Fix many important issues reported by clang-analyzer

binr/radiff2/radiff2.c

@@ -266,7 +266,7 @@ int main(int argc, char **argv) {
 		r_anal_diff_setup_i (c->anal, diffops, threshold, threshold);
 		r_anal_diff_setup_i (c2->anal, diffops, threshold, threshold);
 		if (mode == MODE_GRAPH) {
-			char *words = strdup (addr);
+			char *words = strdup (addr? addr: "0");
 			char *second = strstr (words, ",");
 			if (second) {
 				ut64 off;

binr/rafind2/rafind2.c

@@ -103,7 +103,7 @@ static int rafind_open(char *file) {
 	}
 	if (mode == R_SEARCH_MAGIC) {
 		char *tostr = (to && to != UT64_MAX)?
-			r_str_newf ("-e search.to=%"PFMT64d, to): "";
+			r_str_newf ("-e search.to=%"PFMT64d, to): strdup ("");
 		char *cmd = r_str_newf ("r2"
 			" -e search.in=range"
 			" -e search.align=%d"
@@ -112,8 +112,7 @@ static int rafind_open(char *file) {
 			align, from, tostr, file);
 		system (cmd);
 		free (cmd);
-		if (tostr)
-			free (tostr);
+		free (tostr);
 		return 0;
 	}
 	if (mode == R_SEARCH_KEYWORD) {

binr/rax2/rax2.c

@@ -347,7 +347,7 @@ static int use_stdin () {
 	int l, sflag = (flags & 5);
 	if (! (flags & 16384)) {
 		for (l=0; l>=0; l++) {
-			int n = read (0, buf+l, sizeof (buf)-l-1);
+			int n = read (0, buf+l, STDIN_BUFFER_SIZE-1);
 			if (n<1) break;
 			l+= n;
 			if (buf[l-1]==0) {
@@ -355,7 +355,7 @@ static int use_stdin () {
 				continue;
 			}
 			buf[n] = 0;
-			if (sflag && strlen (buf) < sizeof (buf)) // -S
+			if (sflag && strlen (buf) < STDIN_BUFFER_SIZE) // -S
 				buf[strlen (buf)] = '\0';
 			else buf[strlen (buf)-1] = '\0';
 			if (!rax (buf, l, 0)) break;

libr/anal/esil2reil.c

@@ -7,6 +7,7 @@
 
 #define REIL_TEMP_PREFIX "V"
 #define REIL_REG_PREFIX "R_"
+#define REGBUFSZ 32
 
 void reil_flag_spew_inst(RAnalEsil *esil, const char *flag);
 static const char *ops[] = { FOREACHOP(REIL_OP_STRING) };
@@ -40,16 +41,16 @@ RAnalReilArgType reil_get_arg_type(RAnalEsil *esil, char *s) {
 
 // Marshall the struct into a string
 void reil_push_arg(RAnalEsil *esil, RAnalReilArg *op) {
-	char tmp_buf[32];
-	snprintf(tmp_buf, sizeof(tmp_buf) - 1, "%s:%d", op->name, op->size);
-	r_anal_esil_push(esil, tmp_buf);
+	char tmp_buf[REGBUFSZ];
+	snprintf(tmp_buf, REGBUFSZ, "%s:%d", op->name, op->size);
+	r_anal_esil_push (esil, tmp_buf);
 }
 
 // Unmarshall the string in stack to the struct.
 RAnalReilArg *reil_pop_arg(RAnalEsil *esil) {
 	RAnalReilArg *op;
 	int i, j = 0, flag = 0, len;
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	char *buf = r_anal_esil_pop(esil);
 	if (!buf) return NULL;
 	len = strlen(buf);
@@ -89,9 +90,8 @@ RAnalReilArg *reil_pop_arg(RAnalEsil *esil) {
 
 // Get the next available temp register.
 void get_next_temp_reg(RAnalEsil *esil, char *buf) {
-	int n;
-	n = esil->Reil->reilNextTemp;
-	snprintf(buf, sizeof(buf) - 1, "%s_%02d", REIL_TEMP_PREFIX, n);
+	snprintf (buf, REGBUFSZ, REIL_TEMP_PREFIX"_%02d",
+		esil->Reil->reilNextTemp);
 	esil->Reil->reilNextTemp++;
 }
 
