Static analysis shows that blk->size is not initialized after the malloc call on line 252, so garbage can be printed on line 272. The analysis below starts at step #7; following each step, one can see that blk is allocated from the heap (and not zeroed) and that blk->size is printed later on. Note that the only assignment to blk->size is on line 240, which is reached only when a second ":"-separated sub-token follows the format name; otherwise the inner loop breaks on line 235 and the field keeps its indeterminate heap value, which the QZ_PRINT on line 272 then reads. Suggest either assigning blk->size to zero right after the malloc on line 252 or replacing the malloc with a calloc call.
204 QzBlock_T *parseFormatOption(char *buf)
205 {
206 char *str = buf, *sub_str = NULL;
207 char *delim = "/", *sub_delim = ":";
208 char *token, *sub_token;
209 char *saveptr, *sub_saveptr;
210
211 int i, j, fmt_idx;
212 unsigned int fmt_found = 0;
213 QzBlock_T *blk = NULL;
214 QzBlock_T *head, *prev, *r;
215 unsigned int list_len = sizeof(g_format_list) / sizeof(QzFormat_T);
216
217 head = malloc(sizeof(QzBlock_T));
218 assert(NULL != head);
step #7
Assuming 'head' is not equal to null
step #8
Taking true branch
219 head->next = NULL;
220 prev = head;
221
222 for (i = 1; ; i++, str = NULL) {
step #9
Loop condition is true. Entering loop body
step #28
Loop condition is true. Entering loop body
223 token = strtok_r(str, delim, &saveptr);
224 if (NULL == token) {
step #10
Assuming 'token' is not equal to NULL
step #11
Taking false branch
step #29
Assuming 'token' is equal to NULL
step #30
Taking true branch
step #31
Execution continues on line 269
226 }
227 QZ_DEBUG("String[%d]: %s\n", i, token);
228
229 fmt_found = 0;
230 blk = NULL;
231
232 for (j = 1, sub_str = token; ; j++, sub_str = NULL) {
step #12
Loop condition is true. Entering loop body
step #23
Loop condition is true. Entering loop body
233 sub_token = strtok_r(sub_str, sub_delim, &sub_saveptr);
234 if (NULL == sub_token) {
step #13
Assuming 'sub_token' is not equal to NULL
step #14
Taking false branch
step #24
Assuming 'sub_token' is equal to NULL
step #25
Taking true branch
235 break;
step #26
Execution continues on line 264
236 }
237 QZ_DEBUG(" -[%d]-> %s\n", j, sub_token);
238
239 if (fmt_found) {
step #15
Taking false branch
240 blk->size = atoi(sub_token);
241 break;
242 }
243
244 char *tmp = sub_token;
245 while (*tmp) {
step #16
Loop condition is false. Execution continues on line 250
246 *tmp = GET_LOWER_8BITS(toupper(*tmp));
247 tmp++;
248 }
249
250 for (fmt_idx = 0; fmt_idx < list_len; fmt_idx++) {
step #17
Loop condition is true. Entering loop body
251 if (0 == strcmp(sub_token, g_format_list[fmt_idx].fmt_name)) {
step #18
Taking true branch
252 blk = malloc(sizeof(QzBlock_T));
step #19
Uninitialized value stored to field 'size'
253 assert(NULL != blk);
step #20
Assuming 'blk' is not equal to null
step #21
Taking true branch
254
255 blk->fmt = g_format_list[fmt_idx].fmt;
256 blk->next = NULL;
257 prev->next = blk;
258 fmt_found = 1;
259 break;
step #22
Execution continues on line 232
260 }
261 }
262 }
263
264 if (NULL != blk) {
step #27
Taking true branch
265 prev = blk;
266 }
267 }
268
269 blk = head->next;
270 i = 1;
271 while (blk) {
step #32
Loop condition is true. Entering loop body
272 QZ_PRINT("[INFO] Block%d: format -%8s, \tsize - %d\n",
step #33
4th function call argument is an uninitialized value
273 i++, g_format_list[blk->fmt - 1].fmt_name, blk->size);
274 blk = blk->next;
275 }
276
277 if (NULL == head->next) {
278 r = head->next;
279 free(head);
280 } else {
281 r = head;
282 }
283 return r;
284 }
285
Static analysis shows that blk->size is not initialized after the malloc call on line 252, so garbage can be printed on line 272. The analysis above starts at step #7; following each step, one can see that blk is allocated from the heap (and not zeroed) and that blk->size is printed later on. Suggest either assigning blk->size to zero right after the malloc on line 252 or replacing the malloc with a calloc call.