added a second test in the calling function.

On Tue, Jun 4, 2019 at 08:53, Ranier VF <[email protected]> wrote:

> Hi,
> I would not be so sure.
> If value_len is exactly the size: 2
>
> if (data[0] == '\"' && data[value_len - 1] == '\"')
> {
>   data++;
>   value_len -= 2;
>   len -= 2;
> }
>
> So, when value_len -= 2; is executed, what is the final size?
> value_len is zero and "if (*value_max_size < value_len)" fails!
>
> Best regards,
> Ranier Vilela
> ________________________________________
> From: Antonio Scuri <[email protected]>
> Sent: Tuesday, June 4, 2019 11:29
> To: IUP discussion list.
> Subject: Re: [Iup-users] CID 210668 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
>
> If you analyze the calling function that should never fail.
>
> On Tue, Jun 4, 2019 at 08:24, Ranier VF <[email protected]> wrote:
> Hi,
> And what happens if "if (*value_max_size < value_len)" fails and
> realloc is not called?
>
> Best regards,
> Ranier Vilela
>
> ________________________________________
> From: Antonio Scuri <[email protected]>
> Sent: Tuesday, June 4, 2019 11:09
> To: IUP discussion list.
> Subject: Re: [Iup-users] CID 210668 (#1 of 1): Explicit null dereferenced (FORWARD_NULL)
>
> The realloc function does the malloc job. And it will only increase the
> size of the value pointer when necessary.
>
> Best,
> Scuri
>
> On Mon, Jun 3, 2019 at 22:29, Ranier VF <[email protected]> wrote:
> Hi,
> Sorry but can't understand the logic.
> iupmatex_clipboard.c
> line 505, call function:
>
> value = iMatrixExStrCopyData(value, &value_max_size, data, value_len);
>
> iMatrixExStrCopyData, call memcpy with value without malloc?
>
> static char* iMatrixExStrCopyData(char* value, int *value_max_size, const char* data, int value_len)
> {
>   if (*value_max_size < value_len) /* if fail, memcpy destroy memory pointer */
>   {
>     *value_max_size = value_len+10;
>     value = realloc(value, *value_max_size);
>   }
>   memcpy(value, data, value_len);
>   value[value_len] = 0;
>   return value;
> }
>
> Best regards,
> Ranier Vilela
_______________________________________________
Iup-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/iup-users
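
Added example, not part of the original message or of the IUP sources: a hardened variant of the quoted copy routine that stays defined when value is NULL and value_len is 0, the case debated in the thread. The name str_copy_data_checked, the driver, and the reading of *value_max_size as the allocated byte count are assumptions.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical hardened variant of the quoted iMatrixExStrCopyData.
 * Assumption: *value_max_size is the allocated size of value in bytes
 * (0 while value is NULL). Returns NULL on bad input or failed realloc;
 * the caller's old buffer is then untouched and still owned by the caller. */
static char* str_copy_data_checked(char* value, int* value_max_size,
                                   const char* data, int value_len)
{
  if (!value_max_size || value_len < 0 || value_len > INT_MAX - 10)
    return NULL;
  if (value_len > 0 && !data)
    return NULL;

  /* The buffer must hold value_len bytes plus the terminator, so grow on
   * "<=" rather than "<". This also covers NULL with value_len == 0. */
  if (!value || *value_max_size <= value_len)
  {
    int new_size = value_len + 10;
    char* grown = realloc(value, (size_t)new_size);
    if (!grown)
      return NULL;
    value = grown;
    *value_max_size = new_size;
  }
  if (value_len > 0)
    memcpy(value, data, (size_t)value_len);
  value[value_len] = 0;
  return value;
}

/* Constructed driver: a cell holding only two quote characters shrinks to
 * length 0 once the caller strips them, as in the snippet quoted above. */
static int demo_empty_quoted_cell(void)
{
  const char* data = "\"\"";
  int value_len = 2, value_max_size = 0, ok;
  char* value = NULL;
  if (data[0] == '\"' && data[value_len - 1] == '\"')
  {
    data++;
    value_len -= 2;
  }
  value = str_copy_data_checked(value, &value_max_size, data, value_len);
  ok = value && value[0] == 0 && value_max_size == 10;
  free(value);
  return ok;
}
int main(void) { return demo_empty_quoted_cell() ? 0 : 1; }
```

With the quoted "<" comparison, a later call whose value_len equals the recorded size would skip realloc and place the terminator one byte past the buffer, under the same assumption about *value_max_size.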