@@ -116,7 +116,7 @@ void reil_free_inst(RAnalReilInst *ins) {
 
 // Automatically increments the seq_num of the instruction.
 void reil_print_inst(RAnalEsil *esil, RAnalReilInst *ins) {
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	int i;
 
 	if ((!ins) || (!esil)) return;
@@ -146,15 +146,15 @@ void reil_print_inst(RAnalEsil *esil, RAnalReilInst *ins) {
 // Used to cast sizes during assignment. OR is used for casting.
 // Pushes the new *casted* src onto stack. Warning: Frees the original src!
 void reil_cast_size(RAnalEsil *esil, RAnalReilArg *src, RAnalReilArg *dst) {
+	char tmp_buf[REGBUFSZ];
+	RAnalReilInst *ins;
+
 	// No need to case sizes if dst and src are of same size.
 	if (src->size == dst->size) {
 		reil_push_arg(esil, src);
 		return;
 	}
-	char tmp_buf[32];
-	RAnalReilInst *ins;
-
-	snprintf(tmp_buf, sizeof(tmp_buf) - 1, "0:%d", dst->size);
+	snprintf (tmp_buf, REGBUFSZ-1, "0:%d", dst->size);
 	r_anal_esil_push (esil, tmp_buf);
 	ins = R_NEW0 (RAnalReilInst);
 	ins->opcode = REIL_OR;
@@ -174,13 +174,13 @@ void reil_cast_size(RAnalEsil *esil, RAnalReilArg *src, RAnalReilArg *dst) {
 // Here start translation functions!
 static int reil_eq(RAnalEsil *esil) {
 	RAnalReilInst *ins;
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilArgType src_type, dst_type;
 	RAnalReilArg *dst, *src;
 	
-	dst = reil_pop_arg(esil);
+	dst = reil_pop_arg (esil);
 	if (!dst) return false;
-	src = reil_pop_arg(esil);
+	src = reil_pop_arg (esil);
 	if (!src) {
 		R_FREE (dst);
 		return false;
@@ -224,9 +224,9 @@ static int reil_eq(RAnalEsil *esil) {
 		reil_print_inst(esil, ins);
 
 		// Used for setting the flags
-		snprintf(esil->Reil->old, sizeof(esil->Reil->old) - 1, "%s:%d",
+		snprintf (esil->Reil->old, sizeof (esil->Reil->old) - 1, "%s:%d",
 				ins->arg[2]->name, ins->arg[2]->size);
-		snprintf(esil->Reil->cur, sizeof(esil->Reil->cur) - 1, "%s:%d", dst->name,
+		snprintf (esil->Reil->cur, sizeof (esil->Reil->cur) - 1, "%s:%d", dst->name,
 				dst->size);
 		esil->Reil->lastsz = dst->size;
 
@@ -268,7 +268,7 @@ static int reil_eq(RAnalEsil *esil) {
 // General function for operations that take 2 operands
 static int reil_binop(RAnalEsil *esil, RAnalReilOpcode opcode) {
 	RAnalReilInst *ins;
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	ut8 dst_size;
 	RAnalReilArg *op2, *op1;
 	
@@ -337,7 +337,7 @@ static int reil_smaller(RAnalEsil *esil) { return reil_binop (esil, REIL_LT);
 
 static int reil_cmp(RAnalEsil *esil) {
 	RAnalReilInst *ins;
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilArg *op2, *op1;
 
 	op2 = reil_pop_arg(esil);
@@ -483,7 +483,7 @@ static int reil_inceq(RAnalEsil *esil) {
 }
 
 static int reil_neg(RAnalEsil *esil) {
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilInst *ins;
 	RAnalReilArg *op = reil_pop_arg(esil);
 	if (!op) return false;
@@ -518,7 +518,7 @@ static int reil_negeq(RAnalEsil *esil) {
 }
 
 static int reil_not(RAnalEsil *esil) {
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilInst *ins;
 	RAnalReilArg *op = reil_pop_arg(esil);
 	if (!op) return false;
@@ -565,7 +565,7 @@ static int reil_if_end(RAnalEsil *esil) { return true; }
 
 static int reil_peek(RAnalEsil *esil) {
 	RAnalReilInst *ins;
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilArg *op1 = reil_pop_arg(esil);
 	if (!op1) return false;
 
@@ -620,7 +620,7 @@ static int reil_peek8(RAnalEsil *esil) { return reil_peekn(esil, 8); }
 
 // n = 8, 4, 2, 1
 static int reil_poken(RAnalEsil *esil, ut8 n) {
-	char tmp_buf[32];
+	char tmp_buf[REGBUFSZ];
 	RAnalReilInst *ins;
 	RAnalReilArg *op2, *op1;
 	
