Warnings in xz
Chris Johns
chrisj at rtems.org
Sat Mar 11 01:51:23 UTC 2017
On 11/03/2017 02:10, Joel Sherrill wrote:
> And to pile on... Coverity thinks there is an out of bounds write
> in xz_dec_lzma2.c:
>
> https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=108959059&defectInstanceId=30877313&mergedDefectId=711586
>
> 779 * All probabilities are initialized to the same value. This hack
> 780 * makes the code smaller by avoiding a separate loop for each
> 781 * probability array.
> 782 *
> 783 * This could be optimized so that only that part of literal
> 784 * probabilities that are actually required. In the common case
> 785 * we would write 12 KiB less.
> 786 */
> 1. alias: Assigning: probs = s->lzma.is_match[0]. probs now points
> to element 0 of s->lzma.is_match (which consists of 192 2-byte elements).
> 787 probs = s->lzma.is_match[0];
> 2. Condition i < 14134U /* 1846 + (1 << 4) * 768 */, taking true branch.
> 4. Condition i < 14134U /* 1846 + (1 << 4) * 768 */, taking true branch.
> 5. cond_at_most: Checking i < 14134U implies that i may be up to
> 14133 on the true branch.
> 788 for (i = 0; i < PROBS_TOTAL; ++i)
> 3. Jumping back to the beginning of the loop.
>
> CID 711586 (#1 of 1): Out-of-bounds write (OVERRUN)
> 6. overrun-local: Overrunning array of 192 2-byte elements at element
> index 14133 (byte offset 28266) by dereferencing pointer probs + i.
> 789 probs[i] = RC_BIT_MODEL_TOTAL / 2;
> 790
>
I am OK looking into warnings; however, I suggest you approach upstream
with any issues related to the code. I do not know the code.
Chris
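The Coverity trace above is reacting to the "hack" described in the quoted comment: one loop initializes every probability array by taking a pointer to the first array and stepping it across all of them. The following is an added example, not code from xz or from this thread, that reproduces the pattern on a constructed, much smaller struct (`struct lzma_probs` with three `uint16_t` arrays, the array sizes other than the quoted 192 for `is_match`, and the value of `RC_BIT_MODEL_TOTAL` are all assumptions), shows why a bounds checker reports it, and places two in-bounds alternatives beside it: a loop per array, and a union that keeps the single loop but writes to an array whose declared size really is `PROBS_TOTAL`. A `_Static_assert` makes the no-padding assumption the hack depends on explicit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for xz's lzma state: three probability
 * arrays of the same element type laid out back to back. The real
 * xz_dec_lzma2.c layout is larger and is not reproduced here. */
#define RC_BIT_MODEL_TOTAL 2048  /* LZMA 11-bit range-coder scale; assumed */
#define N_IS_MATCH 192           /* element count Coverity quoted for is_match */
#define N_IS_REP   12            /* constructed size */
#define N_LITERAL  768           /* constructed size */
#define PROBS_TOTAL (N_IS_MATCH + N_IS_REP + N_LITERAL)

struct lzma_probs {
    uint16_t is_match[N_IS_MATCH];
    uint16_t is_rep[N_IS_REP];
    uint16_t literal[N_LITERAL];
};

/* The single-loop hack relies on there being no padding between the arrays.
 * State that assumption so a layout change fails at compile time. */
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
_Static_assert(sizeof(struct lzma_probs) == PROBS_TOTAL * sizeof(uint16_t),
               "probability arrays must be contiguous");
#endif

/* xz-style single loop: the pointer is derived from is_match and is then
 * stepped past the end of that array into its neighbours. This is what the
 * analyzer reports as an out-of-bounds write: it works on real compilers when
 * the arrays are contiguous, but C gives no guarantee for indexing one array
 * object through a pointer into another. */
void init_probs_flat(struct lzma_probs *s)
{
    uint16_t *probs = s->is_match;
    size_t i;
    for (i = 0; i < PROBS_TOTAL; ++i)
        probs[i] = RC_BIT_MODEL_TOTAL / 2;
}

/* Straightforward fix: one loop per array, every write inside its own bounds.
 * Slightly more code, no analyzer finding. */
void init_probs_per_array(struct lzma_probs *s)
{
    size_t i;
    for (i = 0; i < N_IS_MATCH; ++i) s->is_match[i] = RC_BIT_MODEL_TOTAL / 2;
    for (i = 0; i < N_IS_REP; ++i)   s->is_rep[i]   = RC_BIT_MODEL_TOTAL / 2;
    for (i = 0; i < N_LITERAL; ++i)  s->literal[i]  = RC_BIT_MODEL_TOTAL / 2;
}

/* Alternative that keeps the code-size benefit: overlay a flat array on the
 * struct with a union, so the one loop writes an array whose declared size
 * really is PROBS_TOTAL and the analyzer sees an in-bounds access. */
union lzma_probs_view {
    struct lzma_probs named;
    uint16_t flat[PROBS_TOTAL];
};

void init_probs_union(union lzma_probs_view *v)
{
    size_t i;
    for (i = 0; i < PROBS_TOTAL; ++i)
        v->flat[i] = RC_BIT_MODEL_TOTAL / 2;
}

/* Count how many of the PROBS_TOTAL entries hold the expected initial value,
 * reading each array by name so the check itself stays in bounds. */
size_t count_initialized(const struct lzma_probs *s)
{
    size_t i, n = 0;
    for (i = 0; i < N_IS_MATCH; ++i) n += (s->is_match[i] == RC_BIT_MODEL_TOTAL / 2);
    for (i = 0; i < N_IS_REP; ++i)   n += (s->is_rep[i]   == RC_BIT_MODEL_TOTAL / 2);
    for (i = 0; i < N_LITERAL; ++i)  n += (s->literal[i]  == RC_BIT_MODEL_TOTAL / 2);
    return n;
}

/* Run each initializer on a zeroed state and report how many entries it set. */
size_t run_flat(void)
{
    struct lzma_probs s;
    memset(&s, 0, sizeof s);
    init_probs_flat(&s);
    return count_initialized(&s);
}

size_t run_per_array(void)
{
    struct lzma_probs s;
    memset(&s, 0, sizeof s);
    init_probs_per_array(&s);
    return count_initialized(&s);
}

size_t run_union(void)
{
    union lzma_probs_view v;
    memset(&v, 0, sizeof v);
    init_probs_union(&v);
    return count_initialized(&v.named);
}

int main(void)
{
    printf("flat:      %zu/%d entries initialized\n", run_flat(), PROBS_TOTAL);
    printf("per-array: %zu/%d entries initialized\n", run_per_array(), PROBS_TOTAL);
    printf("union:     %zu/%d entries initialized\n", run_union(), PROBS_TOTAL);
    return 0;
}
```

All three initializers fill the same 972 entries on a typical compiler, which is why the hack has survived in practice; the difference is that only the last two express the intent in a form the language defines and a bounds checker can verify, so a finding like CID 711586 can be retired by construction rather than triaged as a false positive.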