Hi,
we've run a static code analyzer on the ksh sources and it found the following
problems (after cleaning up the obvious false positives). We tested the latest
version available (20110630); since it is quite old now, some of these
problems may no longer be valid or may be at a different position. Do you plan
to release a new (beta) version soon?
Michal
-------------------------------------------------------------
ksh93/bltins/enum.c:
* dereferencing free()d pointer: fp
133: struct Enum *ep = (struct Enum*)fp;
140: free((void*)ep);
141: nv_putv(np, val, flags,fp);
ksh93/bltins/test.c:
* uninitialized value used: statb
646: struct stat statb;
649: return(statb.st_mode);
ksh93/bltins/typeset.c:
* possible wrong malloc size multiplication
913: libattr = (unsigned short*)realloc((void*)liblist,
(maxlib+1)*sizeof(unsigned short*));
sizeof(unsigned short*) instead of sizeof(unsigned short) ?
* possible wrong malloc size multiplication
918: libattr = (unsigned short*)malloc((maxlib+1)*sizeof(unsigned short*));
sizeof(unsigned short*) instead of sizeof(unsigned short) ?
ksh93/edit/emacs.c:
* calling strncpy with a maximum size argument of 80 bytes on
destination array "ep->ed->e_search" of size 80 bytes might leave the
destination string unterminated.
1297: strncpy(lstring,((char*)string)+2,SEARCHSIZE);
ksh93/edit/history.c:
* memory leak: tmpname
474: tmpname = (char*)malloc(strlen(name)+14);
484: (if) tmpname = name; allocated memory lost
499: return hist_ptr = hist_old; but 'tmpname' not free()d
* dereferencing free()d pointer: hp
779: hist_close(hp); // == free(hp)
780: if(!sh_histinit(hp->histshell))
ksh93/edit/vi.c:
* calling strncpy with a maximum size argument of 80 bytes on
destination array "vp->ed->e_search" of size 80 bytes might leave the
destination string unterminated.
2276:strncpy(lsearch, ((char*)virtual)+1, SEARCHSIZE);
ksh93/sh/env.c:
* memory leak: ep
190: if(!(ep = newof((Env_t*)0,Env_t,1,0)))
195: return(0);
ksh93/sh/init.c:
* dereferencing free()d pointer: fp
595: free((void*)fp);
596: nv_putv(np, val, flags, fp);
* uninitialized value used: last
1224: char *last;
1234: if(*last)
* uninitialized value used: shp
1256: Shell_t *shp;
1302: umask(shp->mask=umask(0));
* possible wrong sizeof usage
1772: shgd->stats = (int*)calloc(sizeof(int*),nstat);
the return value of calloc() is cast to (int*), but the element size passed is
sizeof(int*); was sizeof(int) intended?
* dereferencing free()d pointer: fp
2180: free((void*)fp);
2183: nv_putv(np,val,flags,fp);
ksh93/sh/io.c:
* freeing memory that was not allocated (s points at a string literal); strdup() missing?
265: s = "localhost";
270: free(s);
ksh93/sh/jobs.c:
* dereferencing null variable 'csp'
267: for(csp=job.colist; csp; csp = csp->next)
Comparing "csp" to null implies that "csp" might be null.
