UNINIT in /inkbugs/inkscape/src/libvpsc/csolve_vpsc.cpp

Bug #614227 reported by Vaughn Spurlin
This bug affects 1 person
Affects: Inkscape
Status: Fix Released
Importance: Medium
Assigned to: Kris

Bug Description

UNINIT in /inkbugs/inkscape/src/libvpsc/csolve_vpsc.cpp

In genYConstraints():
Reads an uninitialized pointer or its target (CWE-457).

   45 int genYConstraints(int n, boxf* bb, Variable** vs, Constraint*** cs) {
Declaring variable "rs" without initializer.
   46     Rectangle* rs[n];
At conditional (1): "i < n" taking the false branch.
   47     for(int i=0;i<n;i++) {
   48         rs[i]=new Rectangle(bb[i].LL.x,bb[i].UR.x,bb[i].LL.y,bb[i].UR.y);
   49     }
Using uninitialized element of array "rs" when calling "vpsc::generateYConstraints(int, vpsc::Rectangle **, vpsc::Variable **, vpsc::Constraint **&)".
   50     int m = generateYConstraints(n,rs,vs,*cs);

Tags: coverity
Vaughn Spurlin (vspurlin) wrote :

fix suggestion 2010-07-25:
   45.1 assert(n > 0);

fix reason:
  insert a line to ensure that rs[n] is created with at least 1 element.
  looked for origin of n's value to ensure that it was >= 1.
  found a chain of assumptions that the value is good, without verification.
  current code is brittle, so add assert() for protection.
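
A hardened form of the flagged pattern, as an added example that is not code from Inkscape, libvpsc or the committed fix: the size check is a runtime test rather than an assert(), which is compiled out when NDEBUG is defined, and the variable-length array is replaced by a std::vector whose slots are all initialized. Point, boxf, Rectangle, generateYConstraintsStub and genYConstraintsChecked are hypothetical stand-ins, and the ownership handling is an assumption of this sketch.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical stand-ins for the types named in the report (not libvpsc's own).
struct Point { double x, y; };
struct boxf { Point LL, UR; };
struct Rectangle {
    double minX, maxX, minY, maxY;
    Rectangle(double x, double X, double y, double Y)
        : minX(x), maxX(X), minY(y), maxY(Y) {}
};

// Stub callee (assumption): dereferences all n slots, so an unset slot
// would be a real uninitialized read. Returns how many look well-formed.
static int generateYConstraintsStub(int n, Rectangle** rs) {
    int seen = 0;
    for (int i = 0; i < n; ++i)
        if (rs[i]->maxY >= rs[i]->minY) ++seen;
    return seen;
}

// Returns -1 on invalid input. Unlike assert(n > 0), this check is still
// present when the build defines NDEBUG.
int genYConstraintsChecked(int n, const boxf* bb) {
    if (n <= 0 || bb == nullptr) return -1;
    const std::size_t count = static_cast<std::size_t>(n);
    // Vectors replace the variable-length array "Rectangle* rs[n]": every
    // slot starts as nullptr and the rectangles are freed on scope exit.
    std::vector<std::unique_ptr<Rectangle>> owned;
    owned.reserve(count);
    std::vector<Rectangle*> rs(count, nullptr);
    for (std::size_t i = 0; i < count; ++i) {
        owned.emplace_back(new Rectangle(bb[i].LL.x, bb[i].UR.x,
                                         bb[i].LL.y, bb[i].UR.y));
        rs[i] = owned.back().get();
    }
    return generateYConstraintsStub(n, rs.data());
}

int main() {
    // Constructed sample input.
    boxf boxes[2] = { {{0, 0}, {1, 1}}, {{2, 2}, {3, 5}} };
    std::printf("n=2 -> %d\n", genYConstraintsChecked(2, boxes));
    std::printf("n=0 -> %d\n", genYConstraintsChecked(0, boxes));
    return 0;
}
```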

Kris (kris-degussem) wrote :

Committed in trunk revision 11658.

Changed in inkscape:
status: New → Fix Committed
milestone: none → 0.49
assignee: nobody → Kris (kris-degussem)
Bryce Harrington (bryce)
Changed in inkscape:
status: Fix Committed → Fix Released