From 18d244eded434e6bc47b351ef00088378883bf1d Mon Sep 17 00:00:00 2001
From: "Justin M. Keyes"
Date: Thu, 11 Jan 2018 01:32:41 +0100
Subject: coverity/169163: decode_string: Null pointer deref *** CID 169163: Null pointer dereferences (FORWARD_NULL) /src/nvim/eval/decode.c: 290 in decode_string() 284 if (elw_ret == -1) { 285 tv_clear(&tv); 286 return (typval_T) { .v_type = VAR_UNKNOWN, .v_lock = VAR_UNLOCKED }; 287 } 288 return tv; 289 } else { >>> CID 169163: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "s" to "xmemdupz", which dereferences it. (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) 290 return (typval_T) { 291 .v_type = VAR_STRING, 292 .v_lock = VAR_UNLOCKED, 293 .vval = { .v_string = (char_u *)( 294 s_allocated ? (char *)s : xmemdupz(s, len)) }, 295 };
---
src/nvim/eval/decode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/nvim/eval/decode.c b/src/nvim/eval/decode.c
index af4e055d23..cd967ed5c5 100644
--- a/src/nvim/eval/decode.c
+++ b/src/nvim/eval/decode.c
@@ -285,7 +285,7 @@ typval_T decode_string(const char *const s, const size_t len,
 .v_type = VAR_STRING,
 .v_lock = VAR_UNLOCKED,
 .vval = { .v_string = (char_u *)(
- s_allocated ? (char *)s : xmemdupz(s, len)) },
+ (s == NULL || s_allocated) ? (char *)s : xmemdupz(s, len)) },
 };
 }
 }
-- cgit
From 624ac8aede93cc521d7ea27ae406ad4780642fcb Mon Sep 17 00:00:00 2001
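Review bot: The new `s == NULL ||` guard on the `.v_string` initializer returns a VAR_STRING with a NULL `v_string` without looking at `len`, so a caller that passes NULL together with a non-zero length now silently gets an empty value instead of a visible failure. If NULL is only expected with `len == 0`, state that invariant next to the guard, e.g. `assert(s != NULL || len == 0);` before the `return`, and add a comment such as `// NULL s is stored as-is: xmemdupz() is declared nonnull.` so the reason for the extra condition survives later edits. The Coverity listing shows an earlier branch of decode_string() (lines 284-289) that lies outside this hunk; whether that path can also receive a NULL `s` cannot be judged from here.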
From: "Justin M. Keyes"
Date: Thu, 11 Jan 2018 01:36:37 +0100
Subject: coverity/161216: get_user_input: RETURN_LOCAL *** CID 161216: Memory - illegal accesses (RETURN_LOCAL) /src/nvim/eval.c: 11143 in get_user_input() 11137 rettv->vval.v_string = 11138 (char_u *)getcmdline_prompt(inputsecret_flag ? NUL : '@', p, echo_attr, 11139 xp_type, xp_arg, input_callback); 11140 ex_normal_busy = save_ex_normal_busy; 11141 callback_free(&input_callback); 11142 >>> CID 161216: Memory - illegal accesses (RETURN_LOCAL) >>> Using "cancelreturn", which points to an out-of-scope variable "def". 11143 if (rettv->vval.v_string == NULL && cancelreturn != NULL) { 11144 rettv->vval.v_string = (char_u *)xstrdup(cancelreturn); 11145 } 11146 11147 xfree(xp_arg); 11148
---
src/nvim/eval.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 2e8bf18f2d..a642a3c0dd 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -11110,6 +11110,7 @@ void get_user_input(const typval_T *const argvars,
 char defstr_buf[NUMBUFLEN];
 char cancelreturn_buf[NUMBUFLEN];
 char xp_name_buf[NUMBUFLEN];
+ char def[1] = { 0 };
 if (argvars[0].v_type == VAR_DICT) {
 if (argvars[1].v_type != VAR_UNKNOWN) {
 emsgf(_("E5050: {opts} must be the only argument"));
@@ -11124,7 +11125,6 @@ void get_user_input(const typval_T *const argvars,
 if (defstr == NULL) {
 return;
 }
- char def[1] = { 0 };
 cancelreturn = tv_dict_get_string_buf_chk(dict, S_LEN("cancelreturn"),
 cancelreturn_buf, def);
 if (cancelreturn == NULL) { // error
-- cgit
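Review bot: The hoisted `char def[1] = { 0 };` in the first hunk carries no comment explaining why it sits at function scope, yet the fix depends on exactly that: per the Coverity report, `cancelreturn` can end up pointing at `def` and is read again at line 11143, after the block that used to hold `def` has ended. A one-line comment at the declaration, e.g. `// Must outlive cancelreturn, which may point at it (used after the VAR_DICT block).`, would keep a later cleanup from moving it back into the inner block and reintroducing the dangling pointer. If the default parameter of tv_dict_get_string_buf_chk() is a `const char *` (not visible here), passing the literal `""` would remove the lifetime dependency altogether. The second hunk only deletes the old declaration, and get_user_input() starts and ends outside both hunks.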