Coverity-updates archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user
found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 55 defect(s)
** CID 1006589: Time of check time of use (TOCTOU)
/usr.bin/sed/main.c: 443 in mf_fgets()
** CID 1006930: Resource leak (RESOURCE_LEAK)
/usr.bin/sed/main.c: 430 in mf_fgets()
** CID 1008159: Missing break in switch (MISSING_BREAK)
/usr.sbin/services_mkdb/uniq.c: 99 in uniq()
** CID 1008179: Missing break in switch (MISSING_BREAK)
/usr.sbin/btpand/btpand.c: 217 in main()
** CID 1008187: Missing break in switch (MISSING_BREAK)
/usr.bin/rpcgen/rpc_main.c: 395 in open_input()
** CID 1084311: Unchecked return value (CHECKED_RETURN)
/external/zlib/pigz/dist/pigz.c: 2784 in cat()
** CID 1084312: Explicit null dereferenced (FORWARD_NULL)
/external/zlib/pigz/dist/zopfli/squeeze.c: 439 in LZ77OptimalRun()
** CID 1084314: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
** CID 1084315: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 171 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
** CID 1193390: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 674 in
sljit_emit_fast_enter()
** CID 1193391: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 670 in
sljit_emit_fast_enter()
** CID 1193392: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 713 in
sljit_emit_fast_return()
** CID 1193393: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 708 in
sljit_emit_fast_return()
** CID 1193394: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 688 in
emit_mov()
** CID 1193395: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 688 in
emit_mov()
** CID 1193396: Out-of-bounds access (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 679 in
emit_mov()
** CID 1193397: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1227 in
emit_clz()
** CID 1193398: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1225 in
emit_clz()
** CID 1193399: Out-of-bounds access (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 770 in
emit_mov_int()
** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
________________________________________________________________________________________________________
*** CID 1006589: Time of check time of use (TOCTOU)
/usr.bin/sed/main.c: 443 in mf_fgets()
437 resetstate();
438 }
439 } else {
440 outfile = stdout;
441 outfname = "stdout";
442 }
>>> CID 1006589: Time of check time of use (TOCTOU)
>>> Calling function "fopen(char const *, char const *)" that uses "fname"
>>> after a check function. This can cause a time-of-check, time-of-use race
>>> condition.
443 if ((infile = fopen(fname, "r")) == NULL) {
444 warn("%s", fname);
445 rval = 1;
446 continue;
447 }
448 }
________________________________________________________________________________________________________
*** CID 1006930: Resource leak (RESOURCE_LEAK)
/usr.bin/sed/main.c: 430 in mf_fgets()
424 len = (size_t)snprintf(tmpfname,
sizeof(tmpfname),
425 "%s/.!%ld!%s", dirname(d_name),
(long)getpid(),
426 basename(f_name));
427 if (len >= sizeof(tmpfname))
428 errx(1, "%s: name too long", fname);
429 unlink(tmpfname);
>>> CID 1006930: Resource leak (RESOURCE_LEAK)
>>> Overwriting "outfile" in "outfile = fopen(tmpfname, "w")" leaks the
>>> storage that "outfile" points to.
430 if ((outfile = fopen(tmpfname, "w")) == NULL)
431 err(1, "%s", fname);
432 fchown(fileno(outfile), sb.st_uid, sb.st_gid);
433 fchmod(fileno(outfile), sb.st_mode & ALLPERMS);
434 outfname = tmpfname;
435 if (!ispan) {
________________________________________________________________________________________________________
*** CID 1008159: Missing break in switch (MISSING_BREAK)
/usr.sbin/services_mkdb/uniq.c: 99 in uniq()
93 line);
94 break;
95 case 1:
96 break;
97 case -1:
98 err(1, "put");
>>> CID 1008159: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
99 default:
100 abort();
101 break;
102 }
103 }
104 (void)fflush(stdout);
________________________________________________________________________________________________________
*** CID 1008179: Missing break in switch (MISSING_BREAK)
/usr.sbin/btpand/btpand.c: 217 in main()
211 * setup is finished so we can return an error if necessary.
