On Tue, Sep 06, 2016 at 05:10:39PM +0000, Mark Lumsden wrote:
> Source Joachim Nilsson:
>
> Found by Coverity Scan. The popbuf() function iterated over a list to
> find a wp pointer, then sent it to showbuffer() which immediately went
> ahead and dereferenced it. This patch simply adds a NULL pointer check
> before calling showbuffer(), if NULL then just return NULL to callee.
>
> The missing NULL check is actually referenced in a comment a few lines
> earlier in the code. ok?
>
> -lum
>
I tested the diff and that's OK awolk@ with a slight suggestion to also
grab the for loop with { } since you are already adding it for the
dangling else.
> Index: buffer.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/mg/buffer.c,v
> retrieving revision 1.101
> diff -u -p -u -p -r1.101 buffer.c
> --- buffer.c 31 Aug 2016 12:22:28 -0000 1.101
> +++ buffer.c 6 Sep 2016 17:04:22 -0000
> @@ -713,12 +713,16 @@ popbuf(struct buffer *bp, int flags)
>
> while (wp != NULL && wp == curwp)
> wp = wp->w_wndp;
> - } else
> + } else {
> for (wp = wheadp; wp != NULL; wp = wp->w_wndp)
> if (wp->w_bufp == bp) {
> wp->w_rflag |= WFFULL | WFFRAME;
> return (wp);
> }
> + }
> + if (!wp)
> + return (NULL);
> +
> if (showbuffer(bp, wp, WFFULL) != TRUE)
> return (NULL);
> return (wp);
>
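Review bot: The added "if (!wp)" test uses implicit negation, while the while and for conditions in this same hunk spell the comparison out as "wp != NULL"; write it as "if (wp == NULL)" to match. Also, the for loop in the else branch returns on a match and otherwise ends only when wp is NULL, so that path now always stops at the new check and never reaches showbuffer(). Only the while loop in the first branch can pass a non-NULL wp through. A "return (NULL);" placed directly after the for loop, or a one-line comment above the new check, would make that explicit. Bracing the for body as well, as the reply suggests, would make the nesting under the new else block unambiguous.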