Source Joachim Nilsson:
Found by Coverity Scan. The popbuf() function iterated over a list to
find a wp pointer, then sent it to showbuffer() which immediately went
ahead and dereferenced it. This patch simply adds a NULL pointer check
before calling showbuffer(); if NULL, then just return NULL to callee.
The missing NULL check is actually referenced in a comment a few lines
earlier in the code. ok?
-lum
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/mg/buffer.c,v
retrieving revision 1.101
diff -u -p -u -p -r1.101 buffer.c
--- buffer.c 31 Aug 2016 12:22:28 -0000 1.101
+++ buffer.c 6 Sep 2016 17:04:22 -0000
@@ -713,12 +713,16 @@ popbuf(struct buffer *bp, int flags)
while (wp != NULL && wp == curwp)
wp = wp->w_wndp;
- } else
+ } else {
for (wp = wheadp; wp != NULL; wp = wp->w_wndp)
if (wp->w_bufp == bp) {
wp->w_rflag |= WFFULL | WFFRAME;
return (wp);
}
+ }
+ if (!wp)
+ return (NULL);
+
if (showbuffer(bp, wp, WFFULL) != TRUE)
return (NULL);
return (wp);
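
Review bot: the added `if (!wp)` test should be written `if (wp == NULL)`, matching the explicit `wp != NULL` comparisons in the while and for loops just above it in this hunk. Note also that the for loop in the else branch returns as soon as it finds a match, so it can only fall through with wp == NULL; with this check in place, showbuffer() is reachable only from the first branch, and a one-line comment above the check saying so would spare the next reader from working it out. Returning NULL here is consistent with the existing `return (NULL);` on showbuffer() failure, so callers see the same failure value on both paths.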