zeux/pugixml

Static analyzer: Null pointer dereference

AnaLGiN83 opened this issue · 2 comments

Hello!
The Svace static analyzer warning seems possible to me, so please confirm or disprove the nullptr dereference possibility.

Static analyzer report:

After having been compared to a NULL value at pugixml.cpp:2390,
pointer 'dest' is passed as 1st parameter in call to function
'pugi::impl::(anonymous namespace)::xml_allocator::deallocate_string' at pugixml.cpp:2413,
where it is dereferenced at pugixml.cpp:686.

if (header & header_mask) alloc->deallocate_string(dest);

zeux commented

dest can never be null in this branch because source_length == 0 implicitly checks for that condition. Unsure if your static analyzer processes assertions, adding assert(dest || source_length == 0); to the top of the function may help silence this.

Sorry, I'm not reading the code right :) The fact that dest is not null is guaranteed by the bit check in the quoted line, the header always has a bit set if the string is allocated (which implies it's not null). So it's still a false positive, just not for the reason I mentioned.
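To make the invariant zeux describes concrete ("flag bit set in the header implies the string pointer is non-null, and only flagged strings are ever deallocated"), here is an added example. It is not pugixml's code: `string_owner`, `header_mask`, `assign`, `point_at_constant` and `invariant_holds` are assumed names modelled on the pattern quoted above, and the assert at the top of `assign` is the kind of explicit precondition that helps a static analyzer (and a reader) see why the deallocation path cannot dereference null.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

namespace demo {

// Hypothetical flag bit: set on the header only while 'dest' points at a
// heap buffer owned by this object (modelled on pugixml's header_mask idea).
const uintptr_t header_mask = 1u << 0;

struct string_owner {
    uintptr_t header = 0;        // flag bits
    const char* dest = nullptr;  // owned heap buffer, shared constant, or null
};

// Allocate a buffer for 'len' characters plus the terminator.
const char* allocate_string(size_t len) {
    char* p = static_cast<char*>(std::malloc(len + 1));
    assert(p);  // out-of-memory handling is out of scope for this example
    return p;
}

// Unconditional dereference: this is the line an analyzer would flag if it
// cannot see that every caller only passes flagged (hence non-null) strings.
void deallocate_string(const char* s) {
    volatile char first = s[0];  // stands in for pugixml reading the block header
    (void)first;
    std::free(const_cast<char*>(s));
}

// Analogue of a strcpy_insitu-style assignment. Precondition made explicit:
// if the ownership flag is set, dest is non-null (it was returned by
// allocate_string, which never returns null).
void assign(string_owner& o, const char* source, size_t source_length) {
    assert(!(o.header & header_mask) || o.dest);

    if (source_length == 0) {
        // Empty string: no allocation required, release any owned buffer.
        if (o.header & header_mask) deallocate_string(o.dest);
        o.dest = nullptr;
        o.header &= ~header_mask;
        return;
    }

    const char* buf = allocate_string(source_length);
    std::memcpy(const_cast<char*>(buf), source, source_length);
    const_cast<char*>(buf)[source_length] = 0;

    if (o.header & header_mask) deallocate_string(o.dest);
    o.dest = buf;
    o.header |= header_mask;  // owned from now on
}

// Point at a string we do not own (e.g. a literal): flag stays clear, so the
// deallocation branch in assign() is never taken for it, even though dest
// is non-null. This is why the flag, not a null check, governs deallocation.
void point_at_constant(string_owner& o, const char* literal) {
    if (o.header & header_mask) deallocate_string(o.dest);
    o.dest = literal;
    o.header &= ~header_mask;
}

// The invariant the analyzer could not infer on its own.
bool invariant_holds(const string_owner& o) {
    return !(o.header & header_mask) || o.dest != nullptr;
}

}  // namespace demo
```

The `assert` in `assign` does not change behaviour in release builds; its value is that both an analyzer that understands assertions and a human reviewer can confirm the deallocation path is reachable only with a non-null pointer, which is what turns this report into a documented false positive rather than an open question.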

Thanks for the explanation!