[jboss-jira] [JBoss JIRA] (ELY-752) Coverity static analysis: Dereference null return value in SerializedPermissionCollection (Elytron)
David Lloyd (JIRA)
issues at jboss.org
Mon Nov 14 09:51:00 EST 2016
[ https://issues.jboss.org/browse/ELY-752?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Lloyd resolved ELY-752.
-----------------------------
Resolution: Rejected
What Coverity cannot see is that SerializedPermissionCollection is only ever generated for classes which have a newPermissionCollection method which has a non-null return value. Thus I think this is actually "safe" and there is no case which can produce an NPE (other than a corrupted stream, which can produce all manner of other problems as well).
> Coverity static analysis: Dereference null return value in SerializedPermissionCollection (Elytron)
> ---------------------------------------------------------------------------------------------------
>
> Key: ELY-752
> URL: https://issues.jboss.org/browse/ELY-752
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Darran Lofthouse
> Labels: static_analysis
>
> Coverity static-analysis scan found possible use of null object coming from {{SerializedPermissionCollection.readResolve()}} method.
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760016&defectInstanceId=1541372&mergedDefectId=1369305
> The {{newPermissionCollection()}} call may return null in the code:
> {code}
> final PermissionCollection collection = s.newPermissionCollection();
> {code}
> It's then used without a null-check in the method:
> {code}
> for (Permission permission : p) {
>     collection.add(permission);
> }
> if (r) collection.setReadOnly();
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
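
An added example, not part of the original message and not Elytron's code: a hypothetical serialization proxy whose `readResolve()` turns a null `newPermissionCollection()` result into an `InvalidObjectException`, which is how the corrupted-stream case mentioned in the resolution would surface as a deserialization failure instead of an NPE. The class names `ReadResolveNullCheck`, `NoCollectionPermission` and `CollectionProxy` are assumptions; the field names `s`, `p` and `r` follow the quoted snippet.

```java
import java.io.*;
import java.security.*;

public class ReadResolveNullCheck {
    // Constructed permission type: inherits Permission.newPermissionCollection(), which returns null.
    static final class NoCollectionPermission extends Permission {
        NoCollectionPermission(String name) { super(name); }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof NoCollectionPermission && getName().equals(((Permission) o).getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }
    // Hypothetical proxy (assumption), not Elytron's SerializedPermissionCollection.
    static final class CollectionProxy implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Permission s;     // sample permission that supplies the collection type
        private final Permission[] p;   // permissions to re-add
        private final boolean r;        // read-only flag
        CollectionProxy(Permission s, Permission[] p, boolean r) { this.s = s; this.p = p; this.r = r; }

        private Object readResolve() throws ObjectStreamException {
            if (s == null || p == null) throw new InvalidObjectException("missing proxy fields");
            final PermissionCollection collection = s.newPermissionCollection();
            if (collection == null) {
                throw new InvalidObjectException("no PermissionCollection for " + s.getClass().getName());
            }
            for (Permission permission : p) {
                collection.add(permission);
            }
            if (r) collection.setReadOnly();
            return collection;
        }
    }
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        byte[] data = bytes.toByteArray();
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) { return in.readObject(); }
    }
    public static void main(String[] args) throws Exception {
        Permission ok = new RuntimePermission("getClassLoader");
        System.out.println(roundTrip(new CollectionProxy(ok, new Permission[] { ok }, true)));
        Permission bad = new NoCollectionPermission("demo");
        try {
            roundTrip(new CollectionProxy(bad, new Permission[] { bad }, false));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```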