212 */
213 switch(fork()) {
214 case -1: /* bad */
215 err(EXIT_FAILURE, "fork() failed");
216
>>> CID 1008179: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
217 case 0: /* child */
218 openlog(getprogname(), LOG_NDELAY | LOG_PERROR |
LOG_PID, LOG_DAEMON);
219
220 channel_init();
221 event_init();
222 server_init();
________________________________________________________________________________________________________
*** CID 1008187: Missing break in switch (MISSING_BREAK)
/usr.bin/rpcgen/rpc_main.c: 395 in open_input()
389 addarg(NULL);
390 (void) close(1);
391 (void) dup2(pd[1], 1);
392 (void) close(pd[0]);
393 execvp(arglist[0], __UNCONST(arglist));
394 err(1, "$RPCGEN_CPP: %s", CPP);
>>> CID 1008187: Missing break in switch (MISSING_BREAK)
>>> The above case falls through to this one.
395 case -1:
396 err(1, "fork");
397 }
398 (void) close(pd[1]);
399 fin = fdopen(pd[0], "r");
400 #endif
________________________________________________________________________________________________________
*** CID 1084311: Unchecked return value (CHECKED_RETURN)
/external/zlib/pigz/dist/pigz.c: 2784 in cat()
2778 bytes of input, then g.in_left is non-zero and g.in_next is
pointing to
2779 the second magic byte) */
2780 while (g.in_left) {
2781 writen(g.outd, g.in_next, g.in_left);
2782 g.out_tot += g.in_left;
2783 g.in_left = 0;
>>> CID 1084311: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "load()".
2784 load();
2785 }
2786 }
2787
2788 /* --- decompress deflate input --- */
2789
________________________________________________________________________________________________________
*** CID 1084312: Explicit null dereferenced (FORWARD_NULL)
/external/zlib/pigz/dist/zopfli/squeeze.c: 439 in LZ77OptimalRun()
433 unsigned short** path, size_t* pathsize,
434 unsigned short* length_array, CostModelFun* costmodel,
435 void* costcontext, ZopfliLZ77Store* store) {
436 double cost = GetBestLengths(
437 s, in, instart, inend, costmodel, costcontext, length_array);
438 free(*path);
>>> CID 1084312: Explicit null dereferenced (FORWARD_NULL)
>>> Assigning: "*path" = "NULL".
439 *path = 0;
440 *pathsize = 0;
441 TraceBackwards(inend - instart, length_array, path, pathsize);
442 FollowPath(s, in, instart, inend, *path, *pathsize, store);
443 assert(cost < ZOPFLI_LARGE_FLOAT);
444 return cost;
________________________________________________________________________________________________________
*** CID 1084314: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
169 if (repeat >= 3) {
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0UL) ? malloc(4UL) :
>>> realloc(rle, rle_size * 2UL * 4UL))" leaks the storage that "rle" points to.
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
169 if (repeat >= 3) {
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0UL) ? malloc(4UL) :
>>> realloc(rle, rle_size * 2UL * 4UL))" leaks the storage that "rle" points to.
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
/external/zlib/pigz/dist/zopfli/deflate.c: 175 in AddDynamicTree()
169 if (repeat >= 3) {
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0UL) ? malloc(4UL) :
>>> realloc(rle, rle_size * 2UL * 4UL))" leaks the storage that "rle" points to.
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
177 repeat--;
178 }
179 }
180
181 i += count - 1;
182 } else {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0UL) ? malloc(4UL) :
>>> realloc(rle, rle_size * 2UL * 4UL))" leaks the storage that "rle" points to.
