Examples of errors detected by the V774 diagnostic
V774. Pointer was used after the memory was released.
Augeas
V774 The 'child' pointer was used after the memory was reallocated. augtool.c 151
static char *readline_path_generator(const char *text, int state)
{
....
if (ctx != NULL) {
char *c = realloc(child, strlen(child)-strlen(ctx)+1); // <=
if (c == NULL)
return NULL;
int ctxidx = strlen(ctx);
if (child[ctxidx] == SEP) // <=
ctxidx++;
strcpy(c, &child[ctxidx]); // <=
child = c;
}
....
}
Similar errors can be found in some other places:
- V774 The 'child' pointer was used after the memory was reallocated. augtool.c 153
Bind
V774 The 'res' pointer was used after the memory was released. sample-request.c 225
int
main(int argc, char *argv[]) {
....
struct addrinfo hints, *res;
....
gaierror = getaddrinfo(argv[0], "53", &hints, &res);
....
memmove(&sa.type, res->ai_addr, res->ai_addrlen);
freeaddrinfo(res); // <=
sa.length = (unsigned int)res->ai_addrlen; // <=
....
}
Similar errors can be found in some other places:
- V774 The 'res' pointer was used after the memory was released. sample-update.c 193
- V774 The 'res' pointer was used after the memory was released. sample-update.c 217
MuseScore
V774 The 'slur' pointer was used after the memory was released. importgtp-gp6.cpp 2072
void GuitarPro6::readGpif(QByteArray* data)
{
if (c) {
slur->setTick2(c->tick());
score->addElement(slur);
legatos[slur->track()] = 0;
}
else {
delete slur;
legatos[slur->track()] = 0;
}
}
ICU
V774 CWE-416 The 'mzMappings' pointer was used after the memory was released. zonemeta.cpp 713
UVector*
ZoneMeta::createMetazoneMappings(const UnicodeString &tzid) {
UVector *mzMappings = NULL;
....
if (U_SUCCESS(status)) {
....
if (U_SUCCESS(status)) {
....
while (ures_hasNext(rb)) {
....
if (mzMappings == NULL) {
mzMappings = new UVector(
deleteOlsonToMetaMappingEntry, NULL, status);
if (U_FAILURE(status)) {
delete mzMappings;
uprv_free(entry);
break;
}
}
....
}
....
}
}
ures_close(rb);
return mzMappings;
}
Code is complicated and I find it difficult to say exactly, if there is a bug or not. But it seems to me, it is possible that this function will return a pointer to the memory block being freed.
Qalculate!
V774 The 'cu' pointer was used after the memory was released. Calculator.cc 3595
MathStructure Calculator::convertToBestUnit(....)
{
....
CompositeUnit *cu = new CompositeUnit("", "....");
cu->add(....);
Unit *u = getBestUnit(cu, false, eo.local_currency_conversion);
if(u == cu) {
delete cu; // <=
return mstruct_new;
}
delete cu; // <=
if(eo.approximation == APPROXIMATION_EXACT &&
cu->hasApproximateRelationTo(u, true)) { // <=
if(!u->isRegistered()) delete u;
return mstruct_new;
}
....
}
Haiku Operation System
V774 The 'device' pointer was used after the memory was released. xhci.cpp 1572
void
XHCI::FreeDevice(Device *device)
{
uint8 slot = fPortSlots[device->HubPort()];
TRACE("FreeDevice() port %d slot %d\n", device->HubPort(), slot);
// Delete the device first, so it cleans up its pipes and tells us
// what we need to destroy before we tear down our internal state.
delete device;
DisableSlot(slot);
fDcba->baseAddress[slot] = 0;
fPortSlots[device->HubPort()] = 0;
delete_area(fDevices[slot].trb_area);
delete_area(fDevices[slot].input_ctx_area);
delete_area(fDevices[slot].device_ctx_area);
memset(&fDevices[slot], 0, sizeof(xhci_device));
fDevices[slot].state = XHCI_STATE_DISABLED;
}
Similar errors can be found in some other places:
- V774 The 'self' pointer was used after the memory was released. TranslatorRoster.cpp 884
- V774 The 'string' pointer was used after the memory was released. RemoteView.cpp 1269
- V774 The 'bs' pointer was used after the memory was released. mkntfs.c 4291
- And 2 additional diagnostic messages.
MuseScore
V774 The 'slur' pointer was used after the memory was released. importgtp-gp6.cpp 2592
void GuitarPro6::readGpif(QByteArray* data)
{
....
if (c) {
slur->setTick2(c->tick());
score->addElement(slur);
legatos[slur->track()] = 0;
} else {
delete slur;
legatos[slur->track()] = 0;
}
....
}