Hi all,
I found few memory related issues in elementary package when performed static analysis on it.
These issues include:
Array indices getting out of bounds, freed memory address being passed to a function as parameter, memory not getting cleaned up because of earlier return statement.
Issues details:
1. In elm_widget.c inside function elm_widget_signal_callback_del(), it is possible that freed memory address esd is passed to the sd->callback_del_func(). I think it should be data, not esd.
Moreover what if the callback frees memory for data, then the other problem is that the return value is data from the function elm_widget_signal_callback_del() which in my opinion can be a problem.
2. Inside directory src/edje_externals for files elm_genlist.c, elm_notify.c, elm_list.c, elm_thumb.c and elm_map.c, array indices can go beyound bounary.
sizeof() operator for an array of character pointers will return [number of elements in the array * size of (char*)], basically 4 times the number of elements which has been taken care in assertion inside src/edje_extenarnals
while performing assertion but has been missed in the next statement in the loop condition.
3. In file src/lib/elm_config.c inside function _elm_config_profiles_list, freeing of file iterator has been missed out.
Please review the attached patch and let me know your opinion.
Thanks.
Regards,
Rajeev
git-svn-id: svn+ssh://svn.enlightenment.org/var/svn/e/trunk/elementary@63550
7cbeb6ba-43b4-40fd-8cce-
4c39aea84d33
assert(sizeof(list_horizontal_choices)/sizeof(list_horizontal_choices[0]) == ELM_LIST_LAST + 1);
- for (i = 0; i < sizeof(list_horizontal_choices); i++)
+ for (i = 0; i < ELM_LIST_LAST; i++)
{
if (!strcmp(horizontal_str, list_horizontal_choices[i]))
return i;
#define CHOICE_GET(CHOICES, STR) \
unsigned int i; \
- for (i = 0; i < sizeof(CHOICES); i++) \
+ for (i = 0; i < (sizeof(CHOICES)/sizeof(CHOICES[0])); i++) \
if (strcmp(STR, CHOICES[i]) == 0) \
return i
assert(sizeof(zoom_choices)/sizeof(zoom_choices[0]) ==
ELM_MAP_ZOOM_MODE_LAST + 1);
- for (i = 0; i < sizeof(zoom_choices); i++)
+ for (i = 0; i < ELM_MAP_ZOOM_MODE_LAST; i++)
if (!strcmp(map_src, zoom_choices[i])) return i;
return ELM_MAP_ZOOM_MODE_LAST;
assert(sizeof(orients)/sizeof(orients[0]) ==
ELM_NOTIFY_ORIENT_LAST + 1);
- for (i = 0; i < sizeof(orients); i++)
+ for (i = 0; i < ELM_NOTIFY_ORIENT_LAST; i++)
if (!strcmp(orient, orients[i])) return i;
return ELM_NOTIFY_ORIENT_LAST;
assert(sizeof(choices)/sizeof(choices[0]) == ELM_PHOTOCAM_ZOOM_MODE_LAST + 1);
- for (i = 0; i < sizeof(choices); i++)
+ for (i = 0; i < ELM_PHOTOCAM_ZOOM_MODE_LAST; i++)
{
if (!strcmp(zoom_mode_str, choices[i]))
return i;
assert(sizeof(choices)/sizeof(choices[0]) == ELM_THUMB_ANIMATION_LAST + 1);
- for (i = 0; i < sizeof(choices); i++)
+ for (i = 0; i < ELM_THUMB_ANIMATION_LAST; i++)
{
if (!strcmp(anim_str, choices[i]))
return i;
continue;
}
}
- return flist;
-
eina_iterator_free(file_it);
+ return flist;
list_free:
EINA_LIST_FREE(flist, dir)
break;
}
}
- sd->callback_del_func(obj, emission, source, _edje_signal_callback, esd);
+ sd->callback_del_func(obj, emission, source, _edje_signal_callback, data);
return data;
}
projects / framework / uifw / elementary.git / commitdiff