Possible NULL deref in cfp_matcher_range?

[Mikael Magnusson <mikachu@xxxxxxxxx>]

Checking some stuff with clang, and it complained here;

static char *
cfp_matcher_range(Cmatcher *ms, char *add)
{
    Cmatcher *mp, m;
    int len = 0, mt;
    char *ret = NULL, *p = NULL, *adds = add;

    /*
     * Do this twice:  once to work out the length of the
     * string in len, the second time to build it in ret.
     * This is probably worthwhile because otherwise memory
     * management is difficult.
     */
    for (;;) {
    MB_METACHARINIT();
    for (mp = ms; *add; ) {
        convchar_t addc;
        int addlen;

        addlen = MB_METACHARLENCONV(add, &addc);
#ifdef MULTIBYTE_SUPPORT
        if (addc == WEOF)
        addc = (wchar_t)(*p == Meta ? p[1] ^ 32 : *p);
#endif


First run through this code p is NULL, and the other places all (at
least the ones I looked at) protect accesses to p by "if (ret)" (which
is set at the same time as p). Should this do that, and/or do
something clever with len at the same time? Is there any way to
actually trigger addc to be WEOF here? Presumably if it is WEOF on the
second run when  is set, then it was also WEOF the first time.

-- 
Mikael Magnusson