<div dir="ltr">Hi<div><br></div><div>Sebastian, I know this is third-party code that you just imported, but this looks like a potentially serious issue.</div><div><br></div><div>Does anyone see how this could occur? Have a suggestion?</div><div><br></div><div>Minimum is to report it upstream. I did that years ago with another issue in zlib.</div><div><br></div><div>--joel<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <span dir="auto"><<a href="mailto:scan-admin@coverity.com">scan-admin@coverity.com</a>></span><br>Date: Wed, May 10, 2023 at 12:22 AM<br>Subject: New Defects reported by Coverity Scan for RTEMS<br>To: <<a href="mailto:build@rtems.org">build@rtems.org</a>><br></div><br><br>Hi,<br>
<br>
Please find the latest report on new defect(s) introduced to RTEMS found with Coverity Scan.<br>
<br>
7 new defect(s) introduced to RTEMS found with Coverity Scan.<br>
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.<br>
<br>
New defect(s) Reported-by: Coverity Scan<br>
Showing 7 of 7 defect(s)<br>
<br>
<br>
** CID 1529957: Memory - corruptions (OVERRUN)<br>
/cpukit/zlib/gzread.c: 323 in gz_read()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529957: Memory - corruptions (OVERRUN)<br>
/cpukit/zlib/gzread.c: 323 in gz_read()<br>
317 n = (unsigned)len;<br>
318 <br>
319 /* first just try copying data from the output buffer */<br>
320 if (state->x.have) {<br>
321 if (state->x.have < n)<br>
322 n = state->x.have;<br>
>>> CID 1529957: Memory - corruptions (OVERRUN)<br>
>>> Calling "memcpy" with "state->x.next" and "n" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned.<br>
323 memcpy(buf, state->x.next, n);<br>
324 state->x.next += n;<br>
325 state->x.have -= n;<br>
326 }<br>
327 <br>
328 /* output buffer empty -- return if we're at the end of the input */<br>
<br>
** CID 1529956: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/compress.c: 51 in z_compress2()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529956: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/compress.c: 51 in z_compress2()<br>
45 stream.avail_out = 0;<br>
46 stream.next_in = (z_const Bytef *)source;<br>
47 stream.avail_in = 0;<br>
48 <br>
49 do {<br>
50 if (stream.avail_out == 0) {<br>
>>> CID 1529956: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
>>> "left > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".<br>
51 stream.avail_out = left > (uLong)max ? max : (uInt)left;<br>
52 left -= stream.avail_out;<br>
53 }<br>
54 if (stream.avail_in == 0) {<br>
55 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;<br>
56 sourceLen -= stream.avail_in;<br>
<br>
** CID 1529955: Memory - corruptions (OVERRUN)<br>
/cpukit/zlib/gzread.c: 323 in gz_read()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529955: Memory - corruptions (OVERRUN)<br>
/cpukit/zlib/gzread.c: 323 in gz_read()<br>
317 n = (unsigned)len;<br>
318 <br>
319 /* first just try copying data from the output buffer */<br>
320 if (state->x.have) {<br>
321 if (state->x.have < n)<br>
322 n = state->x.have;<br>
>>> CID 1529955: Memory - corruptions (OVERRUN)<br>
>>> Calling "memcpy" with "buf" and "n" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned.<br>
323 memcpy(buf, state->x.next, n);<br>
324 state->x.next += n;<br>
325 state->x.have -= n;<br>
326 }<br>
327 <br>
328 /* output buffer empty -- return if we're at the end of the input */<br>
<br>
** CID 1529954: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/uncompr.c: 63 in z_uncompress2()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529954: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/uncompr.c: 63 in z_uncompress2()<br>
57 <br>
58 stream.next_out = dest;<br>
59 stream.avail_out = 0;<br>
60 <br>
61 do {<br>
62 if (stream.avail_out == 0) {<br>
>>> CID 1529954: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
>>> "left > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".<br>
63 stream.avail_out = left > (uLong)max ? max : (uInt)left;<br>
64 left -= stream.avail_out;<br>
65 }<br>
66 if (stream.avail_in == 0) {<br>
67 stream.avail_in = len > (uLong)max ? max : (uInt)len;<br>
68 len -= stream.avail_in;<br>
<br>
** CID 1529953: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/compress.c: 55 in z_compress2()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529953: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/compress.c: 55 in z_compress2()<br>
49 do {<br>
50 if (stream.avail_out == 0) {<br>
51 stream.avail_out = left > (uLong)max ? max : (uInt)left;<br>
52 left -= stream.avail_out;<br>
53 }<br>
54 if (stream.avail_in == 0) {<br>
>>> CID 1529953: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
>>> "sourceLen > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".<br>
55 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;<br>
56 sourceLen -= stream.avail_in;<br>
57 }<br>
58 err = deflate(&stream, sourceLen ? Z_NO_FLUSH : Z_FINISH);<br>
59 } while (err == Z_OK);<br>
60 <br>
<br>
** CID 1529952: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/uncompr.c: 67 in z_uncompress2()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1529952: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
/cpukit/zlib/uncompr.c: 67 in z_uncompress2()<br>
61 do {<br>
62 if (stream.avail_out == 0) {<br>
63 stream.avail_out = left > (uLong)max ? max : (uInt)left;<br>
64 left -= stream.avail_out;<br>
65 }<br>
66 if (stream.avail_in == 0) {<br>
>>> CID 1529952: Integer handling issues (CONSTANT_EXPRESSION_RESULT)<br>
>>> "len > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".<br>
67 stream.avail_in = len > (uLong)max ? max : (uInt)len;<br>
68 len -= stream.avail_in;<br>
69 }<br>
70 err = inflate(&stream, Z_NO_FLUSH);<br>
71 } while (err == Z_OK);<br>
72 <br>
<br>
** CID 1329198: Error handling issues (CHECKED_RETURN)<br>
/cpukit/zlib/gzlib.c: 254 in gz_open()<br>
<br>
<br>
________________________________________________________________________________________________________<br>
*** CID 1329198: Error handling issues (CHECKED_RETURN)<br>
/cpukit/zlib/gzlib.c: 254 in gz_open()<br>
248 if (state->fd == -1) {<br>
249 free(state->path);<br>
250 free(state);<br>
251 return NULL;<br>
252 }<br>
253 if (state->mode == GZ_APPEND) {<br>
>>> CID 1329198: Error handling issues (CHECKED_RETURN)<br>
>>> Calling "lseek" without checking return value (as is done elsewhere 17 out of 21 times).<br>
254 LSEEK(state->fd, 0, SEEK_END); /* so gzoffset() is correct */<br>
255 state->mode = GZ_WRITE; /* simplify later checks */<br>
256 }<br>
257 <br>
258 /* save the current position for rewinding (only if reading) */<br>
259 if (state->mode == GZ_READ) {<br>
<br>
<br>
________________________________________________________________________________________________________<br>
To view the defects in Coverity Scan visit, <a href="https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DEiX8_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMp8WaML92U0oGaAdE-2BladfeKLEnJvH80FuzhY2Yfq7hSyrfWMtnz98DIv1gPuJDyiW-2Fb-2FWWKohjoZMaUrtS9JkQ1olVsU6VJd06UJYsv8EDla7bF-2F2E6dxgIdXghVhgJU-2FC5vOxuDiRAPKuTJzStpvcdFEr-2FT7MpBPdFvTdRtKO4A-3D-3D" rel="noreferrer" target="_blank">https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DEiX8_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMp8WaML92U0oGaAdE-2BladfeKLEnJvH80FuzhY2Yfq7hSyrfWMtnz98DIv1gPuJDyiW-2Fb-2FWWKohjoZMaUrtS9JkQ1olVsU6VJd06UJYsv8EDla7bF-2F2E6dxgIdXghVhgJU-2FC5vOxuDiRAPKuTJzStpvcdFEr-2FT7MpBPdFvTdRtKO4A-3D-3D</a><br>
<br>
_______________________________________________<br>
build mailing list<br>
<a href="mailto:build@rtems.org" target="_blank">build@rtems.org</a><br>
<a href="http://lists.rtems.org/mailman/listinfo/build" rel="noreferrer" target="_blank">http://lists.rtems.org/mailman/listinfo/build</a><br>
</div></div></div>
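The following is an added example, not zlib's or RTEMS's code and not part of the message above. It models the two arithmetic patterns the report flags so they can be stepped through on a host. Structure and function names (<code>out_window</code>, <code>copy_from_window</code>, <code>chunk_count</code>, <code>copied_for</code>) are hypothetical stand-ins. Two facts it relies on: in upstream zlib 1.2.13 the lines just above gzread.c:317, which the report does not show, set <code>n</code> to <code>(unsigned)-1</code> and only lower it to <code>len</code> when <code>len</code> fits in an <code>unsigned</code>, which is where Coverity's 4294967295 comes from, and the <code>x.have</code> check on lines 321-322 then bounds the <code>memcpy</code> by what is actually buffered; and the "always false" verdict on <code>left > 4294967295UL</code> means <code>unsigned long</code> is 32 bits in the analyzed build, so <code>uLong</code> and <code>uInt</code> have the same range and the chunking in compress2/uncompress2 never splits.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the state->x output window in gzread.c (hypothetical name). */
struct out_window {
    unsigned char *next;  /* state->x.next */
    unsigned have;        /* state->x.have */
};

/*
 * Mirrors gzread.c:317-325 (zlib 1.2.13 layout). n starts at UINT_MAX, the
 * value Coverity reports, and is lowered to len only if len fits in an
 * unsigned. The x->have comparison then bounds the copy by what is buffered,
 * so the number of bytes copied is never more than min(len, have).
 */
static unsigned copy_from_window(struct out_window *x, void *buf, size_t len)
{
    unsigned n = UINT_MAX;
    if (n > len)
        n = (unsigned)len;
    if (x->have == 0)
        return 0;
    if (x->have < n)
        n = x->have;
    memcpy(buf, x->next, n);
    x->next += n;
    x->have -= n;
    return n;
}

/* Helper: window holding 'have' bytes (at most 64), caller requests 'len'.
 * Returns the number of bytes copied. Input data is constructed, not real. */
static unsigned copied_for(unsigned have, size_t len)
{
    unsigned char window[64] = {0};
    unsigned char out[64] = {0};
    struct out_window x = { window, have };
    return copy_from_window(&x, out, len);
}

/*
 * Mirrors the avail_out/avail_in chunking in compress2/uncompress2: a uLong
 * length is handed to the stream in uInt-sized pieces. Returns how many
 * pieces a buffer of 'total' bytes is split into. With a 32-bit unsigned
 * long (the RTEMS build Coverity analyzed) 'total > (unsigned long)max' can
 * never be true, which is exactly the CONSTANT_EXPRESSION_RESULT finding; on
 * an LP64 host the same expression splits buffers larger than 4 GiB.
 */
static unsigned long chunk_count(unsigned long total)
{
    const unsigned max = UINT_MAX;
    unsigned long pieces = 0;
    while (total) {
        unsigned avail = total > (unsigned long)max ? max : (unsigned)total;
        total -= avail;
        pieces++;
    }
    return pieces;
}

int main(void)
{
    /* Request smaller than what is buffered: bounded by len. */
    printf("have 8, len 4          -> copied %u\n", copied_for(8, 4));
    /* Request larger than what is buffered: bounded by have, not by len. */
    printf("have 8, len 16         -> copied %u\n", copied_for(8, 16));
    /* len that does not fit an unsigned: n stays UINT_MAX, then clamps to have. */
    printf("have 8, len SIZE_MAX   -> copied %u\n", copied_for(8, (size_t)-1));
    /* Empty window: nothing copied. */
    printf("have 0, len 16         -> copied %u\n", copied_for(0, 16));

    printf("unsigned long is %zu bytes\n", sizeof(unsigned long));
    printf("4096 bytes             -> %lu piece(s)\n", chunk_count(4096));
    if (sizeof(unsigned long) > 4)
        printf("2^32 bytes             -> %lu piece(s)\n",
               chunk_count(0xFFFFFFFFUL + 1UL));
    else
        printf("2^32 bytes             -> not representable; split never happens\n");
    return 0;
}
```

Compile with <code>cc -std=c99 -Wall model.c</code>. The <code>copy_from_window</code> calls show that the copy length is bounded by <code>have</code> even when <code>len</code> is the largest possible <code>size_t</code>, which is the argument to make when reporting CID 1529955/1529957 upstream; the remaining obligation is on gz_read's callers to pass a <code>buf</code> that really holds <code>len</code> bytes. For the compress2/uncompress2 findings, the comparison is portable code whose purpose only shows on targets where <code>unsigned long</code> is wider than <code>unsigned</code>; on RTEMS's 32-bit targets it is dead but harmless.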