@@ -643,9 +643,9 @@ static int reil_poken(RAnalEsil *esil, ut8 n) {
 		reil_make_arg(esil, ins->arg[2], tmp_buf);
 		ins->arg[2]->size = ins->arg[0]->size;
 		reil_print_inst(esil, ins);
-		snprintf(esil->Reil->old, sizeof(esil->Reil->old) - 1, "%s:%d",
+		snprintf(esil->Reil->old, sizeof (esil->Reil->old) - 1, "%s:%d",
 				ins->arg[2]->name, ins->arg[2]->size);
-		snprintf(esil->Reil->cur, sizeof(esil->Reil->cur) - 1, "%s:%d", op2->name,
+		snprintf(esil->Reil->cur, sizeof (esil->Reil->cur) - 1, "%s:%d", op2->name,
 				op2->size);
 		esil->lastsz = n * 8;
 		reil_push_arg(esil, op1);

libr/anal/meta.c

@@ -399,7 +399,7 @@ static int meta_print_item(void *user, const char *k, const char *v) {
 	it.str = strchr (v2+1, ',');
 	if (it.str)
 		it.str = (char *)sdb_decode ((const char*)it.str+1, 0);
-	else it.str = strdup (it.str); // don't break in free
+	else it.str = strdup (it.str? it.str: ""); // don't break in free
 	printmetaitem (ui->anal, &it, ui->rad);
 	free (it.str);
 beach:

libr/bin/dwarf.c

@@ -1194,8 +1194,8 @@ static const ut8 *r_bin_dwarf_parse_attr_value (const ut8 *obuf, int obuf_len,
 	case DW_FORM_block1:
 		value->encoding.block.length = READ (buf, ut8);
 
-		value->encoding.block.data = calloc(sizeof(ut8),
-				value->encoding.block.length);
+		value->encoding.block.data = calloc (sizeof (ut8),
+				value->encoding.block.length + 1);
 
 		for (j = 0; j < value->encoding.block.length; j++) {
 			value->encoding.block.data[j] = READ (buf, ut8);

libr/bin/format/omf/omf.c

@@ -91,12 +91,11 @@ static int load_omf_lnames(OMF_record *record, const char *buf, ut64 buf_size) {
 		if (next<1) break;
 		tmp_size += next;
 	}
-	if (!(ret->elems = R_NEWS0 (char *, ret->nb_elem))) {
-		R_FREE(ret);
+	if (!(ret->elems = R_NEWS0 (char *, ret->nb_elem + 1))) {
+		R_FREE (ret);
 		return false;
 	}
 	names = (char **)ret->elems;
-
 	tmp_size = 0;
 	while ((int)tmp_size < (int)(record->size - 1)) {
 		if (ct_name >= ret->nb_elem) {

libr/bin/mangling/microsoft_demangle.c

@@ -121,7 +121,7 @@ static void run_state(	SStateInfo *state_info,
 int copy_string(STypeCodeStr *type_code_str, char *str_for_copy, unsigned int copy_len)
 {
 	int res = 1; // all is OK
-	int str_for_copy_len = (copy_len == 0) ? strlen(str_for_copy) : copy_len;
+	int str_for_copy_len = (copy_len == 0 && str_for_copy) ? strlen (str_for_copy) : copy_len;
 	int free_space = type_code_str->type_str_len - type_code_str->curr_pos - 1;
 	char *dst = 0;
 

libr/bin/p/bin_art.c

@@ -35,7 +35,7 @@ static int art_header_load(ARTHeader *art, RBuffer *buf, Sdb *db) {
 	sdb_set (db, "img.size", sdb_fmt (0, "0x%x", art->image_size), 0);
 	sdb_set (db, "art.checksum", sdb_fmt (0, "0x%x", art->checksum), 0);
 	sdb_set (db, "art.version", sdb_fmt (0, "%c%c%c",
-		art->version[0], art->version[1], art->version[2]), 0);
+				art->version[0], art->version[1], art->version[2]), 0);
 	sdb_set (db, "oat.begin", sdb_fmt (0, "0x%x", art->oat_begin), 0);
 	sdb_set (db, "oat.end", sdb_fmt (0, "0x%x", art->oat_end), 0);
 	sdb_set (db, "oat_data.begin", sdb_fmt (0, "0x%x", art->oat_data_begin), 0);

libr/bin/p/bin_ningb.c

@@ -7,9 +7,6 @@
 #include <string.h>
 #include "../format/nin/nin.h"
 
