possible NULL dereference bugs in libgtkhtml



Hey all,
	First, if this is not the right list for libgtkhtml devel
discussions, would someone please point me to the appropriate list? The
following were picked up by an automated checker here at Stanford.  They
were found by looking at where a program checks a variable against NULL
(meaning that it's probably possible) and then later dereferences it
unprotectedly. Consequently many of these reports should (hopefully)
either be real bugs (the variable actually could've been NULL), or
extraneous and possibly misleading snippets of code. Your input on its
effectiveness would be appreciated since I don't know much about this
program.


>>>>>>>>>>> htmlstyleborder.c:60
if (border)
	memcpy (result, border, sizeof (HtmlStyleBorder));
result->refcount = 0;
if (border->top.color)
<<<<<<<<<<
If border ever is NULL, the check is useless because it will dereference
it in the if test.

This construction happened in these similar places
htmlstyleinherited.c : 61
htmlstyleoutline.c : 53


>>>>>>>>>> htmlstylebox.c:76
if (!(style->box && html_length_equals(&style->box->height, height))){
	if (style->box->refcount > 1)
		html_style_set_style_box(style, html_style_box_dup (style->box));
	html_length_set (&style->box->height, height);
<<<<<<<<<<
If style->box ever is NULL (it was checked for) then the
if test will short-circuit right after that. Since the whole thing is
negated, style->box will be dereferenced in the subsequent if test (and then
*again* right after that statement).  This construction happened a lot so
I'll just list the places that it happened.

htmlstylebox.c : 66, 76, 86, 96, 107, 118
htmlstylesurround.c : 61, 71, 81, 91, 101, 111, 121, 131, 141, 151, 161,
171

Cheers,
Brian

ps - If you have comments please make sure I'm included, since I'm not
subscribed to this list
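The two shapes Brian reports, each written out beside a NULL-safe rewrite, as an added example that is not part of the original post and not libgtkhtml's own code. The struct and function names only mimic the snippets above and are hypothetical; the ref-counted Color that the `top.color` check is assumed to guard is likewise an assumption made for illustration.

```c
/* Added example, not libgtkhtml code: the two "NULL-checked, then
 * dereferenced anyway" shapes from the report, each beside a NULL-safe
 * rewrite.  Type and function names only mimic the report and are
 * hypothetical; the ref-counted Color is assumed for illustration. */
#include <stdlib.h>
#include <string.h>

typedef struct { int refcount; } Color;
typedef struct { Color *top_color; int refcount; } StyleBorder;
typedef struct { int height; int refcount; } StyleBox;
typedef struct { StyleBox *box; } Style;

static void color_ref(Color *c) { c->refcount++; }

/* Shape 1, as reported (htmlstyleborder.c:60): the NULL test guards only
 * the memcpy; `border->top_color` is then read unconditionally, so a NULL
 * border crashes here instead of producing an empty copy. */
static StyleBorder *border_dup_buggy(const StyleBorder *border)
{
    StyleBorder *result = calloc(1, sizeof *result);
    if (!result) return NULL;
    if (border)
        memcpy(result, border, sizeof *result);
    result->refcount = 0;
    if (border->top_color)          /* NULL dereference when border == NULL */
        color_ref(border->top_color);
    return result;
}

/* Shape 1, fixed: every dereference of `border` lives inside the check,
 * so a NULL input yields a zeroed, unshared border instead of a crash. */
static StyleBorder *border_dup_safe(const StyleBorder *border)
{
    StyleBorder *result = calloc(1, sizeof *result);
    if (!result) return NULL;
    if (border) {
        memcpy(result, border, sizeof *result);
        if (border->top_color)      /* the copy shares the color: take a ref */
            color_ref(border->top_color);
    }
    result->refcount = 0;
    return result;
}

static StyleBox *box_dup(const StyleBox *box)
{
    StyleBox *copy = malloc(sizeof *copy);
    if (!copy) return NULL;
    *copy = *box;
    copy->refcount = 1;
    return copy;
}

/* Shape 2, as reported (htmlstylebox.c:76): `style->box &&` short-circuits
 * when box is NULL, the leading `!` then makes the body run, and the body
 * dereferences box twice. */
static void style_set_height_buggy(Style *style, int height)
{
    if (!(style->box && style->box->height == height)) {
        if (style->box->refcount > 1)       /* crash when box == NULL */
            style->box = box_dup(style->box);
        style->box->height = height;
    }
}

/* Shape 2, fixed: the NULL case gets its own branch, and a shared box is
 * unshared (copy-on-write) before it is written.  Returns 0 on success,
 * -1 on allocation failure. */
static int style_set_height_safe(Style *style, int height)
{
    if (!style->box) {
        style->box = calloc(1, sizeof *style->box);
        if (!style->box) return -1;
        style->box->refcount = 1;
    } else if (style->box->height == height) {
        return 0;                           /* already set, nothing to write */
    } else if (style->box->refcount > 1) {
        StyleBox *copy = box_dup(style->box);
        if (!copy) return -1;
        style->box->refcount--;             /* drop our share of the old box */
        style->box = copy;
    }
    style->box->height = height;
    return 0;
}

int main(void)
{
    Color red = { 1 };
    StyleBorder b = { &red, 1 };
    StyleBorder *copy = border_dup_buggy(&b);   /* fine with a non-NULL border */
    free(copy);
    copy = border_dup_safe(NULL);               /* the case the report flags */
    free(copy);

    Style s = { NULL };
    style_set_height_safe(&s, 10);              /* NULL box: allocated, not dereferenced */
    style_set_height_buggy(&s, 20);             /* non-NULL box: the buggy shape works */
    free(s.box);
    return 0;
}
```

The point of the rewrite is structural: a pointer is only dereferenced on a path where it has already been proven non-NULL, so the check and the use cannot drift apart again. Both buggy functions above are kept only to show the shape; calling them with a NULL argument segfaults, which is exactly what the checker is warning about.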



