Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found
with Coverity Scan.
12 new defect(s) introduced to LibreOffice were found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1680369: Integer handling issues (SIGN_EXTENSION)
/sd/source/core/drawdoc2.cxx: 1705 in
SdDrawDocument::populatePagePreviewsGrid()()
_____________________________________________________________________________________________
*** CID 1680369: Integer handling issues (SIGN_EXTENSION)
/sd/source/core/drawdoc2.cxx: 1705 in
SdDrawDocument::populatePagePreviewsGrid()()
1699 ::tools::Long nPreviewWidth;
1700 ::tools::Long nPreviewHeight;
1701 ::tools::Long nTotalGridWidth;
1702 ::tools::Long nTotalGridHeight;
1703 do
1704 {
>>> CID 1680369: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "nGapWidth" with type "sal_uInt16"
>>> (16 bits, unsigned) is promoted in "(nTotalCol - 1) * nGapWidth" to type
>>> "int" (32 bits, signed), then sign-extended to type "long" (64 bits,
>>> signed). If "(nTotalCol - 1) * nGapWidth" is greater than 0x7FFFFFFF, the
>>> upper bits of the result will all be 1.
1705 nTotalGridWidth = (nTotalCol - 1) * nGapWidth;
1706 nTotalGridHeight = (nTotalRow - 1) * nGapHeight;
1707 nPreviewWidth = (nWidth / nFactor);
1708 nPreviewHeight = (nHeight / nFactor);
1709 nTotalGridWidth += nPreviewWidth * nTotalCol;
1710 nTotalGridHeight += nPreviewHeight * nTotalRow;
** CID 1680368: (INTEGER_OVERFLOW)
/sd/source/core/drawdoc2.cxx: 1645 in
SdDrawDocument::GetOrInsertCanvasPage()()
_____________________________________________________________________________________________
*** CID 1680368: (INTEGER_OVERFLOW)
/sd/source/core/drawdoc2.cxx: 1647 in
SdDrawDocument::GetOrInsertCanvasPage()()
1641 if (!pCanvasPage)
1642 return 0xffff;
1643
1644 // move the canvas page to the top
1645 sal_uInt16 nCanvasPageNum = 2 * nCanvasPageIndex + 1;
1646 MovePage(nCanvasPageNum, 1); // Canvas page
>>> CID 1680368: (INTEGER_OVERFLOW)
>>> "nCanvasPageNum + 1", which might have underflowed, is passed to
>>> "this->SdDrawDocument::MovePage(nCanvasPageNum + 1, 2)".
1647 MovePage(nCanvasPageNum + 1, 2); // Canvas notes page
1648
1649 const Size aCanvasSize(500000, 500000);
1650
1651 ResizeCurrentPage(pCanvasPage, aCanvasSize, PageKind::Standard);
1652 pCanvasPage->SetCanvasPage();
/sd/source/core/drawdoc2.cxx: 1645 in
SdDrawDocument::GetOrInsertCanvasPage()()
1639
1640 SdPage* pCanvasPage = GetSdPage(nCanvasPageIndex,
PageKind::Standard);
1641 if (!pCanvasPage)
1642 return 0xffff;
1643
1644 // move the canvas page to the top
>>> CID 1680368: (INTEGER_OVERFLOW)
>>> Expression "nCanvasPageNum", where "2 * nCanvasPageIndex + 1" is known
>>> to be equal to 65535, overflows the type of "nCanvasPageNum", which is type
>>> "sal_uInt16".
1645 sal_uInt16 nCanvasPageNum = 2 * nCanvasPageIndex + 1;
1646 MovePage(nCanvasPageNum, 1); // Canvas page
1647 MovePage(nCanvasPageNum + 1, 2); // Canvas notes page
1648
1649 const Size aCanvasSize(500000, 500000);
1650
** CID 1680367: Uninitialized members (UNINIT_CTOR)
/sd/source/filter/eppt/pptx-epptbase.cxx: 142 in
PPTWriterBase::PPTWriterBase(const rtl::Reference<SdXImpressDocument> &, const
com::sun::star::uno::Reference<com::sun::star::task::XStatusIndicator> &)()
_____________________________________________________________________________________________
*** CID 1680367: Uninitialized members (UNINIT_CTOR)
/sd/source/filter/eppt/pptx-epptbase.cxx: 142 in
PPTWriterBase::PPTWriterBase(const rtl::Reference<SdXImpressDocument> &, const
com::sun::star::uno::Reference<com::sun::star::task::XStatusIndicator> &)()
136 , maFraction(1, 576)
137 , maMapModeSrc(MapUnit::Map100thMM)
138 , maMapModeDest(MapUnit::MapInch, Point(), maFraction, maFraction)
139 , meLatestPageType (NORMAL)
140 , mpStyleSheet(nullptr)
141 {
>>> CID 1680367: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "mbHasCanvasPage" is not initialized in this
>>> constructor nor in any functions that it calls.
142 }
143
144 PPTWriterBase::~PPTWriterBase()
145 {
146 // Possibly unnecessary sanity check for mXStatusIndicator.is().
147 // In 3.3 we had a bug report of a crash where it was null,
** CID 1680366: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 1680366: Null pointer dereferences (FORWARD_NULL)
/sd/source/ui/view/frmview.cxx: 483 in
sd::FrameView::WriteUserDataSequence(com::sun::star::uno::Sequence<com::sun::star::beans::PropertyValue>
&)()
477 aUserData.emplace_back( sUNO_View_GridSnapWidthXNumerator, Any(
GetSnapGridWidthX().GetNumerator() ) );
478 aUserData.emplace_back( sUNO_View_GridSnapWidthXDenominator, Any(
GetSnapGridWidthX().GetDenominator() ) );
479 aUserData.emplace_back( sUNO_View_GridSnapWidthYNumerator, Any(
GetSnapGridWidthY().GetNumerator() ) );
480 aUserData.emplace_back( sUNO_View_GridSnapWidthYDenominator, Any(
GetSnapGridWidthY().GetDenominator() ) );
481 aUserData.emplace_back( sUNO_View_IsAngleSnapEnabled, Any(
IsAngleSnapEnabled() ) );
482 aUserData.emplace_back( sUNO_View_SnapAngle, Any(
static_cast<sal_Int32>(GetSnapAngle()) ) );
>>> CID 1680366: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "pDrawDocument" to "HasCanvasPage", which
>>> dereferences it.
483 aUserData.emplace_back( sUNO_View_HasCanvasPage, Any(
pDrawDocument->HasCanvasPage() ) );
484
485 const sal_Int32 nOldLength = rValues.getLength();
486 rValues.realloc( nOldLength + aUserData.size() );
487
488 PropertyValue* pValue = &(rValues.getArray()[nOldLength]);
** CID 1680365: Integer handling issues (INTEGER_OVERFLOW)
/sd/source/core/drawdoc2.cxx: 1794 in
SdDrawDocument::connectPagePreviews()()
_____________________________________________________________________________________________
*** CID 1680365: Integer handling issues (INTEGER_OVERFLOW)
/sd/source/core/drawdoc2.cxx: 1794 in
SdDrawDocument::connectPagePreviews()()
1788 pObjList->NbcRemoveObject(pObj->GetOrdNum());
1789 }
1790 else if (pObj->GetObjIdentifier() == SdrObjKind::Page)
1791 {
1792 SdrPageObj* pPageObj = static_cast<SdrPageObj*>(pObj);
1793 SdPage* pPage =
static_cast<SdPage*>(pPageObj->GetReferencedPage());
>>> CID 1680365: Integer handling issues (INTEGER_OVERFLOW)
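>>> Expression "nIndex", where "(pPage->GetPageNum() - 1) / 2 - 1" is known
>>> to be equal to 65535, overflows the type of "nIndex", which is type
>>> "sal_uInt16". The value is then used, with no range check in between, as
>>> the index in "aPageOrder[nIndex]" on line 1795.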
1794 sal_uInt16 nIndex = (pPage->GetPageNum() - 1) / 2 - 1; //
without canvas page
1795 aPageOrder[nIndex] = pPageObj;
1796 }
1797 }
1798
1799 // return if the document has only one non-canvas page
** CID 1680364: (INTEGER_OVERFLOW)
/sd/source/filter/eppt/pptx-epptooxml.cxx: 2021 in
oox::core::PowerPointExport::ImplWriteSlideMaster(unsigned int, const
com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> &)()
/sd/source/filter/eppt/pptx-epptooxml.cxx: 2013 in
oox::core::PowerPointExport::ImplWriteSlideMaster(unsigned int, const
com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> &)()
_____________________________________________________________________________________________
*** CID 1680364: (INTEGER_OVERFLOW)
/sd/source/filter/eppt/pptx-epptooxml.cxx: 2021 in
oox::core::PowerPointExport::ImplWriteSlideMaster(unsigned int, const
com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> &)()
2015 }
2016 if (nPageNum == mnMasterPages - 1)
2017 mPresentationFS->endElementNS(XML_p, XML_sldMasterIdLst);
2018
2019 FSHelperPtr pFS =
2020
openFragmentStreamWithSerializer("ppt/slideMasters/slideMaster" +
>>> CID 1680364: (INTEGER_OVERFLOW)
>>> Expression "nPageNum + 1U", where "nPageNum" is known to be equal to
>>> 4294967295, overflows the type of "nPageNum + 1U", which is type "unsigned
>>> int".
2021 OUString::number(nPageNum +
1) + ".xml",
2022
u"application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"_ustr);
2023
2024 SdrPage* pMasterPage = SdPage::getImplementation(mXDrawPage);
2025 model::Theme* pTheme = nullptr;
2026 if (pMasterPage)
/sd/source/filter/eppt/pptx-epptooxml.cxx: 2013 in
oox::core::PowerPointExport::ImplWriteSlideMaster(unsigned int, const
com::sun::star::uno::Reference<com::sun::star::beans::XPropertySet> &)()
2007 XML_id,
OString::number(GetNewSlideMasterId()),
2008 FSNS(XML_r, XML_id), sRelId);
2009
2010 // if canvas master page is the last one, close the list tag
before that
2011 if (mnCanvasMasterIndex == mnMasterPages - 1)
2012 {
>>> CID 1680364: (INTEGER_OVERFLOW)
>>> Expression "this->mnMasterPages - 2U", where "this->mnMasterPages" is
>>> known to be equal to 1, underflows the type of "this->mnMasterPages - 2U",
>>> which is type "unsigned int".
2013 if (nPageNum == mnMasterPages - 2)
2014 mPresentationFS->endElementNS(XML_p, XML_sldMasterIdLst);
2015 }
2016 if (nPageNum == mnMasterPages - 1)
2017 mPresentationFS->endElementNS(XML_p, XML_sldMasterIdLst);
2018
** CID 1680363: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
/oox/source/drawingml/diagram/diagramhelper.cxx: 211 in
oox::drawingml::AdvancedDiagramHelper::removeDiagramNode(const rtl::OUString
&)()
_____________________________________________________________________________________________
*** CID 1680363: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
/oox/source/drawingml/diagram/diagramhelper.cxx: 211 in
oox::drawingml::AdvancedDiagramHelper::removeDiagramNode(const rtl::OUString
&)()
205 if(hasDiagramData())
206 {
207 const svx::diagram::DomMapFlags aResult =
mpDiagramPtr->getData()->removeDiagramNode(rNodeId);
208 bRetval = !aResult.empty();
209
210 // reset Dom properties at DiagramData
>>> CID 1680363: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
>>> "aResult" is passed-by-value as parameter to
>>> "std::vector<svx::diagram::DomMapFlag,
>>> std::allocator<svx::diagram::DomMapFlag>
>>> >::vector(std::vector<svx::diagram::DomMapFlag,
>>> std::allocator<svx::diagram::DomMapFlag> > const &)", when it could be
>>> moved instead.
211 mpDiagramPtr->resetOOXDomValues(aResult);
212
213 // reset temporary buffered ModelData association lists &
rebuild them
214 // and the Diagram DataModel
215 mpDiagramPtr->getData()->buildDiagramDataModel(true);
216
** CID 1680362: Integer handling issues (SIGN_EXTENSION)
/sd/source/core/drawdoc2.cxx: 1706 in
SdDrawDocument::populatePagePreviewsGrid()()
_____________________________________________________________________________________________
*** CID 1680362: Integer handling issues (SIGN_EXTENSION)
/sd/source/core/drawdoc2.cxx: 1706 in
SdDrawDocument::populatePagePreviewsGrid()()
1700 ::tools::Long nPreviewHeight;
1701 ::tools::Long nTotalGridWidth;
1702 ::tools::Long nTotalGridHeight;
1703 do
1704 {
1705 nTotalGridWidth = (nTotalCol - 1) * nGapWidth;
>>> CID 1680362: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "nGapHeight" with type "sal_uInt16"
>>> (16 bits, unsigned) is promoted in "(nTotalRow - 1) * nGapHeight" to type
>>> "int" (32 bits, signed), then sign-extended to type "long" (64 bits,
>>> signed). If "(nTotalRow - 1) * nGapHeight" is greater than 0x7FFFFFFF, the
>>> upper bits of the result will all be 1.
1706 nTotalGridHeight = (nTotalRow - 1) * nGapHeight;
1707 nPreviewWidth = (nWidth / nFactor);
1708 nPreviewHeight = (nHeight / nFactor);
1709 nTotalGridWidth += nPreviewWidth * nTotalCol;
1710 nTotalGridHeight += nPreviewHeight * nTotalRow;
1711 nFactor++;
** CID 1680361: Null pointer dereferences (FORWARD_NULL)
/sd/source/core/drawdoc2.cxx: 522 in
SdDrawDocument::RemovePage(unsigned short)()
_____________________________________________________________________________________________
*** CID 1680361: Null pointer dereferences (FORWARD_NULL)
/sd/source/core/drawdoc2.cxx: 522 in
SdDrawDocument::RemovePage(unsigned short)()
516 auto pSdPage = static_cast<SdPage*>(pPage.get());
517 if (pSdPage->IsCanvasPage())
518 {
519 if (comphelper::LibreOfficeKit::isActive())
520 {
521 DrawViewShell* pDrawViewSh =
dynamic_cast<DrawViewShell*>(mpDocSh->GetViewShell());
>>> CID 1680361: Null pointer dereferences (FORWARD_NULL)
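>>> Passing null pointer "pDrawViewSh" to "RememberCanvasPageVisArea",
>>> which dereferences it. (The dereference happens because this is a virtual
>>> function call.) "pDrawViewSh" is the unchecked result of the dynamic_cast
>>> on line 521, which is null when "mpDocSh->GetViewShell()" returns null or
>>> an object that is not a DrawViewShell.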
522
pDrawViewSh->RememberCanvasPageVisArea(::tools::Rectangle());
523 }
524 mpCanvasPage = nullptr;
525 }
526 pSdPage->DisconnectLink();
527 ReplacePageInCustomShows( pSdPage, nullptr );
** CID 1680360: Null pointer dereferences (FORWARD_NULL)
_____________________________________________________________________________________________
*** CID 1680360: Null pointer dereferences (FORWARD_NULL)
/sd/source/ui/func/fusel.cxx: 362 in
sd::FuSelection::MouseButtonDown(const MouseEvent &)()
356 {
357 if (rMEvt.GetClicks() == 2)
358 {
359 SdrPageObj* pPageObj =
static_cast<SdrPageObj*>(pObj);
360 sal_uInt16 nPageNum =
(pPageObj->GetReferencedPage()->GetPageNum() - 1) / 2;
361 DrawViewShell* pDrawViewShell =
dynamic_cast<DrawViewShell*>(&mrViewShell);
>>> CID 1680360: Null pointer dereferences (FORWARD_NULL)
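>>> Passing null pointer "pDrawViewShell" to "SwitchPage", which
>>> dereferences it. "pDrawViewShell" is the unchecked result of the
>>> dynamic_cast on line 361, which is null when "mrViewShell" is not a
>>> DrawViewShell.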
362 pDrawViewShell->SwitchPage(nPageNum);
363 }
364 }
365 }
366
367 // #i71727# replaced else here with two possibilities,
once the original else (!pObj)
** CID 1680359: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
/oox/source/drawingml/diagram/diagramhelper.cxx: 238 in
oox::drawingml::AdvancedDiagramHelper::TextInformationChange(const
rtl::OUString &, SdrOutliner &)()
_____________________________________________________________________________________________
*** CID 1680359: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
/oox/source/drawingml/diagram/diagramhelper.cxx: 238 in
oox::drawingml::AdvancedDiagramHelper::TextInformationChange(const
rtl::OUString &, SdrOutliner &)()
232 // try text change for model part in DiagramData
233 const svx::diagram::DomMapFlags
aDomMapFlags(mpDiagramPtr->getData()->TextInformationChange(rDiagramDataModelID,
rOutl));
234
235 if(!aDomMapFlags.empty())
236 {
237 // reset Dom properties at DiagramData
>>> CID 1680359: Performance inefficiencies (COPY_INSTEAD_OF_MOVE)
>>> "aDomMapFlags" is passed-by-value as parameter to
>>> "std::vector<svx::diagram::DomMapFlag,
>>> std::allocator<svx::diagram::DomMapFlag>
>>> >::vector(std::vector<svx::diagram::DomMapFlag,
>>> std::allocator<svx::diagram::DomMapFlag> > const &)", when it could be
>>> moved instead.
238 mpDiagramPtr->resetOOXDomValues(aDomMapFlags);
239
240 // still reset GrabBag at Associated SdrObjGroup object. There
are no "OOX.*"
241 // entries anymore, but others like "mso-rotation-angle" and
others
242
mpAssociatedSdrObjGroup->SetGrabBagItem(uno::Any(uno::Sequence<beans::PropertyValue>()));
243 }
** CID 1680358: Null pointer dereferences (REVERSE_INULL)
/sd/source/ui/view/viewshe3.cxx: 179 in
sd::ViewShell::CreateOrDuplicatePage(SfxRequest &, PageKind, SdPage *, int)()
_____________________________________________________________________________________________
*** CID 1680358: Null pointer dereferences (REVERSE_INULL)
/sd/source/ui/view/viewshe3.cxx: 179 in
sd::ViewShell::CreateOrDuplicatePage(SfxRequest &, PageKind, SdPage *, int)()
173 SdrLayerID aBckgrndObj =
rLayerAdmin.GetLayerID(sUNO_LayerName_background_objects);
174 SdrLayerIDSet aVisibleLayers;
175 // Determine the page from which to copy some values, such as
layers,
176 // size, master page, to the new page. This is usually the given
page.
177 // When the given page is NULL then use the first page of the
document.
178 SdPage* pTemplatePage = pPage;
>>> CID 1680358: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pTemplatePage" suggests that it may be null, but it has
>>> already been dereferenced on all paths leading to the check.
179 if (pTemplatePage == nullptr)
180 pTemplatePage = pDocument->GetSdPage(0, ePageKind);
181 if (pTemplatePage != nullptr && pTemplatePage->TRG_HasMasterPage())
182 aVisibleLayers =
pTemplatePage->TRG_GetMasterPageVisibleLayers();
183 else
184 aVisibleLayers.SetAll();
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/libreoffice?tab=overview