-static int check(RBinFile *arch);
-static int check_bytes(const ut8 *buf, ut64 length);
-
 static Sdb* get_sdb (RBinObject *o) {
 	if (!o) return NULL;
 	//struct r_bin_[NAME]_obj_t *bin = (struct r_bin_r_bin_[NAME]_obj_t *) o->bin_obj;
@@ -21,12 +18,6 @@ static void * load_bytes(RBinFile *arch, const ut8 *buf, ut64 sz, ut64 loadaddr,
 	return R_NOTNULL;
 }
 
-static int check(RBinFile *arch) {
-	const ut8 *bytes = arch ? r_buf_buffer (arch->buf) : NULL;
-	ut64 sz = arch ? r_buf_size (arch->buf): 0;
-	return check_bytes (bytes, sz);
-}
-
 static int check_bytes(const ut8 *buf, ut64 length) {
 	ut8 lict[48];
 	if (!buf || length < (0x104+48))
@@ -35,6 +26,12 @@ static int check_bytes(const ut8 *buf, ut64 length) {
 	return (!memcmp (lict, lic, 48))? 1: 0;
 }
 
+static int check(RBinFile *arch) {
+	const ut8 *bytes = arch ? r_buf_buffer (arch->buf) : NULL;
+	ut64 sz = arch ? r_buf_size (arch->buf): 0;
+	return check_bytes (bytes, sz);
+}
+
 static int load(RBinFile *arch) {
 	const ut8 *bytes = arch ? r_buf_buffer (arch->buf) : NULL;
 	ut64 sz = arch ? r_buf_size (arch->buf): 0;

libr/bin/p/bin_smd.c

@@ -133,7 +133,7 @@ static RBinInfo* info(RBinFile *arch) {
 static void addsym(RList *ret, const char *name, ut64 addr) {
 	RBinSymbol *ptr = R_NEW0 (RBinSymbol);
 	if (!ptr) return;
-	ptr->name = strdup (name);
+	ptr->name = strdup (name? name: "");
 	ptr->paddr = ptr->vaddr = addr;
 	ptr->size = 0;
 	ptr->ordinal = 0;

libr/core/cmd.c

@@ -563,9 +563,9 @@ static int cmd_kuery(void *data, const char *input) {
 		if (!r_config_get_i (core->config, "scr.interactive"))
 			return false;
 		if (input[1]==' ') {
-			char *n = n, *o, *p = strdup (input+2);
+			char *n, *o, *p = strdup (input+2);
 			// TODO: slash split here? or inside sdb_ns ?
-			for (o = p; n; o = n) {
+			for (n = o = p; n; o = n) {
 				n = strchr (o, '/'); // SDB_NS_SEPARATOR NAMESPACE
 				if (n) *n++ = 0;
 				s = sdb_ns (s, o, 1);

libr/core/graph.c

@@ -552,7 +552,8 @@ static void create_layers (RAGraph *g) {
 			//FIXME how to handle properly this error ret2libc?
 			continue;
 		}
-		g->layers[i].nodes = R_NEWS (RGraphNode *, g->layers[i].n_nodes);
+		g->layers[i].nodes = R_NEWS (RGraphNode *,
+			1 + g->layers[i].n_nodes);
 		g->layers[i].position = 0;
 	}
 	graph_foreach_anode (nodes, it, gn, n) {
@@ -980,10 +981,8 @@ static void adjust_directions (const RAGraph *g, int i, int from_up, Sdb *D, Sdb
 		const RANode *wpa, *vpa = get_anode (vp);
 
 		if (!vpa->is_dummy) continue;
-		if (from_up)
-			wp = r_list_get_n (r_graph_innodes (g->graph, vp), 0);
-		else
-			wp = r_graph_nth_neighbour (g->graph, vp, 0);
+		if (from_up) wp = r_list_get_n (r_graph_innodes (g->graph, vp), 0);
+		else wp = r_graph_nth_neighbour (g->graph, vp, 0);
 		wpa = get_anode (wp);
 		if (!wpa->is_dummy) continue;
 

libr/core/panels.c

@@ -114,11 +114,11 @@ static int curnode = 0;
 
 static void Panel_print(RConsCanvas *can, Panel *n, int cur) {
 	char title[128];
-	int delta_x = n->sx;
-	int delta_y = n->sy;
-
-	if (!can)
+	int delta_x, delta_x;
+	if (!n || !can)
 		return;
+	delta_x = n->sx;
+	delta_y = n->sy;
 	// clear
 	F(n->x, n->y, n->w, n->h, ' ');
 	if (n->type == PANEL_TYPE_FRAME) {

