Closed Bug 505735 Opened 15 years ago Closed 10 years ago

coverity thinks _cairo_truetype_read_font_name can lose track of allocations to font_name/ps_name because they're in a loop

Categories

(Core :: Graphics, defect)

defect
Not set
minor


RESOLVED WONTFIX

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug, )

Details

(Keywords: coverity, memory-leak, Whiteboard: [CID 221614])

Attachments

(1 file, 1 obsolete file)

1324 _cairo_truetype_read_font_name (cairo_scaled_font_t      *scaled_font,

loop_start:
1365     for (i = 0; i < be16_to_cpu(name->num_records); i++) {

1370             if (be16_to_cpu (record->name) == 4) {
1371                 font_name = malloc (be16_to_cpu(record->length) + 1);

1382             if (be16_to_cpu (record->name) == 6) {
1383                 ps_name = malloc (be16_to_cpu(record->length) + 1);

1394             if (font_name && ps_name)
1395                 break;
1396         }
1397     }

logic:

1. enter loop_start 1365, i=0
2. cond 1370 take true path
3. alloc 1371 font_name
4. cond 1382 take false path
5. cond 1394 take false path
6. loop 1397 go to loop_start
7. cond 1370 take true path
8. leak 1371 font_name from step 3
9. alloc 1371 font_name
10. cond 1382 take true path
11. alloc 1383 ps_name
12. cond 1394 take true path exit loop

A similar path can be found where you leak ps_name.
Other paths are possible, including one where an alloc failure for ps_name results in font_name leaking, or vice versa.
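The two leak paths described above, as an added C example that is not cairo's code or the attached patch: a counting allocator drives the loop shape Coverity flagged beside a fixed shape that fills each slot once and frees on a single exit path. The name_record_t struct, the tracked allocator and the two sample tables are constructed stand-ins, and the early return on allocation failure is an assumption modelling the "alloc failure ... leaking" path the report mentions.

```c
#include <stdlib.h>
/* Constructed stand-in for a TrueType 'name' record: only the two fields the loop reads. */
typedef struct { unsigned short name; unsigned short length; } name_record_t;
static int live_allocs;          /* blocks obtained and not yet freed */
static int allocs_until_fail;    /* -1: never fail; N: the (N+1)th malloc returns NULL (simulated OOM) */
static char *tracked_malloc(size_t n)
{
    if (allocs_until_fail == 0) return NULL;
    if (allocs_until_fail > 0) allocs_until_fail--;
    char *p = malloc(n); if (p) live_allocs++; return p;
}
static void tracked_free(char *p) { if (p) { live_allocs--; free(p); } }

/* The flagged shape: a repeated name id overwrites the earlier pointer without freeing it
 * (report steps 3, 8, 9), and an allocation failure returns without releasing the sibling.
 * Returns the number of blocks lost; fail_after seeds allocs_until_fail to inject the OOM. */
static int read_names_leaky(const name_record_t *recs, int n, int fail_after)
{
    char *font_name = NULL, *ps_name = NULL;
    live_allocs = 0; allocs_until_fail = fail_after;
    for (int i = 0; i < n; i++) {
        if (recs[i].name == 4 && !(font_name = tracked_malloc(recs[i].length + 1)))
            return live_allocs;            /* early return: ps_name, if set, is lost */
        if (recs[i].name == 6 && !(ps_name = tracked_malloc(recs[i].length + 1)))
            return live_allocs;            /* early return: font_name, if set, is lost */
        if (font_name && ps_name) break;
    }
    tracked_free(font_name); tracked_free(ps_name);
    return live_allocs;
}

/* Fixed shape: fill each slot at most once and leave through one cleanup path on failure. */
static int read_names_fixed(const name_record_t *recs, int n, int fail_after)
{
    char *font_name = NULL, *ps_name = NULL;
    live_allocs = 0; allocs_until_fail = fail_after;
    for (int i = 0; i < n; i++) {
        if (recs[i].name == 4 && !font_name && !(font_name = tracked_malloc(recs[i].length + 1)))
            break;                         /* OOM: fall through to the common cleanup */
        if (recs[i].name == 6 && !ps_name && !(ps_name = tracked_malloc(recs[i].length + 1)))
            break;
        if (font_name && ps_name) break;
    }
    tracked_free(font_name); tracked_free(ps_name);   /* releases whatever was obtained */
    return live_allocs;
}

/* Constructed name tables: one with a duplicated id 4 record, one used for the OOM path. */
static const name_record_t dup_records[] = { {1, 10}, {4, 5}, {4, 7}, {6, 3} };
static const name_record_t oom_records[] = { {4, 5}, {6, 3} };
```

Run the leaky and fixed readers over the same table: the duplicate id 4 record costs the leaky loop one block, and failing the second allocation costs it the first string, while the fixed loop returns zero outstanding blocks in both cases.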
Attached patch patch (obsolete) (deleted) — Splinter Review
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #390176 - Flags: review?(vladimir)
Attachment #390176 - Flags: review?(vladimir) → review?(jmuizelaar)
Attached patch updated reviewer (deleted) — Splinter Review
Attachment #390176 - Attachment is obsolete: true
Attachment #391614 - Flags: review?(jmuizelaar)
Attachment #390176 - Flags: review?(jmuizelaar)
Comment on attachment 391614 [details] [diff] [review]
updated reviewer

Review of attachment 391614 [details] [diff] [review]:
-----------------------------------------------------------------

This seems unlikely to happen in practice and the work should be done upstream if needed. Since it's found with a static checker we can always rediscover this.
Attachment #391614 - Flags: review?(jmuizelaar) → review-
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Whiteboard: [cid 221614]
Whiteboard: [cid 221614] → [CID 221614]