authorJan Pokorný <jpokorny@redhat.com>2015-10-01 21:52:55 +0200
committerJan Pokorný <jpokorny@redhat.com>2015-10-01 21:52:55 +0200
commit340d82d56e6a4304b99350e936e9d77a9f2654a9 (patch)
treee17b344b6cc8296b745f5614ba0d6fea1b6c5945 /libxslt
parent30531a62d492bf7e61f249bce26acee594519164 (diff)
libxslt: check_valuePopNullDeref
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Diffstat (limited to 'libxslt')
-rw-r--r--libxslt/check_valuePopNullDeref.v1.cocci47
-rw-r--r--libxslt/check_valuePopNullDeref.v2.cocci44
-rw-r--r--libxslt/check_valuePopNullDeref.vX.cocci61
3 files changed, 152 insertions, 0 deletions
diff --git a/libxslt/check_valuePopNullDeref.v1.cocci b/libxslt/check_valuePopNullDeref.v1.cocci
new file mode 100644
index 0000000..df8d379
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.v1.cocci
@@ -0,0 +1,47 @@
+// See: https://mail.gnome.org/archives/xslt/2013-December/msg00008.html
+// Fix possible NULL deref for valuePop retval
+// jpokorny redhat com
+
+@incl@
+@@
+
+#include <libxml/xpathInternals.h>
+
+@voidfn depends on incl exists@
+expression E;
+identifier fn, f, item;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (E == NULL) S1 else S2
+(
+E->item;
+|
+E->item
+)
+...>
+}
+
+// for cases the function is non-void (which implicitly supposes
+// a pointer as a return value rather than anything else);
+// not found helpful in libxslt case presently anyway
+//@nonvoidfn depends on incl exists@
+//expression E;
+//identifier fn != voidfn.fn, f, item;
+//statement S1, S2;
+//@@
+//fn (...) {
+//<...
+//E = valuePop(...);
+//+ if (E == NULL) return NULL;
+//... when != if (E == NULL) S1 else S2
+//(
+//E->item;
+//|
+//E->item
+//)
+//...>
+//}
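Review bot: The inserted `if (E == NULL) return;` in `voidfn` leaves the function without releasing anything it already owns and without signalling a failure, so every site this rule rewrites needs a manual pass before the result is committed. In callers that pop several values in a row, an early return after a later `valuePop` would presumably leak the objects popped earlier, and whether the XPath context already records an error at that point is not visible here. I would say so in the header, e.g. `// NOTE: the generated early return does no cleanup and sets no error; review each site by hand`. Separately, `f` in `identifier fn, f, item;` is never used in the rule body and can be dropped.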
diff --git a/libxslt/check_valuePopNullDeref.v2.cocci b/libxslt/check_valuePopNullDeref.v2.cocci
new file mode 100644
index 0000000..f95a11b
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.v2.cocci
@@ -0,0 +1,44 @@
+// See: https://mail.gnome.org/archives/xslt/2013-December/msg00011.html
+// Fix possible NULL deref for valuePop retval (v2)
+// jpokorny redhat com
+
+@incl@
+@@
+
+#include <libxml/xpathInternals.h>
+
+@voidfn depends on incl exists@
+expression E;
+identifier fn, item;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (<+... E == NULL ...+>) S1 else S2
+(
+E->item;
+|
+E->item
+)
+...>
+}
+
+//@nonvoidfn depends on incl exists@
+//expression E;
+//identifier fn != voidfn.fn, item;
+//statement S1, S2;
+//@@
+//fn (...) {
+//<...
+//E = valuePop(...);
+//+ if (E == NULL) return NULL;
+//... when != if (<+... E == NULL ...+>) S1 else S2
+//(
+//E->item;
+//|
+//E->item
+//)
+//...>
+//}
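Review bot: The `when != if (<+... E == NULL ...+>) S1 else S2` exclusion in `voidfn` only recognises guards written around `E == NULL`, so a dereference already protected by a positive test such as `if (E != NULL)` still gets the new early return. Where that existing `if` has an error-handling `else` branch, the inserted `return;` would run first and bypass it. The vX script in this commit uses the broader `... when != if (<+...E...+>) S1`; using that form here, or adding a header line saying v2 is superseded by vX, would keep the three scripts consistent. How far Coccinelle's isomorphisms already widen the `E == NULL` match is not visible on this page, so this is worth confirming against a small test file.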
diff --git a/libxslt/check_valuePopNullDeref.vX.cocci b/libxslt/check_valuePopNullDeref.vX.cocci
new file mode 100644
index 0000000..2e83091
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.vX.cocci
@@ -0,0 +1,61 @@
+// Fix possible NULL deref for valuePop retval (v3)
+// jpokorny@redhat.com
+//... when != if (<+...E == NULL...+>) S1
+// when != if (<+...E != NULL...+>) S1
+//... when != \(<+...E...+>\|<+...E!=NULL && E1...+>\|<+...E==NULL || E1...+>\)
+//... when != \((<+...E->item...+>)\|(<+...E->item...+>)\|(E != NULL) || E1\|(E == NULL) && E1\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+@incl@
+@@
+
+#include <libxml/xpathInternals.h>
+
+@voidfn depends on incl exists@
+expression E, E1, E2, E3;
+identifier fn, item, item2;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (<+...E...+>) S1
+// when != if (E->item != E1) S1
+ when != E->item2 == NULL && <+... E = E1 ...+>
+// specialize-> when != if (<+...E->item...+>) S1
+// when != (<+...E=E1...+>)
+// when != if (E1) {<+...E=E2...+>} S1
+// when != if (E1) S1 else {<+...E=E2...+>}
+(
+E->item;
+|
+E->item
+... when != \((E == NULL) && E2\|(E != NULL) || E2\)
+)
+//... when != \((<+...E->item...+>)\|(E == NULL)\|(E != NULL)\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+...>
+}
+
+@nonvoidfn depends on incl && !voidfn exists@
+expression E;
+identifier fn, item;
+statement S1, S2;
+@@
+fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return NULL;
+... when != if (<+...E...+>) S1
+// when != if (<+...E->item...+>) S1
+(
+E->item;
+|
+E->item
+//... when != \((E == NULL) && E1\|(E != NULL) || E1\)
+... when != \((<+...E=E1...+>)\|(E == NULL) || E1\|(E != NULL) && E1\)
+)
+...>
+}
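Review bot: In `nonvoidfn`, `E1` appears in the last `when !=` line but the rule declares only `expression E;`, so spatch will read `E1` as a literal C identifier rather than a metavariable and the constraint will almost never apply; the declaration should be `expression E, E1;`. That line uses `(E == NULL) || E1` and `(E != NULL) && E1`, while the corresponding line in `voidfn` has the operators the other way round (`(E == NULL) && E2`, `(E != NULL) || E2`), so one of the two is probably unintended. Also, `depends on incl && !voidfn` is evaluated per file as far as I can tell, which means non-void functions are skipped in any file where `voidfn` matched, and `return NULL;` is inserted whatever the function's return type is. `E3` and `S2` in `voidfn` and `S2` in `nonvoidfn` are declared but unused.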