Coverity ID 382008 - NULL pointer derefernce

The pointer dereference is in a memcpy, but I believe that when this happens (pda->base is NULL) then the input data will have been exhausted and so 'len' the bytes to copy will always be zero. While I don't know of any C run-time which will cause an actual problem with this, it seems sensible to avoid it.
author: Ken Sharp <ken.sharp@artifex.com> 2022-11-22 11:36:22 +0000
committer: Ken Sharp <ken.sharp@artifex.com> 2022-11-22 11:36:22 +0000
commit: fec8fa30d2fa70e882f415a9b0eb4b70e4bf452b (patch)
tree: 6d9f4e0fb26bd16cb4ee7d5feef41d75fa1ad667 /psi
parent: aa785c8c7ab620ec9646551196797c930d9a8837 (diff)
download: ghostpdl-fec8fa30d2fa70e882f415a9b0eb4b70e4bf452b.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/psi/iscan.c b/psi/iscan.c
index 3fc14af41..0a5144619 100644
--- a/psi/iscan.c
+++ b/psi/iscan.c
@@ -136,7 +136,13 @@ dynamic_save(da_ptr pda)
 
         if (len > sizeof(pda->buf))
             len = sizeof(pda->buf);
-        memcpy(pda->buf, pda->base, len);
+        /* This can happen if we get a /<CR> at the end of a buffer, and the file is
+         * not at EOF. In this case 'len' will be zero so we don't actually copy any
+         * bytes. So this is safe on current C run-time libraries, but it's probably
+         * best to avoid it. Coverity ID C382008
+         */
+        if (pda->base != NULL)
+            memcpy(pda->buf, pda->base, len);
         pda->next = pda->buf + len;
         pda->base = pda->buf;
     }
author	Ken Sharp <ken.sharp@artifex.com>	2022-11-22 11:36:22 +0000
committer	Ken Sharp <ken.sharp@artifex.com>	2022-11-22 11:36:22 +0000
commit	fec8fa30d2fa70e882f415a9b0eb4b70e4bf452b (patch)
tree	6d9f4e0fb26bd16cb4ee7d5feef41d75fa1ad667 /psi
parent	aa785c8c7ab620ec9646551196797c930d9a8837 (diff)
download	ghostpdl-fec8fa30d2fa70e882f415a9b0eb4b70e4bf452b.tar.gz