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
/external/zlib/pigz/dist/zopfli/deflate.c: 183 in AddDynamicTree()
177 repeat--;
178 }
179 }
180
181 i += count - 1;
182 } else {
>>> CID 1084314: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle" in "rle = ((rle_size == 0UL) ? malloc(4UL) :
>>> realloc(rle, rle_size * 2UL * 4UL))" leaks the storage that "rle" points to.
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
________________________________________________________________________________________________________
*** CID 1084315: Resource leak (RESOURCE_LEAK)
/external/zlib/pigz/dist/zopfli/deflate.c: 171 in AddDynamicTree()
165 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
166 ZOPFLI_APPEND_DATA(6 - 3, &rle_bits, &rle_bits_size);
167 repeat -= 6;
168 }
169 if (repeat >= 3) {
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
178 }
179 }
180
181 i += count - 1;
182 } else {
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
189 for (i = 0; i < 19; i++) {
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
178 }
179 }
180
181 i += count - 1;
182 } else {
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
189 for (i = 0; i < 19; i++) {
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
181 i += count - 1;
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
181 i += count - 1;
/external/zlib/pigz/dist/zopfli/deflate.c: 176 in AddDynamicTree()
170 ZOPFLI_APPEND_DATA(16, &rle, &rle_size);
171 ZOPFLI_APPEND_DATA(3 - 3, &rle_bits, &rle_bits_size);
172 repeat -= 3;
173 }
174 while (repeat != 0) {
175 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
176 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
177 repeat--;
178 }
179 }
180
181 i += count - 1;
/external/zlib/pigz/dist/zopfli/deflate.c: 184 in AddDynamicTree()
178 }
179 }
180
181 i += count - 1;
182 } else {
183 ZOPFLI_APPEND_DATA(lld_lengths[i], &rle, &rle_size);
>>> CID 1084315: Resource leak (RESOURCE_LEAK)
>>> Overwriting "rle_bits" in "rle_bits = ((rle_bits_size == 0UL) ?
>>> malloc(4UL) : realloc(rle_bits, rle_bits_size * 2UL * 4UL))" leaks the
>>> storage that "rle_bits" points to.
184 ZOPFLI_APPEND_DATA(0, &rle_bits, &rle_bits_size);
185 }
186 assert(rle[rle_size - 1] <= 18);
187 }
188
189 for (i = 0; i < 19; i++) {
________________________________________________________________________________________________________
*** CID 1193390: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 674 in
sljit_emit_fast_enter()
668
669 if (FAST_IS_REG(dst)) {
670 if (reg_map[dst] < 8) {
671 inst = (sljit_ub*)ensure_buf(compiler, 1 + 1);
672 FAIL_IF(!inst);
673 INC_SIZE(1);
>>> CID 1193390: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_lmap" of 15 bytes at byte offset 63 using index
>>> "dst" (which evaluates to 63).
674 POP_REG(reg_lmap[dst]);
675 return SLJIT_SUCCESS;
676 }
677
678 inst = (sljit_ub*)ensure_buf(compiler, 1 + 2);
679 FAIL_IF(!inst);
________________________________________________________________________________________________________
*** CID 1193391: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 670 in
sljit_emit_fast_enter()
664
665 /* For UNUSED dst. Uncommon, but possible. */
666 if (dst == SLJIT_UNUSED)
667 dst = TMP_REG1;
668
669 if (FAST_IS_REG(dst)) {
>>> CID 1193391: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 15 bytes at byte offset 63 using index
>>> "dst" (which evaluates to 63).
670 if (reg_map[dst] < 8) {
671 inst = (sljit_ub*)ensure_buf(compiler, 1 + 1);
672 FAIL_IF(!inst);
673 INC_SIZE(1);
674 POP_REG(reg_lmap[dst]);
675 return SLJIT_SUCCESS;
________________________________________________________________________________________________________
*** CID 1193392: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 713 in
sljit_emit_fast_return()
707 if (FAST_IS_REG(src)) {
708 if (reg_map[src] < 8) {
709 inst = (sljit_ub*)ensure_buf(compiler, 1 + 1 +
1);
710 FAIL_IF(!inst);
711
712 INC_SIZE(1 + 1);
>>> CID 1193392: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_lmap" of 15 bytes at byte offset 63 using index
>>> "src" (which evaluates to 63).