libr/core/visual.c

@@ -346,7 +346,7 @@ static void findPair (RCore *core) {
 	p = (const ut8*)strchr (keys, ch);
 	if (p) {
 		delta = (size_t)(p-(const ut8*)keys);
-		ch = (delta%2)? p[-1]: p[1];
+		ch = (delta%2 && p != keys)? p[-1]: p[1];
 	}
 	len = 1;
 	buf[0] = ch;

libr/util/debruijn.c

@@ -49,10 +49,10 @@ static void de_bruijn_seq(int prenecklace_len_t, int lyndon_prefix_len_p, int or
 // to free the memory.
 static char* de_bruijn(const char* charset, int order, int maxlen) {
 	int size = strlen (charset);
-	int* prenecklace_a = calloc(size * order, sizeof(int));
-	char* sequence = calloc(maxlen + 1, sizeof(char));
-	de_bruijn_seq(1, 1, order, maxlen, size, prenecklace_a, sequence, charset);
-	free(prenecklace_a);
+	int* prenecklace_a = calloc (size * order, sizeof(int));
+	char* sequence = calloc (maxlen + 1, sizeof(char));
+	de_bruijn_seq (1, 1, order, maxlen, size, prenecklace_a, sequence, charset);
+	free (prenecklace_a);
 	return sequence;
 }
 

shlr/java/class.c

@@ -300,7 +300,7 @@ R_API ut32 U(r_bin_java_swap_uint)(ut32 x) {
 	return (Byte0 << 24) | (Byte1 << 8) | (Byte2 >> 8) | (Byte3 >> 24);
 }
 
-static ut8 R_BIN_JAVA_NULL_TYPE_INITTED = 0;
+static bool R_BIN_JAVA_NULL_TYPE_INITTED = false;
 // XXX - this is a global variable used while parsing the class file
 // if multi-threaded class parsing is enabled, this variable needs to
 // be guarded with a lock.
@@ -1185,17 +1185,16 @@ R_API int sdb_iterate_build_list(void *user, const char *k, const char *v) {
 }
 
 R_API RBinJavaCPTypeObj* r_bin_java_get_java_null_cp() {
-	if(R_BIN_JAVA_NULL_TYPE_INITTED)
+	if (R_BIN_JAVA_NULL_TYPE_INITTED)
 		return &R_BIN_JAVA_NULL_TYPE;
-	R_BIN_JAVA_NULL_TYPE_INITTED = 1;
 	memset (&R_BIN_JAVA_NULL_TYPE, 0, sizeof (R_BIN_JAVA_NULL_TYPE));
-	R_BIN_JAVA_NULL_TYPE.metas = R_NEW0(RBinJavaMetaInfo);
-	if (R_BIN_JAVA_NULL_TYPE.metas == NULL)
-		return NULL;
+	R_BIN_JAVA_NULL_TYPE.metas = R_NEW0 (RBinJavaMetaInfo);
+	if (!R_BIN_JAVA_NULL_TYPE.metas) return NULL;
 	memset (R_BIN_JAVA_NULL_TYPE.metas, 0, sizeof (RBinJavaMetaInfo));
 	R_BIN_JAVA_NULL_TYPE.metas->type_info = &R_BIN_JAVA_CP_METAS[0];
 	R_BIN_JAVA_NULL_TYPE.metas->ord = 0;
 	R_BIN_JAVA_NULL_TYPE.file_offset = 0;
+	R_BIN_JAVA_NULL_TYPE_INITTED = true;
 	return &R_BIN_JAVA_NULL_TYPE;
 }
 

shlr/tcc/tccgen.c

@@ -1473,16 +1473,14 @@ static void type_decl(CType *type, AttributeDef *ad, int *v, int td)
         post_type(type, ad);
         nocode_wanted = saved_nocode_wanted;
     } else {
-{
 	    char kind[1024];
 	    char *name = get_tok_str (*v, NULL);
 	    type_to_str (kind, sizeof(kind), type, NULL);
 	    //eprintf ("---%d %s STATIC %s\n", td, kind, name);
 	    global_symname = name;
 	    global_type = kind;
-}
-        post_type(type, ad);
-}
+	    post_type(type, ad);
+    }
     type->t |= storage;
     if (tok == TOK_ATTRIBUTE1 || tok == TOK_ATTRIBUTE2)
         parse_attribute(ad);