patch 9.1.0608: Coverity warns about a few potential issues

Problem:  Coverity warns about a few potential issues
Solution: Fix those issues (see details below)

1) Fix overflow warning in highlight.c
   This happens because we are comparing int with long
   and assign a potential long value to an int, which
   could cause an overflow. So add some casts to ensure
   the value fits into an int.

2) Fix Overflow warning in shift_line().
   This happens because we are performing a division/modulo
   operation of a long type by an int type and assign the result
   to an int, which could then overflow. So before performing
   the operation, trim the long to value to at most max int value,
   so that it can't overflow.

3) Fix overflow warning in syn_list_cluster in syntax.c
   This is essential the same issue as 1)

4) not checking the return value of vim_mkdir() in spellfile.c
   Creating the spell directory could fail. Handle this case
   and return early in this case.

5) qsort() may deref a NULL pointer when fuzzy match does not
   return a result. Fix this by checking that the accessed growarray
   fuzzy_indices actually contains  data. If not we can silently skip
   the qsort() and related logic.

closes: #15284

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/highlight.c b/src/highlight.c
index a71a100dcdd68ff3ecb7d35fdf458c137765f14d..d3ea2d20168592d07fc2e5a6631541cf59c1a873 100644 (file)
--- a/src/highlight.c
+++ b/src/highlight.c
@@ -3351,8 +3351,8 @@ syn_list_header(
 
     if (msg_col >= endcol)     // output at least one space
        endcol = msg_col + 1;
-    if (Columns <= endcol)     // avoid hang for tiny window
-       endcol = Columns - 1;
+    if (Columns <= (long)endcol)       // avoid hang for tiny window
+       endcol = (int)(Columns - 1);
 
     msg_advance(endcol);
 

diff --git a/src/insexpand.c b/src/insexpand.c
index 4ad1f41a647372f93979edb2beb699bdffcf7753..2be63a58ef9cbcf9f6b9b802f2175ea709eb321d 100644 (file)
--- a/src/insexpand.c
+++ b/src/insexpand.c
@@ -3618,16 +3618,21 @@ get_next_filename_completion(void)
            }
        }
 
-       fuzzy_indices_data = (int *)fuzzy_indices.ga_data;
-       qsort(fuzzy_indices_data, fuzzy_indices.ga_len, sizeof(int), compare_scores);
+       // prevent qsort from deref NULL pointer
+       if (fuzzy_indices.ga_len > 0)
+       {
+           fuzzy_indices_data = (int *)fuzzy_indices.ga_data;
+           qsort(fuzzy_indices_data, fuzzy_indices.ga_len, sizeof(int), compare_scores);
+
+           sorted_matches = (char_u **)alloc(sizeof(char_u *) * fuzzy_indices.ga_len);
+           for (i = 0; i < fuzzy_indices.ga_len; ++i)
+               sorted_matches[i] = vim_strsave(matches[fuzzy_indices_data[i]]);
 
-       sorted_matches = (char_u **)alloc(sizeof(char_u *) * fuzzy_indices.ga_len);
-       for (i = 0; i < fuzzy_indices.ga_len; ++i)
-           sorted_matches[i] = vim_strsave(matches[fuzzy_indices_data[i]]);
+           FreeWild(num_matches, matches);
+           matches = sorted_matches;
+           num_matches = fuzzy_indices.ga_len;
+       }
 
-       FreeWild(num_matches, matches);
-       matches = sorted_matches;
-       num_matches = fuzzy_indices.ga_len;
        vim_free(compl_fuzzy_scores);
        ga_clear(&fuzzy_indices);
     }

diff --git a/src/ops.c b/src/ops.c
index 2de2557fbd1aabc7d1ec1344225cfca18b9736dd..eb8f64c1fbcbf0c2d2943d09d9a4c7778ed77d9e 100644 (file)
--- a/src/ops.c
+++ b/src/ops.c
@@ -240,8 +240,8 @@ shift_line(
 
     if (round)                 // round off indent
     {
-       i = count / sw_val;     // number of 'shiftwidth' rounded down
-       j = count % sw_val;     // extra spaces
+       i = trim_to_int(count) / sw_val;        // number of 'shiftwidth' rounded down
+       j = trim_to_int(count) % sw_val;        // extra spaces
        if (j && left)          // first remove extra spaces
            --amount;
        if (left)

diff --git a/src/spellfile.c b/src/spellfile.c
index 51261abfb50e4e632a3f9a5d54a6df89a410594e..0b9536dc16c9a28dbfe43b8176b07e8430f394f6 100644 (file)
--- a/src/spellfile.c
+++ b/src/spellfile.c
@@ -6434,7 +6434,13 @@ init_spellfile(void)
                l = (int)STRLEN(buf);
                vim_snprintf((char *)buf + l, MAXPATHL - l, "/spell");
                if (filewritable(buf) != 2)
-                   vim_mkdir(buf, 0755);
+               {
+                   if (vim_mkdir(buf, 0755) != 0)
+                   {
+                       vim_free(buf);
+                       return;
+                   }
+               }
 
                l = (int)STRLEN(buf);
                vim_snprintf((char *)buf + l, MAXPATHL - l,

diff --git a/src/syntax.c b/src/syntax.c
index 48e71520114007c02677227510bf57ecb74a3851..02120529f3447e56cc9e6e9c27185e0d88c5e45f 100644 (file)
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -4084,8 +4084,8 @@ syn_list_cluster(int id)
 
     if (msg_col >= endcol)     // output at least one space
        endcol = msg_col + 1;
-    if (Columns <= endcol)     // avoid hang for tiny window
-       endcol = Columns - 1;
+    if (Columns <= (long)endcol)       // avoid hang for tiny window
+       endcol = (int)(Columns - 1);
 
     msg_advance(endcol);
     if (SYN_CLSTR(curwin->w_s)[id].scl_list != NULL)

diff --git a/src/version.c b/src/version.c
index e174c790a23f00f01fd90aa233934f6fcfe43a46..bd7457384bfd3c2f9c27c1b22c05a0e931847378 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    608,
 /**/
     607,
 /**/