authorKen Sharp <ken.sharp@artifex.com>2019-11-15 14:22:04 +0000
committerKen Sharp <ken.sharp@artifex.com>2019-11-15 14:22:04 +0000
commit5f24a32f0cc4513dfb9825900d561b3a6771b87c (patch)
treea8da400876d468a9c770b26e0c50c4186af1b61c /psi/dscparse.c
parentde9dc99614f86e4aaa0a447766a58447e76ca8c1 (diff)
downloadghostpdl-5f24a32f0cc4513dfb9825900d561b3a6771b87c.tar.gz
Coverity ID 350216 - prevent dangling pointer
The variable pdcs is declared and immediately initialised to dsc->dcs2. Coverity correctly points out that if dsc->page_count is 1 we enter dsc_alloc_string, which can call dsc_reset() where, if dsc->dcs2 is set, it will be freed and dsc->dcs2 will be set to NULL, leaving pdcs dangling. By deferring the assignment of pdcs until it is actually used we can be certain that it is valid.
Diffstat (limited to 'psi/dscparse.c')
-rw-r--r--psi/dscparse.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/psi/dscparse.c b/psi/dscparse.c
index e754a82c5..0c34eb143 100644
--- a/psi/dscparse.c
+++ b/psi/dscparse.c
@@ -3822,7 +3822,7 @@ dsc_dcs2_fixup(CDSC *dsc)
DSC_OFFSET *pbegin;
DSC_OFFSET *pend;
DSC_OFFSET end;
- CDCS2 *pdcs = dsc->dcs2;
+ CDCS2 *pdcs = NULL;
/* Now treat the initial EPS file as a single page without
* headers or trailer, so page extraction will fetch the
* the correct separation. */
@@ -3888,6 +3888,14 @@ dsc_dcs2_fixup(CDSC *dsc)
*pbegin = *pend;
end = 0; /* end of composite is start of first separation */
+ /* we used to do this where the pointer is declared, but Coverity points out
+ * that dsc_alloc_string can call dsc_reset which can free dsc and dsc->dcs2.
+ * By deferring the initialisation to here we can ensure we don't have a
+ * dangling pointer. This makes me suspiciouos that DCS (not DSC!) comments
+ * have never worked properly.
+ */
+ pdcs = dsc->dcs2;
+
while (pdcs) {
page_number = dsc->page_count;
if ((pdcs->begin) && (pdcs->colourname != NULL)) {
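Review bot: The new comment at the top of this hunk says dsc_reset() "can free dsc and dsc->dcs2", but the commit message says it frees only dsc->dcs2 and sets it to NULL; if dsc itself were freed, the deferred `pdcs = dsc->dcs2;` would itself be a use-after-free, so the comment should state exactly what dsc_reset() does. A shorter, accurate replacement for the six-line comment would be `/* Assigned here rather than at declaration: per the page_count == 1 path above, dsc_alloc_string() may call dsc_reset(), which frees dsc->dcs2 and sets it to NULL. */` (this also drops the "suspiciouos" typo). Deferring the assignment removes the dangling pointer, but once dsc_reset() has run dsc->dcs2 is NULL and `while (pdcs)` does no work, so any separations recorded before the reset are silently dropped — the author's own suspicion — and a comment recording that outcome would help the next reader. If the loop body, which continues past the hunk, calls dsc_alloc_string() again, the same reset could free dsc->dcs2 mid-iteration and leave pdcs dangling inside the loop; worth confirming against the full function. dsc_dcs2_fixup() begins before and ends after this hunk.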