From 340d82d56e6a4304b99350e936e9d77a9f2654a9 Mon Sep 17 00:00:00 2001
From: Jan Pokorný
Date: Thu, 1 Oct 2015 21:52:55 +0200
Subject: libxslt: check_valuePopNullDeref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Pokorný
---
 libxslt/check_valuePopNullDeref.v1.cocci | 47 ++++++++++++++++++++++++
 libxslt/check_valuePopNullDeref.v2.cocci | 44 +++++++++++++++++++++++
 libxslt/check_valuePopNullDeref.vX.cocci | 61 ++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+)
 create mode 100644 libxslt/check_valuePopNullDeref.v1.cocci
 create mode 100644 libxslt/check_valuePopNullDeref.v2.cocci
 create mode 100644 libxslt/check_valuePopNullDeref.vX.cocci
(limited to 'libxslt')
diff --git a/libxslt/check_valuePopNullDeref.v1.cocci b/libxslt/check_valuePopNullDeref.v1.cocci
new file mode 100644
index 0000000..df8d379
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.v1.cocci
@@ -0,0 +1,47 @@
+// See: https://mail.gnome.org/archives/xslt/2013-December/msg00008.html
+// Fix possible NULL deref for valuePop retval
+// jpokorny redhat com
+
+@incl@
+@@
+
+#include 
+
+@voidfn depends on incl exists@
+expression E;
+identifier fn, f, item;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (E == NULL) S1 else S2
+(
+E->item;
+|
+E->item
+)
+...>
+}
+
+// for cases the function is non-void (which implicitly supposes
+// a pointer as a return value rather than anything else);
+// not found helpful in libxslt case presently anyway
+//@nonvoidfn depends on incl exists@
+//expression E;
+//identifier fn != voidfn.fn, f, item;
+//statement S1, S2;
+//@@
+//fn (...) {
+//<...
+//E = valuePop(...);
+//+ if (E == NULL) return NULL;
+//... when != if (E == NULL) S1 else S2
+//(
+//E->item;
+//|
+//E->item
+//)
+//...>
+//}
diff --git a/libxslt/check_valuePopNullDeref.v2.cocci b/libxslt/check_valuePopNullDeref.v2.cocci
new file mode 100644
index 0000000..f95a11b
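Review bot: The exclusion `... when != if (E == NULL) S1 else S2` only recognizes a NULL test spelled exactly `E == NULL` and, as I read SmPL, only one that carries an `else` branch, so an existing guard written `if (!E)`, `if (E != NULL) { ... }` or a bare `if (E == NULL) return;` is not seen and the rule inserts a second, redundant check in front of it (v2 loosens the nesting but still matches only the `== NULL` spelling). A disjunction covers the usual spellings: `... when != if (\(E == NULL\|!E\|E != NULL\)) S1`, kept alongside the `else S2` form if that is still wanted. The `f` in `identifier fn, f, item;` is never used in the rule body, and spatch warns about unused metavariables; v2 already drops it.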
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.v2.cocci
@@ -0,0 +1,44 @@
+// See: https://mail.gnome.org/archives/xslt/2013-December/msg00011.html
+// Fix possible NULL deref for valuePop retval (v2)
+// jpokorny redhat com
+
+@incl@
+@@
+
+#include 
+
+@voidfn depends on incl exists@
+expression E;
+identifier fn, item;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (<+... E == NULL ...+>) S1 else S2
+(
+E->item;
+|
+E->item
+)
+...>
+}
+
+//@nonvoidfn depends on incl exists@
+//expression E;
+//identifier fn != voidfn.fn, item;
+//statement S1, S2;
+//@@
+//fn (...) {
+//<...
+//E = valuePop(...);
+//+ if (E == NULL) return NULL;
+//... when != if (<+... E == NULL ...+>) S1 else S2
+//(
+//E->item;
+//|
+//E->item
+//)
+//...>
+//}
diff --git a/libxslt/check_valuePopNullDeref.vX.cocci b/libxslt/check_valuePopNullDeref.vX.cocci
new file mode 100644
index 0000000..2e83091
--- /dev/null
+++ b/libxslt/check_valuePopNullDeref.vX.cocci
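Review bot: The guard generated at `++ if (E == NULL) return;` leaves the enclosing void function silently; as far as I recall valuePop() returns NULL when the XPath value stack is empty, and the libxslt functions this rule targets are presumably XPath extension callbacks that are expected to either push a result or record an error on the context, so a bare `return;` may leave the evaluation with nothing pushed and no error flagged — worth confirming at each site the patch touches. If that is the case, the template should report through the context's usual error path before returning rather than just `return;`, or the generated hunks should be reviewed one by one instead of applied blindly. Note also that the `when` constraint still recognizes only the `E == NULL` spelling, so an existing `if (!E)` guard does not suppress the insertion.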
@@ -0,0 +1,61 @@
+// Fix possible NULL deref for valuePop retval (v3)
+// jpokorny@redhat.com
+//... when != if (<+...E == NULL...+>) S1
+// when != if (<+...E != NULL...+>) S1
+//... when != \(<+...E...+>\|<+...E!=NULL && E1...+>\|<+...E==NULL || E1...+>\)
+//... when != \((<+...E->item...+>)\|(<+...E->item...+>)\|(E != NULL) || E1\|(E == NULL) && E1\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+@incl@
+@@
+
+#include 
+
+@voidfn depends on incl exists@
+expression E, E1, E2, E3;
+identifier fn, item, item2;
+statement S1, S2;
+@@
+void fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return;
+... when != if (<+...E...+>) S1
+// when != if (E->item != E1) S1
+ when != E->item2 == NULL && <+... E = E1 ...+>
+// specialize-> when != if (<+...E->item...+>) S1
+// when != (<+...E=E1...+>)
+// when != if (E1) {<+...E=E2...+>} S1
+// when != if (E1) S1 else {<+...E=E2...+>}
+(
+E->item;
+|
+E->item
+... when != \((E == NULL) && E2\|(E != NULL) || E2\)
+)
+//... when != \((<+...E->item...+>)\|(E == NULL)\|(E != NULL)\)
+//... when != \((<+...E->item...+>)\|(<+...E=E1...+>)\|(E == NULL) && E1\|(E != NULL) || E1\)
+
+...>
+}
+
+@nonvoidfn depends on incl && !voidfn exists@
+expression E;
+identifier fn, item;
+statement S1, S2;
+@@
+fn (...) {
+<...
+E = valuePop(...);
++ if (E == NULL) return NULL;
+... when != if (<+...E...+>) S1
+// when != if (<+...E->item...+>) S1
+(
+E->item;
+|
+E->item
+//... when != \((E == NULL) && E1\|(E != NULL) || E1\)
+... when != \((<+...E=E1...+>)\|(E == NULL) || E1\|(E != NULL) && E1\)
+)
+...>
+}
-- 
cgit
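Review bot: The `@nonvoidfn` rule uses `E1` in its live constraint `... when != \((<+...E=E1...+>)\|(E == NULL) || E1\|(E != NULL) && E1\)` but declares only `expression E;`, so spatch rejects the undeclared metavariable and the rule cannot run as written. Its header has two further problems: `depends on incl && !voidfn` switches the rule off for every file in which `voidfn` matched at least once, leaving non-void functions in exactly those files unguarded (the `identifier fn != voidfn.fn` constraint from the v1/v2 drafts is the right way to keep the rules apart), and `fn (...) {` does not constrain the return type, so `return NULL;` would also be generated for an `int`-returning function, where it is a pointer-to-integer conversion. Declaring `type T;` and matching `T *fn (...) {` restricts the rule to pointer-returning functions, which is what the v1 comment says was intended. The commented-out experiments at the top of the file and inside both rules (and the unused `E3`, `S2`) should be dropped before this file is used for anything beyond scratch work.
```cocci
@nonvoidfn depends on incl exists@
expression E, E1;
type T;
identifier fn != voidfn.fn, item;
statement S1;
@@
T *fn (...) {
<...
E = valuePop(...);
+ if (E == NULL) return NULL;
// … unchanged: when constraints and the E->item disjunction …
...>
}
```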