Fwd: New Defects reported by Coverity Scan for RTEMS
Joel Sherrill
joel at rtems.org
Wed May 10 13:33:19 UTC 2023
Hi,
Sebastian, I know this is third-party code that you just imported, but this
looks like a potentially serious issue.
Does anyone see how this could occur? Have a suggestion?
Minimum is to report it upstream. I did that years ago with another issue
in zlib.
--joel
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Wed, May 10, 2023 at 12:22 AM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <build at rtems.org>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found
with Coverity Scan.
7 new defect(s) introduced to RTEMS found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
________________________________________________________________________________________________________
*** CID 1529957: Memory - corruptions (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()
317 n = (unsigned)len;
318
319 /* first just try copying data from the output buffer */
320 if (state->x.have) {
321 if (state->x.have < n)
322 n = state->x.have;
>>> CID 1529957: Memory - corruptions (OVERRUN)
>>> Calling "memcpy" with "state->x.next" and "n" is suspicious because
of the very large index, 4294967295. The index may be due to a negative
parameter being interpreted as unsigned.
323 memcpy(buf, state->x.next, n);
324 state->x.next += n;
325 state->x.have -= n;
326 }
327
328 /* output buffer empty -- return if we're at the end of the input */
________________________________________________________________________________________________________
*** CID 1529956: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 51 in z_compress2()
45 stream.avail_out = 0;
46 stream.next_in = (z_const Bytef *)source;
47 stream.avail_in = 0;
48
49 do {
50 if (stream.avail_out == 0) {
>>> CID 1529956: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "left > 4294967295UL /* (z_uLong)max */" is always false regardless
of the values of its operands. This occurs as the logical first operand of
"?:".
51 stream.avail_out = left > (uLong)max ? max : (uInt)left;
52 left -= stream.avail_out;
53 }
54 if (stream.avail_in == 0) {
55 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;
56 sourceLen -= stream.avail_in;
________________________________________________________________________________________________________
*** CID 1529955: Memory - corruptions (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()
317 n = (unsigned)len;
318
319 /* first just try copying data from the output buffer */
320 if (state->x.have) {
321 if (state->x.have < n)
322 n = state->x.have;
>>> CID 1529955: Memory - corruptions (OVERRUN)
>>> Calling "memcpy" with "buf" and "n" is suspicious because of the
very large index, 4294967295. The index may be due to a negative parameter
being interpreted as unsigned.
323 memcpy(buf, state->x.next, n);
324 state->x.next += n;
325 state->x.have -= n;
326 }
327
328 /* output buffer empty -- return if we're at the end of the input */
________________________________________________________________________________________________________
*** CID 1529954: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 63 in z_uncompress2()
57
58 stream.next_out = dest;
59 stream.avail_out = 0;
60
61 do {
62 if (stream.avail_out == 0) {
>>> CID 1529954: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "left > 4294967295UL /* (z_uLong)max */" is always false regardless
of the values of its operands. This occurs as the logical first operand of
"?:".
63 stream.avail_out = left > (uLong)max ? max : (uInt)left;
64 left -= stream.avail_out;
65 }
66 if (stream.avail_in == 0) {
67 stream.avail_in = len > (uLong)max ? max : (uInt)len;
68 len -= stream.avail_in;
________________________________________________________________________________________________________
*** CID 1529953: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 55 in z_compress2()
49 do {
50 if (stream.avail_out == 0) {
51 stream.avail_out = left > (uLong)max ? max : (uInt)left;
52 left -= stream.avail_out;
53 }
54 if (stream.avail_in == 0) {
>>> CID 1529953: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "sourceLen > 4294967295UL /* (z_uLong)max */" is always false
regardless of the values of its operands. This occurs as the logical first
operand of "?:".
55 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;
56 sourceLen -= stream.avail_in;
57 }
58 err = deflate(&stream, sourceLen ? Z_NO_FLUSH : Z_FINISH);
59 } while (err == Z_OK);
60
________________________________________________________________________________________________________
*** CID 1529952: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 67 in z_uncompress2()
61 do {
62 if (stream.avail_out == 0) {
63 stream.avail_out = left > (uLong)max ? max : (uInt)left;
64 left -= stream.avail_out;
65 }
66 if (stream.avail_in == 0) {
>>> CID 1529952: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "len > 4294967295UL /* (z_uLong)max */" is always false regardless
of the values of its operands. This occurs as the logical first operand of
"?:".
67 stream.avail_in = len > (uLong)max ? max : (uInt)len;
68 len -= stream.avail_in;
69 }
70 err = inflate(&stream, Z_NO_FLUSH);
71 } while (err == Z_OK);
72
________________________________________________________________________________________________________
*** CID 1329198: Error handling issues (CHECKED_RETURN)
/cpukit/zlib/gzlib.c: 254 in gz_open()
248 if (state->fd == -1) {
249 free(state->path);
250 free(state);
251 return NULL;
252 }
253 if (state->mode == GZ_APPEND) {
>>> CID 1329198: Error handling issues (CHECKED_RETURN)
>>> Calling "lseek" without checking return value (as is done elsewhere
17 out of 21 times).
254 LSEEK(state->fd, 0, SEEK_END); /* so gzoffset() is correct */
255 state->mode = GZ_WRITE; /* simplify later checks */
256 }
257
258 /* save the current position for rewinding (only if reading) */
259 if (state->mode == GZ_READ) {
________________________________________________________________________________________________________