272: sfprintf(shp->strbuf,"%s.%d%c",csp->name,pid&0xff,0);
ksh93/sh/macro.c:
* memory leak: pattern
1764: pattern = strdup(argp);
1978: return(1); but 'pattern' not free()d
* memory leak: id
1494: id = prefix(mp->shp,id); /* id = strdup( ) */
1978: return(1); but 'id' not free()d
ksh93/sh/name.c:
* buf NULLed on failure, but not free()d
137: buf = (char*)realloc(buf,len);
ksh93/sh/nvtree.c:
* result always false regardless of the values of its operands
466: if((attr&NV_NOPRINT|NV_INTEGER)==NV_NOPRINT)
i.e. ((attr & (4|8)) | 2) == (4|8), which can never hold because the left-hand side always has bit 2 set
ksh93/sh/nvtype.c:
* possible null pointer dereference: np, otherwise it is redundant to
check if np is null
629: if(!np)
631:sfprintf(sfstderr,"%s: no such variable\n",np->nvname);
* memory leak: val
1359: val = strdup(nv_getval(np));
1364: return(0); but 'val' not free()d
ksh93/sh/path.c:
* memory leak: saveargs
190: saveargs = (char**)malloc(n);
205: return(-1); but 'saveargs' not free()d
ksh93/sh/suid_exec.c:
* memory leak: groups
325: groups = (gid_t*)malloc((maxgroups+1)*sizeof(gid_t));
'groups' not free()d
ksh93/sh/xec.c:
* array 'arglist[2]' index 2 out of bounds
3570: char *arglist[2]
3579: arglist[2] = 0;
lib/libast/comp/catopen.c:
* memory leak: cc
108: if (!(cc = newof(0, Cc_t, 1, 0)))
119: return (_ast_nl_catd)(-1); but 'cc' not free()d
lib/libast/comp/getoptl.c:
* memory leak: t
54: t = strdup(optstring);
100: return -1; but 't' not free()d
138: return c; but 't' not free()d
lib/libast/comp/regcmp.c:
* va_end not called for: ap
77: va_start(ap, pattern);
79: return 0;
* va_end not called for: ap
193: va_start(ap, pattern);
195: return 0;
lib/libast/disc/sfdcmore.c:
* memory leak: more
324: if (!(more = (More_t*)malloc(sizeof(More_t) + n)))
368: return 0; but 'more' not free()d
lib/libast/disc/sfkeyprintf.c:
* possible null pointer dereference: a
147: char* a = 0;
190: if (i == ':' && fp->fmt.fmt == 's' && strlen(a) > 4 && !isalnum(*(a + 4)))
lib/libast/hash/hashscan.c:
* possible null pointer dereference: pos
91: if (!pos) return(pos->tab->root->last.bucket = 0);
lib/libast/misc/magic.c:
* possible null pointer dereference: ep
2444: register Entry_t* rp = 0;
2490: ep = rp;
2491: ep->value.lab->mask = 1;
lib/libast/misc/optjoin.c:
* va_end not called for: ap
68: va_start(ap, argv);
82: return 0;
89: return 1;
115: return 1;
lib/libast/misc/stk.c:
* memory leak: 'tp'
460: if(!(tp = malloc(off)))
475: return(0); but 'tp' not free()d
lib/libast/port/astconf.c:
* unbalanced parentheses ('((' vs. ')') when these macros are defined:
'ATT_UNIV;UNIV_MAX'
747: while (n < univ_max && !streq(value, univ_name[n])
lib/libast/port/astquery.c:
* va_end not called for: ap
54: va_start(ap, format);
56: return 0;
63: return -1;
67: return -1;
98: return -1;
103: return 0;
105: return 1;
lib/libast/port/lcgen.c:
* resource leak 'hf'
300: if (!(hf = fopen(hdr, "w")))
308: return 1; but 'hf' not closed
lib/libast/sfio/sfvscanf.c:
* va_end not called for: oargs
371: va_copy(oargs,args);
lib/libast/sfio/sfvprintf.c:
* va_end not called for: oargs
202: va_copy(oargs,args);
lib/libast/stdio/vfwprintf.c:
* memory leak
40: if (m = malloc(n + 1))
64: return v; but 'm' not free()d
lib/libast/string/tokscan.c:
* va_end not called for: prv_ap
235: va_copy(prv_ap, ap);
lib/libcmd/join.c:
* possible null pointer dereference: cp
260: if (!(cp= *argv) || cp[1]!='.' || (*cp!='1' && *cp!='2'))
262: if (*cp=='0' && cp[1]==0)
lib/libcmd/rev.c:
* memory leak: wp
77: if (!(wp = newof(wp, wchar_t, w, 0)))
91: return -1; but 'wp' not free()d
lib/libcmd/wclib.c:
* result always true regardless of the values of its operand
453: while(mbc(c) && ((c|WC_ERR) || (c&7)==0)) (c|0x40L) is always 1/true
lib/libcmd/tty.c:
* unbalanced parentheses ('((' vs. ')))') when this macro is defined:
'_mac_STWLINE'.
94: if (n = ioctl(0, STWLINE, 0)) >= 0)