Null pointer dereferences (FORWARD_NULL) in mg_iobuf_init()

[jameshilliard]

I'm seeing this get flagged by coverity: https://github.com/cesanta/mongoose/blob/0a265e79a67d7bfcdca27f2ccb98ccb474677ec6/src/iobuf.c#L47

Passing "io" to "mg_iobuf_resize", which dereferences null "io->buf".

[scaprile]

As the function is called with new_size=0, dereferencing occurs in zeromem(), which checks for null, and free(), which is safe. Nothing to worry about here.

[jameshilliard]

As the function is called with new_size=0, dereferencing occurs in zeromem(), which checks for null, and free(), which is safe.

I don't think that's what it's complaining about:

2335int mg_iobuf_resize(struct mg_iobuf *io, size_t new_size) {
2336  int ok = 1;
2337  new_size = roundup(new_size, io->align);

1. Condition new_size == 0, taking false branch.

2338  if (new_size == 0) {
2339    zeromem(io->buf, io->size);
2340    free(io->buf);
2341    io->buf = NULL;
2342    io->len = io->size = 0;

2. Condition new_size != io->size, taking true branch.

2343  } else if (new_size != io->size) {
2344    // NOTE(lsm): do not use realloc here. Use calloc/free only, to ease the
2345    // porting to some obscure platforms like FreeRTOS
2346    void *p = calloc(1, new_size);

3. Condition p != NULL, taking true branch.

2347    if (p != NULL) {
2348      size_t len = new_size < io->len ? new_size : io->len;

4. Condition len > 0, taking true branch.
5. deref_parm_in_call: Function memmove dereferences io->buf.

2349      if (len > 0) memmove(p, io->buf, len);
2350      zeromem(io->buf, io->size);
2351      free(io->buf);
2352      io->buf = (unsigned char *) p;
2353      io->size = new_size;
2354    } else {
2355      ok = 0;
2356      MG_ERROR(("%lld->%lld", (uint64_t) io->size, (uint64_t) new_size));
2357    }
2358  }
2359  return ok;
2360}

[scaprile]

free() and zeromem() are safe, but memmove() should not get a null pointer

[cpq]

Shall this issue be closed?