From 1adfb558f52f0d8b24140a992ec8e3368e481229 Mon Sep 17 00:00:00 2001
From: Eliseo Martínez
Date: Thu, 13 Nov 2014 20:27:33 +0100
Subject: Fix warnings: spell.c: getroom(): Np dereference: FP/RI.
Problem : Dereference of null pointer @ 6089.
Diagnostic : False positive / Real issue.
Rationale : From the code, it seems the intent is that len parameter should never exceed SBLOCKSIZE. But the code checking for that does in fact cause a null pointer dereference just immediately after.
Resolution : State precondition in doc and assert it at entry.
---
src/nvim/spell.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/nvim/spell.c b/src/nvim/spell.c
index c3059d6b0b..0e76fc4b92 100644
--- a/src/nvim/spell.c
+++ b/src/nvim/spell.c
@@ -304,6 +304,7 @@
#include "nvim/ex_cmds2.h"
#include "nvim/ex_docmd.h"
#include "nvim/fileio.h"
+#include "nvim/func_attr.h"
#include "nvim/getchar.h"
#include "nvim/hashtab.h"
#include "nvim/mbyte.h"
@@ -6072,14 +6073,17 @@ static int spell_read_wordfile(spellinfo_T *spin, char_u *fname)
/// track of them).
/// The memory is cleared to all zeros.
///
-/// @param len Length needed.
+/// @param len Length needed (<= SBLOCKSIZE).
/// @param align Align for pointer.
-/// @return NULL when out of memory.
+/// @return Pointer into block data.
static void *getroom(spellinfo_T *spin, size_t len, bool align)
+ FUNC_ATTR_NONNULL_RET
{
char_u *p;
sblock_T *bl = spin->si_blocks;
+ assert(len <= SBLOCKSIZE);
+
if (align && bl != NULL)
// Round size up for alignment. On some systems structures need to be
// aligned to the size of a pointer (e.g., SPARC).
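Review bot: The `assert(len <= SBLOCKSIZE);` added at the top of getroom() only enforces the precondition in builds without NDEBUG; in an NDEBUG build it compiles to nothing, and because the next hunk drops the old `len >= SBLOCKSIZE` fallback, an oversized len would no longer end in a deterministic null dereference but would presumably be handed a pointer into a freshly allocated block of SBLOCKSIZE data bytes that the caller then fills past its end — a silent heap overrun in place of a crash. Whether any caller can actually reach getroom() with len > SBLOCKSIZE (for instance from spell-file input) is not visible in this hunk, and getroom()'s body continues past it. If the bound is meant as a hard invariant rather than a debugging aid, I would keep a check that survives NDEBUG, e.g. `if (len > SBLOCKSIZE) { abort(); }` right after the assert, or at least make the doc line explicit: `/// @param len Length needed in bytes; must be <= SBLOCKSIZE (callers bound this, it is only asserted here).` The hunk also does not show `<assert.h>` being included, so presumably it is already among spell.c's earlier includes — worth confirming.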
@@ -6087,11 +6091,8 @@ static void *getroom(spellinfo_T *spin, size_t len, bool align)
& ~(sizeof(char *) - 1);
if (bl == NULL || bl->sb_used + len > SBLOCKSIZE) {
- if (len >= SBLOCKSIZE)
- bl = NULL;
- else
- // Allocate a block of memory. It is not freed until much later.
- bl = xcalloc(1, (sizeof(sblock_T) + SBLOCKSIZE));
+ // Allocate a block of memory. It is not freed until much later.
+ bl = xcalloc(1, (sizeof(sblock_T) + SBLOCKSIZE));
bl->sb_next = spin->si_blocks;
spin->si_blocks = bl;
bl->sb_used = 0;
-- cgit
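Review bot: With the `len >= SBLOCKSIZE` branch gone, `bl` is now unconditionally whatever `xcalloc()` returns, and together with the `FUNC_ATTR_NONNULL_RET` added on the declaration this is only sound if `xcalloc()` aborts instead of returning NULL on allocation failure — something this hunk does not show. Presumably it does, since the `@return NULL when out of memory` contract is being retired, but it is worth confirming, because a returns-nonnull attribute lets the compiler delete `if (p == NULL)` checks in callers. Any remaining callers that still compare getroom()'s result against NULL are now dead code and could be cleaned up in the same change, and I would note the assumption next to the allocation: `// xcalloc() never returns NULL (it aborts on OOM), so the block is always usable.` The enclosing `if` block and the rest of getroom() continue past the end of the hunk.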