713 PUSH_REG(reg_lmap[src]);
714 }
715 else {
716 inst = (sljit_ub*)ensure_buf(compiler, 1 + 2 +
1);
717 FAIL_IF(!inst);
718
________________________________________________________________________________________________________
*** CID 1193393: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 708 in
sljit_emit_fast_return()
702 if ((src & SLJIT_IMM) && NOT_HALFWORD(srcw)) {
703 FAIL_IF(emit_load_imm64(compiler, TMP_REG1, srcw));
704 src = TMP_REG1;
705 }
706
707 if (FAST_IS_REG(src)) {
>>> CID 1193393: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 15 bytes at byte offset 63 using index
>>> "src" (which evaluates to 63).
708 if (reg_map[src] < 8) {
709 inst = (sljit_ub*)ensure_buf(compiler, 1 + 1 +
1);
710 FAIL_IF(!inst);
711
712 INC_SIZE(1 + 1);
713 PUSH_REG(reg_lmap[src]);
________________________________________________________________________________________________________
*** CID 1193394: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 688 in
emit_mov()
682 #else
683 if (!compiler->mode32) {
684 if (NOT_HALFWORD(srcw))
685 return
emit_load_imm64(compiler, dst, srcw);
686 }
687 else
>>> CID 1193394: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_lmap" of 15 bytes at byte offset 63 using index
>>> "dst" (which evaluates to 63).
688 return emit_do_imm32(compiler,
(reg_map[dst] >= 8) ? REX_B : 0, MOV_r_i32 + reg_lmap[dst], srcw);
689 #endif
690 }
691 #if (defined SLJIT_CONFIG_X86_64 && SLJIT_CONFIG_X86_64)
692 if (!compiler->mode32 && NOT_HALFWORD(srcw)) {
693 FAIL_IF(emit_load_imm64(compiler, TMP_REG2,
srcw));
________________________________________________________________________________________________________
*** CID 1193395: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 688 in
emit_mov()
682 #else
683 if (!compiler->mode32) {
684 if (NOT_HALFWORD(srcw))
685 return
emit_load_imm64(compiler, dst, srcw);
686 }
687 else
>>> CID 1193395: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 15 bytes at byte offset 63 using index
>>> "dst" (which evaluates to 63).
688 return emit_do_imm32(compiler,
(reg_map[dst] >= 8) ? REX_B : 0, MOV_r_i32 + reg_lmap[dst], srcw);
689 #endif
690 }
691 #if (defined SLJIT_CONFIG_X86_64 && SLJIT_CONFIG_X86_64)
692 if (!compiler->mode32 && NOT_HALFWORD(srcw)) {
693 FAIL_IF(emit_load_imm64(compiler, TMP_REG2,
srcw));
________________________________________________________________________________________________________
*** CID 1193396: Out-of-bounds access (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 679 in
emit_mov()
673 inst = emit_x86_instruction(compiler, 1, src, 0, dst,
dstw);
674 FAIL_IF(!inst);
675 *inst = MOV_rm_r;
676 return SLJIT_SUCCESS;
677 }
678 if (src & SLJIT_IMM) {
>>> CID 1193396: Out-of-bounds access (OVERRUN)
>>> Checking "dst <= 63" implies that the value of "dst" may be up to 63 on
>>> the true branch.
