New Defects reported by Coverity Scan for RTEMS

scan-admin at coverity.com scan-admin at coverity.com
Wed May 10 05:22:09 UTC 2023


Hi,

Please find below the latest Coverity Scan report on new defect(s) introduced to RTEMS.

7 new defect(s) introduced to RTEMS found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)


** CID 1529957:  Memory - corruptions  (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()


________________________________________________________________________________________________________
*** CID 1529957:  Memory - corruptions  (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()
317                 n = (unsigned)len;
318     
319             /* first just try copying data from the output buffer */
320             if (state->x.have) {
321                 if (state->x.have < n)
322                     n = state->x.have;
>>>     CID 1529957:  Memory - corruptions  (OVERRUN)
>>>     Calling "memcpy" with "state->x.next" and "n" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned.
323                 memcpy(buf, state->x.next, n);
324                 state->x.next += n;
325                 state->x.have -= n;
326             }
327     
328             /* output buffer empty -- return if we're at the end of the input */

** CID 1529956:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 51 in z_compress2()


________________________________________________________________________________________________________
*** CID 1529956:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 51 in z_compress2()
45         stream.avail_out = 0;
46         stream.next_in = (z_const Bytef *)source;
47         stream.avail_in = 0;
48     
49         do {
50             if (stream.avail_out == 0) {
>>>     CID 1529956:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "left > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
51                 stream.avail_out = left > (uLong)max ? max : (uInt)left;
52                 left -= stream.avail_out;
53             }
54             if (stream.avail_in == 0) {
55                 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;
56                 sourceLen -= stream.avail_in;

** CID 1529955:  Memory - corruptions  (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()


________________________________________________________________________________________________________
*** CID 1529955:  Memory - corruptions  (OVERRUN)
/cpukit/zlib/gzread.c: 323 in gz_read()
317                 n = (unsigned)len;
318     
319             /* first just try copying data from the output buffer */
320             if (state->x.have) {
321                 if (state->x.have < n)
322                     n = state->x.have;
>>>     CID 1529955:  Memory - corruptions  (OVERRUN)
>>>     Calling "memcpy" with "buf" and "n" is suspicious because of the very large index, 4294967295. The index may be due to a negative parameter being interpreted as unsigned.
323                 memcpy(buf, state->x.next, n);
324                 state->x.next += n;
325                 state->x.have -= n;
326             }
327     
328             /* output buffer empty -- return if we're at the end of the input */

** CID 1529954:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 63 in z_uncompress2()


________________________________________________________________________________________________________
*** CID 1529954:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 63 in z_uncompress2()
57     
58         stream.next_out = dest;
59         stream.avail_out = 0;
60     
61         do {
62             if (stream.avail_out == 0) {
>>>     CID 1529954:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "left > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
63                 stream.avail_out = left > (uLong)max ? max : (uInt)left;
64                 left -= stream.avail_out;
65             }
66             if (stream.avail_in == 0) {
67                 stream.avail_in = len > (uLong)max ? max : (uInt)len;
68                 len -= stream.avail_in;

** CID 1529953:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 55 in z_compress2()


________________________________________________________________________________________________________
*** CID 1529953:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/compress.c: 55 in z_compress2()
49         do {
50             if (stream.avail_out == 0) {
51                 stream.avail_out = left > (uLong)max ? max : (uInt)left;
52                 left -= stream.avail_out;
53             }
54             if (stream.avail_in == 0) {
>>>     CID 1529953:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "sourceLen > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
55                 stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;
56                 sourceLen -= stream.avail_in;
57             }
58             err = deflate(&stream, sourceLen ? Z_NO_FLUSH : Z_FINISH);
59         } while (err == Z_OK);
60     

** CID 1529952:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 67 in z_uncompress2()


________________________________________________________________________________________________________
*** CID 1529952:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/cpukit/zlib/uncompr.c: 67 in z_uncompress2()
61         do {
62             if (stream.avail_out == 0) {
63                 stream.avail_out = left > (uLong)max ? max : (uInt)left;
64                 left -= stream.avail_out;
65             }
66             if (stream.avail_in == 0) {
>>>     CID 1529952:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "len > 4294967295UL /* (z_uLong)max */" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:".
67                 stream.avail_in = len > (uLong)max ? max : (uInt)len;
68                 len -= stream.avail_in;
69             }
70             err = inflate(&stream, Z_NO_FLUSH);
71         } while (err == Z_OK);
72     

** CID 1329198:  Error handling issues  (CHECKED_RETURN)
/cpukit/zlib/gzlib.c: 254 in gz_open()


________________________________________________________________________________________________________
*** CID 1329198:  Error handling issues  (CHECKED_RETURN)
/cpukit/zlib/gzlib.c: 254 in gz_open()
248         if (state->fd == -1) {
249             free(state->path);
250             free(state);
251             return NULL;
252         }
253         if (state->mode == GZ_APPEND) {
>>>     CID 1329198:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "lseek" without checking return value (as is done elsewhere 17 out of 21 times).
254             LSEEK(state->fd, 0, SEEK_END);  /* so gzoffset() is correct */
255             state->mode = GZ_WRITE;         /* simplify later checks */
256         }
257     
258         /* save the current position for rewinding (only if reading) */
259         if (state->mode == GZ_READ) {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DEiX8_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMp8WaML92U0oGaAdE-2BladfeKLEnJvH80FuzhY2Yfq7hSyrfWMtnz98DIv1gPuJDyiW-2Fb-2FWWKohjoZMaUrtS9JkQ1olVsU6VJd06UJYsv8EDla7bF-2F2E6dxgIdXghVhgJU-2FC5vOxuDiRAPKuTJzStpvcdFEr-2FT7MpBPdFvTdRtKO4A-3D-3D


