Hi,
Coverity issue "CID 1299032 Explicit null dereferenced" points, I think, to a real problem in the stub marshaller code that widl generates.
The IDL is: interface IAccIdentity : IUnknown { HRESULT GetIdentityString([in] DWORD idchild, [out, size_is(*string_len)] BYTE **str, [out] DWORD *string_len); }
the generated stub is:
void __RPC_STUB IAccIdentity_GetIdentityString_Stub( IRpcStubBuffer* This, IRpcChannelBuffer *_pRpcChannelBuffer, PRPC_MESSAGE _pRpcMessage, DWORD* _pdwStubPhase) { struct __frame_IAccIdentity_GetIdentityString_Stub __f, * const __frame = &__f;
__frame->_This = (IAccIdentity*)((CStdStubBuffer*)This)->pvServerObject;
NdrStubInitialize(_pRpcMessage, &__frame->_StubMsg, &Object_StubDesc, _pRpcChannelBuffer);
RpcExceptionInit( 0, __finally_IAccIdentity_GetIdentityString_Stub ); __frame->str = 0; __frame->string_len = 0;
RpcTryFinally { if ((_pRpcMessage->DataRepresentation & 0xffff) != NDR_LOCAL_DATA_REPRESENTATION) NdrConvert( &__frame->_StubMsg, &__MIDL_ProcFormatString.Format[216]);
__frame->_StubMsg.Buffer = (unsigned char *)(((ULONG_PTR)__frame->_StubMsg.Buffer + 3) & ~0x3); if (__frame->_StubMsg.Buffer + sizeof(DWORD) > __frame->_StubMsg.BufferEnd) { RpcRaiseException(RPC_X_BAD_STUB_DATA); } __frame->idchild = *(DWORD *)__frame->_StubMsg.Buffer; __frame->_StubMsg.Buffer += sizeof(DWORD);
__frame->str = NdrAllocate(&__frame->_StubMsg, *__frame->string_len * 4); // DEREFERENCED memset(__frame->str, 0, *__frame->string_len * 4); __frame->string_len = &__frame->_W0; // ACTUALLY initialized __frame->_W0 = 0;
Note that `__frame->string_len` is still the null pointer assigned at the top of the stub when `NdrAllocate(&__frame->_StubMsg, *__frame->string_len * 4)` (and the following memset) dereferences it; it is only pointed at `__frame->_W0` afterwards. As quoted, nothing between the `__frame->string_len = 0;` initialization and the NdrAllocate call touches that pointer, so this looks like a guaranteed NULL dereference in the stub rather than a Coverity false positive.
The generator should emit `__frame->string_len = &__frame->_W0; __frame->_W0 = 0;` before the NdrAllocate/memset that use `*__frame->string_len`. In other words, widl seems to get the ordering wrong when an [out] pointer's size_is() refers to another [out] parameter that is itself marshalled via a local (_W0).
Ciao, Marcus