679 if (FAST_IS_REG(dst)) {
680 #if (defined SLJIT_CONFIG_X86_32 && SLJIT_CONFIG_X86_32)
681 return emit_do_imm(compiler, MOV_r_i32 +
reg_map[dst], srcw);
682 #else
683 if (!compiler->mode32) {
684 if (NOT_HALFWORD(srcw))
________________________________________________________________________________________________________
*** CID 1193397: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1227 in
emit_clz()
1221 INC_SIZE(5);
1222
1223 *inst++ = JE_i8;
1224 *inst++ = 3;
1225 *inst++ = REX_W | (reg_map[dst_r] >= 8 ? REX_R : 0) |
(reg_map[TMP_REG1] >= 8 ? REX_B : 0);
1226 *inst++ = MOV_r_rm;
>>> CID 1193397: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_lmap" of 15 bytes at byte offset 63 using index
>>> "dst_r" (which evaluates to 63).
1227 *inst++ = MOD_REG | (reg_lmap[dst_r] << 3) |
reg_lmap[TMP_REG1];
1228 #endif
1229 }
1230
1231 #if (defined SLJIT_CONFIG_X86_32 && SLJIT_CONFIG_X86_32)
1232 inst = emit_x86_instruction(compiler, 1 | EX86_BIN_INS,
SLJIT_IMM, 31, dst_r, 0);
________________________________________________________________________________________________________
*** CID 1193398: Out-of-bounds read (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 1225 in
emit_clz()
1219 inst = (sljit_ub*)ensure_buf(compiler, 1 + 5);
1220 FAIL_IF(!inst);
1221 INC_SIZE(5);
1222
1223 *inst++ = JE_i8;
1224 *inst++ = 3;
>>> CID 1193398: Out-of-bounds read (OVERRUN)
>>> Overrunning array "reg_map" of 15 bytes at byte offset 63 using index
>>> "dst_r" (which evaluates to 63).
1225 *inst++ = REX_W | (reg_map[dst_r] >= 8 ? REX_R : 0) |
(reg_map[TMP_REG1] >= 8 ? REX_B : 0);
1226 *inst++ = MOV_r_rm;
1227 *inst++ = MOD_REG | (reg_lmap[dst_r] << 3) |
reg_lmap[TMP_REG1];
1228 #endif
1229 }
1230
________________________________________________________________________________________________________
*** CID 1193399: Out-of-bounds access (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_64.c: 770 in
emit_mov_int()
764 compiler->mode32 = 0;
765
766 if (dst == SLJIT_UNUSED && !(src & SLJIT_MEM))
767 return SLJIT_SUCCESS; /* Empty instruction. */
768
769 if (src & SLJIT_IMM) {
>>> CID 1193399: Out-of-bounds access (OVERRUN)
>>> Checking "dst <= 63" implies that the value of "dst" may be up to 63 on
>>> the true branch.
770 if (FAST_IS_REG(dst)) {
771 if (sign || ((sljit_uw)srcw <= 0x7fffffff)) {
772 inst = emit_x86_instruction(compiler,
1, SLJIT_IMM, (sljit_sw)(sljit_si)srcw, dst, dstw);
773 FAIL_IF(!inst);
774 *inst = MOV_rm_i32;
775 return SLJIT_SUCCESS;
________________________________________________________________________________________________________
*** CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
/sys/fs/tmpfs/tmpfs_vfsops.c: 143 in tmpfs_mount()
137
138 /* Check for invalid uid and gid arguments */
139 if (args->ta_root_uid == VNOVAL || args->ta_root_gid == VNOVAL)
140 return EINVAL;
141
142 /* This can never happen? */
>>> CID 1223334: Operands don't affect result (CONSTANT_EXPRESSION_RESULT)
>>> "(args->ta_root_mode & (4095U /* ((((0x800 | 0x400) | 0x200) | 0x1c0) |
>>> 0x38) | 7 */)) == -1" is always false regardless of the values of its
>>> operands. This occurs as the logical operand of if.
143 if ((args->ta_root_mode & ALLPERMS) == VNOVAL)
144 return EINVAL;
145
146 /* Get the memory usage limit for this file-system. */
147 if (args->ta_size_max < PAGE_SIZE) {
148 memlimit = UINT64_MAX;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1449?tab=overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py
Home |
Main Index |
Thread Index |
Old Index