From 5f24a32f0cc4513dfb9825900d561b3a6771b87c Mon Sep 17 00:00:00 2001
From: Ken Sharp
Date: Fri, 15 Nov 2019 14:22:04 +0000
Subject: Coverity ID 350216 - prevent dangling pointer

The variable pdcs is declared an immediately initialised to be dsc->dcs2. Coverity correctly points out that if dsc->page_count is 1 we enter dsc_alloc_string, which can call dsc_reset() where, if dsc->dcs2 is set, it will be freed and dsc->dcs2 will be set to Null, leaving pdcs dangling. By deferring the assignment of pdcs until it is actuallused we can be certain that it is valid.
---
 psi/dscparse.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'psi/dscparse.c')

diff --git a/psi/dscparse.c b/psi/dscparse.c
index e754a82c5..0c34eb143 100644
--- a/psi/dscparse.c
+++ b/psi/dscparse.c
@@ -3822,7 +3822,7 @@ dsc_dcs2_fixup(CDSC *dsc)
 DSC_OFFSET *pbegin;
 DSC_OFFSET *pend;
 DSC_OFFSET end;
- CDCS2 *pdcs = dsc->dcs2;
+ CDCS2 *pdcs = NULL;
 /* Now treat the initial EPS file as a single page without
 * headers or trailer, so page extraction will fetch the
 * the correct separation. */
@@ -3888,6 +3888,14 @@ dsc_dcs2_fixup(CDSC *dsc)
 *pbegin = *pend;
 end = 0; /* end of composite is start of first separation */
+ /* we used to do this where the pointer is declared, but Coverity points out
+ * that dsc_alloc_string can call dsc_reset which can free dsc and dsc->dcs2.
+ * By deferring the initialisation to here we can ensure we don't have a
+ * dangling pointer. This makes me suspiciouos that DCS (not DSC!) comments
+ * have never worked properly.
+ */
+ pdcs = dsc->dcs2;
+
 while (pdcs) {
 page_number = dsc->page_count;
 if ((pdcs->begin) && (pdcs->colourname != NULL)) {
-- 
cgit v1.2.1
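Review bot: The added comment in the second hunk says dsc_reset "can free dsc and dsc->dcs2", but the commit message says only dsc->dcs2 is freed and set to NULL; if dsc itself were freed, the deferred `pdcs = dsc->dcs2` would be a use-after-free of dsc rather than a fix, so the comment should say what actually happens: `that dsc_alloc_string can call dsc_reset, which frees dsc->dcs2 and sets it to NULL.` The deferral is only sufficient if nothing between the new assignment and each use of pdcs can trigger dsc_reset again; the `while (pdcs)` body continues past the hunk, so if it calls dsc_alloc_string on the same dsc while walking the list, the same dangling-pointer hazard reappears inside the loop and is worth checking there too. On wording, `suspiciouos` is misspelled, and the speculation that DCS comments have never worked belongs in a tracked issue or a TODO rather than an inline comment. dsc_dcs2_fixup begins and ends outside both hunks.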