Potential NULL pointer dereference in fun_solver_assign_base_values

SRI-CSL / yices2

The Yices SMT Solver

https://yices.csl.sri.com/

GNU General Public License v3.0

370 stars 47 forks source link

Potential NULL pointer dereference in fun_solver_assign_base_values #108

Closed shaobo-he closed 5 years ago

shaobo-he commented 5 years ago

buffer is initialized to an empty vector and is then resized via resize_ivector. If p can be 0, then resize_ivector does nothing, causing buffer.data to be NULL.

The error trace starting from fun_solver_assign_base_values is attached. Bug7.txt

BrunoDutertre commented 5 years ago

Here's the code fragment that sets p:

      h = type_card(solver->types, sigma);
      p = i - m;
      if (p > h) p = h;

h is positive because there are no empty types in Yices and i is larger than m. So p can't be zero.