From dc88935877bffb44846f847d4605eef3143289ae Mon Sep 17 00:00:00 2001 From: Elaine Wang Date: Thu, 27 Dec 2012 15:18:15 +0800 Subject: [PATCH] klockwork: Fix libva klocwork scaning issues Fix NULL pointer dereference risk issues and uninitialized variables Signed-off-by: Elaine Wang Change-Id: I839a9def7b08c41c1f075e4cd1cc06e8bb0c8c9e --- va/va.c | 13 +++++++++---- va/va_fool.c | 30 +++++++++++++++--------------- va/va_trace.c | 4 ++-- 3 files changed, 26 insertions(+), 21 deletions(-) diff --git a/va/va.c b/va/va.c index 45ff5f2..e331f74 100644 --- a/va/va.c +++ b/va/va.c @@ -86,10 +86,9 @@ int va_parseConfig(char *env, char *env_value) fclose(fp); /* no setting in config file, use env setting */ - if (getenv(env)) { - if (env_value) - strncpy(env_value, getenv(env), 1024); - + value = getenv(env); + if (value) { + strncpy(env_value, value, 1024); return 0; } @@ -214,6 +213,12 @@ static VAStatus va_openDriver(VADisplay dpy, char *driver_name) char *driver_path = (char *) malloc( strlen(driver_dir) + strlen(driver_name) + strlen(DRIVER_EXTENSION) + 2 ); + if (!driver_path) { + va_errorMessage("%s L%d Out of memory!n", + __FUNCTION__, __LINE__); + return VA_STATUS_ERROR_ALLOCATION_FAILED; + } + strncpy( driver_path, driver_dir, strlen(driver_dir) + 1); strncat( driver_path, "/", strlen("/") ); strncat( driver_path, driver_name, strlen(driver_name) ); diff --git a/va/va_fool.c b/va/va_fool.c index 807307e..3c7161b 100644 --- a/va/va_fool.c +++ b/va/va_fool.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -50,7 +51,7 @@ * . if set, decode does nothing * LIBVA_FOOL_ENCODE=: * . if set, encode does nothing, but fill in the coded buffer from the content of files with - * name framename.0,framename.1,framename.2, ..., framename.N, framename.N,framename.N,... + * name framename.0,framename.1,..., framename.N, framename.0,..., framename.N,...repeatly * LIBVA_FOOL_JPEG=:fill the content of filename to codedbuf for jpeg encoding * LIBVA_FOOL_POSTP: * . if set, do nothing for vaPutSurface @@ -256,31 +257,30 @@ VAStatus va_FoolBufferInfo( static int va_FoolFillCodedBufEnc(int idx) { char file_name[1024]; - struct stat file_stat; + struct stat file_stat = {0}; VACodedBufferSegment *codedbuf; int i, fd = -1; /* try file_name.file_count, if fail, try file_name.file_count-- */ for (i=0; i<=1; i++) { - sprintf(file_name, "%s.%d", - fool_context[idx].fn_enc, - fool_context[idx].file_count); + snprintf(file_name, 1024, "%s.%d", + fool_context[idx].fn_enc, + fool_context[idx].file_count); if ((fd = open(file_name, O_RDONLY)) != -1) { fstat(fd, &file_stat); fool_context[idx].file_count++; /* open next file */ break; - } - - fool_context[idx].file_count--; /* fall back to previous file */ - if (fool_context[idx].file_count < 0) + } else /* fall back to the first file file */ fool_context[idx].file_count = 0; } if (fd != -1) { fool_context[idx].segbuf_enc = realloc(fool_context[idx].segbuf_enc, file_stat.st_size); read(fd, fool_context[idx].segbuf_enc, file_stat.st_size); close(fd); - } + } else + va_errorMessage("Open file %s failed:%s\n", file_name, strerror(errno)); + codedbuf = (VACodedBufferSegment *)fool_context[idx].fool_buf[VAEncCodedBufferType]; codedbuf->size = file_stat.st_size; codedbuf->bit_offset = 0; @@ -295,18 +295,18 @@ static int va_FoolFillCodedBufEnc(int idx) static int va_FoolFillCodedBufJPG(int idx) { - struct stat file_stat; + struct stat file_stat = {0}; VACodedBufferSegment *codedbuf; int i, fd = -1; - if ((fd = open(fool_context[idx].fn_jpg, O_RDONLY)) != -1) + if ((fd = open(fool_context[idx].fn_jpg, O_RDONLY)) != -1) { fstat(fd, &file_stat); - - if (fd != -1) { fool_context[idx].segbuf_jpg = realloc(fool_context[idx].segbuf_jpg, file_stat.st_size); read(fd, fool_context[idx].segbuf_jpg, file_stat.st_size); close(fd); - } + } else + va_errorMessage("Open file %s failed:%s\n", fool_context[idx].fn_jpg, strerror(errno)); + codedbuf = (VACodedBufferSegment *)fool_context[idx].fool_buf[VAEncCodedBufferType]; codedbuf->size = file_stat.st_size; codedbuf->bit_offset = 0; diff --git a/va/va_trace.c b/va/va_trace.c index e6fd2b2..45856d7 100644 --- a/va/va_trace.c +++ b/va/va_trace.c @@ -1054,12 +1054,12 @@ static void va_TraceVASliceParameterBufferH264( if (p->slice_type == 0 || p->slice_type == 1) { va_TraceMsg(idx, "\tRefPicList0 ="); - for (i = 0; i < p->num_ref_idx_l0_active_minus1 + 1; i++) { + for (i = 0; (i < p->num_ref_idx_l0_active_minus1 + 1 && i < 32); i++) { va_TraceMsg(idx, "%d-%d-0x%08x-%d\n", p->RefPicList0[i].TopFieldOrderCnt, p->RefPicList0[i].BottomFieldOrderCnt, p->RefPicList0[i].picture_id, p->RefPicList0[i].frame_idx); } if (p->slice_type == 1) { va_TraceMsg(idx, "\tRefPicList1 ="); - for (i = 0; i < p->num_ref_idx_l1_active_minus1 + 1; i++) + for (i = 0; (i < p->num_ref_idx_l1_active_minus1 + 1 && i < 32); i++) { va_TraceMsg(idx, "%d-%d-0x%08x-%d\n", p->RefPicList1[i].TopFieldOrderCnt, p->RefPicList1[i].BottomFieldOrderCnt, p->RefPicList1[i].picture_id, p->RefPicList1[i].frame_idx); } -- 2.7.4