From 340d82d56e6a4304b99350e936e9d77a9f2654a9 Mon Sep 17 00:00:00 2001
From: Jan Pokorný
Date: Thu, 1 Oct 2015 21:52:55 +0200
Subject: libxslt: check_valuePopNullDeref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jan Pokorný
---
 libxslt/check_valuePopNullDeref.vX.cocci | 61 ++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 libxslt/check_valuePopNullDeref.vX.cocci
(limited to 'libxslt/check_valuePopNullDeref.vX.cocci')
diff --git a/libxslt/check_valuePopNullDeref.vX.cocci b/libxslt/check_valuePopNullDeref.vX.cocci
new file mode 100644
index 0000000..2e83091
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.vX.cocci
@@ -0,0 +1,61 @@
+// Fix possible NULL deref for valuePop retval (v3)
+// jpokorny@redhat.com
+//... when != if (<+...E == NULL...+>) S1
+// when != if (<+...E != NULL...+>) S1
+//... when != \(<+...E...+>\|<+...E!=NULL && E1...+>\|<+...E==NULL || E1...+>\)
+//... when != \((<+...E->item...+>)\|(<+...E->item...+>)\|(E != NULL) || E1\|(E == NULL) && E1\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+@incl@
+@@
+
+#include
+
+@voidfn depends on incl exists@
+expression E, E1, E2, E3;
+identifier fn, item, item2;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (<+...E...+>) S1
+// when != if (E->item != E1) S1
+ when != E->item2 == NULL && <+... E = E1 ...+>
+// specialize-> when != if (<+...E->item...+>) S1
+// when != (<+...E=E1...+>)
+// when != if (E1) {<+...E=E2...+>} S1
+// when != if (E1) S1 else {<+...E=E2...+>}
+(
+E->item;
+|
+E->item
+... when != \((E == NULL) && E2\|(E != NULL) || E2\)
+)
+//... when != \((<+...E->item...+>)\|(E == NULL)\|(E != NULL)\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+...>
+}
+
+@nonvoidfn depends on incl && !voidfn exists@
+expression E;
+identifier fn, item;
+statement S1, S2;
+@@
+fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return NULL;
+... when != if (<+...E...+>) S1
+// when != if (<+...E->item...+>) S1
+(
+E->item;
+|
+E->item
+//... when != \((E == NULL) && E1\|(E != NULL) || E1\)
+... when != \((<+...E=E1...+>)\|(E == NULL) || E1\|(E != NULL) && E1\)
+)
+...>
+}
-- cgit
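Review bot: In the `nonvoidfn` rule the final `when !=` line refers to `E1`, but that rule declares only `expression E;`, so SmPL reads `E1` as a literal C identifier and the exclusions for `<+...E=E1...+>`, `(E == NULL) || E1` and `(E != NULL) && E1` will almost never match; the declaration should be `expression E, E1;` as in `voidfn`. Separately, `nonvoidfn` inserts `return NULL;` into every non-void function, which is only right for pointer-returning ones; for an integer or boolean return the generated guard would yield 0, so either the rule needs a return-type constraint or its output needs manual review. Both rules also return immediately after the failed `valuePop`, so any object popped earlier in the same function would presumably be leaked on that path. `E3` and `S2` are declared but never used and can be dropped.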