| Project Name | CID | Checker | Category | Developer Description |
|---|---|---|---|---|
| ScummVM | 1003944 | OVERRUN | Memory - illegal accesses | Realy nice catch by Coverity. We've been getting report on the random crashes, and here it is, the swapped check for index and actual indexed array value. Thanks, Coverity! |
3631 3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 |
if (fn == CONV_DEF) g_InvD[INV_CONV].inventoryY = 8; else if (fn == CONV_BOTTOM) g_InvD[INV_CONV].inventoryY = 150; } extern void ConvPoly(HPOLYGON hPoly) { g_thisConvPoly = hPoly; } extern int GetIcon() { return g_thisIcon; } extern void CloseDownConv() { if (g_InventoryState == ACTIVE_INV && g_ino == INV_CONV) { KillInventory(); } } extern void HideConversation(bool bHide) { int aniX, aniY; int i; |
< 1. Condition "Tinsel::g_InventoryState == Tinsel::ACTIVE_INV", taking true branch
< 2. Condition "Tinsel::g_ino == Tinsel::INV_CONV", taking true branch
3655 |
if (g_InventoryState == ACTIVE_INV && g_ino == INV_CONV) { |
< 3. Condition "bHide", taking false branch
3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671 3672 |
if (bHide) { // Move all the window and icons off-screen for (i = 0; i < MAX_WCOMP && g_objArray[i]; i++) { MultiAdjustXY(g_objArray[i], 2 * SCREEN_WIDTH, 0); } for (i = 0; i < MAX_ICONS && g_iconArray[i]; i++) { MultiAdjustXY(g_iconArray[i], 2 * SCREEN_WIDTH, 0); } // Window is hidden g_InventoryHidden = true; // Remove any labels InvLabels(false, 0, 0); } else { // Window is not hidden g_InventoryHidden = false; |
< 4. Condition "Tinsel::_vm->getVersion() == Tinsel::TINSEL_V2", taking true branch
< 5. Condition "Tinsel::g_ItemsChanged", taking true branch
3674 3675 |
if (TinselV2 && g_ItemsChanged) // Just rebuild the whole thing |
< 6. Falling through to end of if statement
3676 3677 3678 3679 3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 |
ConstructInventory(FULL);
else {
// Move it all back on-screen
for (i = 0; g_objArray[i] && i < MAX_WCOMP; i++) {
MultiAdjustXY(g_objArray[i], -2 * SCREEN_WIDTH, 0);
}
// Don't flash if items changed. If they have, will be redrawn anyway.
if (TinselV2 || !g_ItemsChanged) {
for (i = 0; g_iconArray[i] && i < MAX_ICONS; i++) {
MultiAdjustXY(g_iconArray[i], -2*SCREEN_WIDTH, 0);
}
}
}
|
< 7. Condition "Tinsel::_vm->getVersion() == Tinsel::TINSEL_V2", taking true branch
< 8. Condition "Tinsel::g_bMoveOnUnHide", taking true branch
3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 |
if (TinselV2 && g_bMoveOnUnHide) { /* * First time, position it appropriately */ int left, center; int x, y, deltay; // Only do it once per conversation g_bMoveOnUnHide = false; // Current center of the window left = MultiLeftmost(g_RectObject); center = (MultiRightmost(g_RectObject) + left) / 2; // Get the x-offset for the conversation window |
< 9. Condition "Tinsel::g_thisConvActor", taking true branch
3706 3707 3708 3709 3710 3711 3712 |
if (g_thisConvActor) { int Loffset, Toffset; GetActorMidTop(g_thisConvActor, &x, &y); PlayfieldGetPos(FIELD_WORLD, &Loffset, &Toffset); x -= Loffset; y -= Toffset; |
< 10. Falling through to end of if statement
3713 3714 3715 3716 3717 3718 3719 |
} else { x = SCREEN_WIDTH / 2; y = SCREEN_BOX_HEIGHT2 / 2; } // Save old y-position deltay = g_InvD[INV_CONV].inventoryY; |
< 11. Switch case value "Tinsel::CONV_TOP"
3721 3722 3723 |
switch (g_thisConvFn) { case CONV_TOP: g_InvD[INV_CONV].inventoryY = SysVar(SV_CONV_TOPY); |
< 12. Breaking from switch
3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737 3738 3739 3740 3741 |
break; case CONV_BOTTOM: g_InvD[INV_CONV].inventoryY = SysVar(SV_CONV_BOTY); break; case CONV_DEF: g_InvD[INV_CONV].inventoryY = y - SysVar(SV_CONV_ABOVE_Y); break; default: break; } // Calculate y change deltay = g_InvD[INV_CONV].inventoryY - deltay; // Move it all |
< 13. Condition "Tinsel::g_objArray[i]", taking true branch
< 14. Condition "i < 21", taking true branch
< 16. Condition "Tinsel::g_objArray[i]", taking true branch
< 17. Condition "i < 21", taking true branch
<< 18. Checking "i < 21" implies that "i" may be up to 20 on the true branch.
<< 20. Incrementing "i". The value of "i" may now be up to 21.
<<< CID 1003944: Memory - illegal accesses OVERRUN <<< 21. Overrunning array "Tinsel::g_objArray" of 21 8-byte elements at element index 21 (byte offset 168) using index "i" (which evaluates to 21).
3742 3743 |
for (i = 0; g_objArray[i] && i < MAX_WCOMP; i++) { MultiMoveRelXY(g_objArray[i], x - center, deltay); |
< 15. Jumping back to the beginning of the loop
< 19. Jumping back to the beginning of the loop
3744 3745 3746 3747 3748 3749 3750 3751 3752 3753 3754 3755 3756 3757 3758 3759 3760 3761 3762 3763 3764 3765 3766 3767 3768 3769 3770 |
}
for (i = 0; g_iconArray[i] && i < MAX_ICONS; i++) {
MultiMoveRelXY(g_iconArray[i], x - center, deltay);
}
g_InvD[INV_CONV].inventoryX += x - center;
/*
* Now positioned as worked out
* - but it must be in a sensible place
*/
if (MultiLeftmost(g_RectObject) < SysVar(SV_CONV_MINX))
x = SysVar(SV_CONV_MINX) - MultiLeftmost(g_RectObject);
else if (MultiRightmost(g_RectObject) > SCREEN_WIDTH - SysVar(SV_CONV_MINX))
x = SCREEN_WIDTH - SysVar(SV_CONV_MINX) - MultiRightmost(g_RectObject);
else
x = 0;
if (g_thisConvFn == CONV_DEF && MultiHighest(g_RectObject) < SysVar(SV_CONV_MINY)
&& g_thisConvActor) {
int Loffset, Toffset;
PlayfieldGetPos(FIELD_WORLD, &Loffset, &Toffset);
y = GetActorBottom(g_thisConvActor) - MultiHighest(g_RectObject) +
SysVar(SV_CONV_BELOW_Y);
y -= Toffset;
}
else |
| 18. cond_at_most | dialogs.cpp:3742 | |
| 20. incr | dialogs.cpp:3742 | |
| 21. overrun-local | dialogs.cpp:3742 |