Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.

72 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
9837 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 72 defect(s)


** CID 220011:  Null pointer dereferences  (FORWARD_NULL)
/external/mit/expat/dist/lib/xmlparse.c: 4448 in doProlog()


________________________________________________________________________________________________________
*** CID 220011:  Null pointer dereferences  (FORWARD_NULL)
/external/mit/expat/dist/lib/xmlparse.c: 4448 in doProlog()
4442           }
4443           groupConnector[prologState.level] = 0;
4444           if (dtd->in_eldecl) {
4445             int myindex = nextScaffoldPart(parser);
4446             if (myindex < 0)
4447               return XML_ERROR_NO_MEMORY;
>>>     CID 220011:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "dtd->scaffIndex".
4448             dtd->scaffIndex[dtd->scaffLevel] = myindex;
4449             dtd->scaffLevel++;
4450             dtd->scaffold[myindex].type = XML_CTYPE_SEQ;
4451             if (elementDeclHandler)
4452               handleDefault = XML_FALSE;
4453           }

** CID 502366:  Control flow issues  (MISSING_BREAK)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/infcodes.c: 120 in inflate_codes()


________________________________________________________________________________________________________
*** CID 502366:  Control flow issues  (MISSING_BREAK)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/infcodes.c: 120 in inflate_codes()
114             }
115           }
116     #endif /* !SLOW */
117           c->sub.code.need = c->lbits;
118           c->sub.code.tree = c->ltree;
119           c->mode = LEN;
>>>     CID 502366:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
120         case LEN:           /* i: get length/literal/eob next */
121           j = c->sub.code.need;
122           NEEDBITS(j)
123           t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
124           DUMPBITS(t->bits)
125           e = (uInt)(t->exop);

** CID 992299:  Incorrect expression  (MIXED_ENUMS)
/external/mit/expat/dist/lib/xmlparse.c: 1608 in XML_Parse()


________________________________________________________________________________________________________
*** CID 992299:  Incorrect expression  (MIXED_ENUMS)
/external/mit/expat/dist/lib/xmlparse.c: 1608 in XML_Parse()
1602         bufferPtr = buffer;
1603         bufferEnd = buffer + nLeftOver;
1604         positionPtr = bufferPtr;
1605         parseEndPtr = bufferEnd;
1606         eventPtr = bufferPtr;
1607         eventEndPtr = bufferPtr;
>>>     CID 992299:  Incorrect expression  (MIXED_ENUMS)
>>>     Mixing enum types "enum XML_Error" and "enum XML_Status" for "result".
1608         return result;
1609       }
1610     #endif  /* not defined XML_CONTEXT_BYTES */
1611       else {
1612         void *buff = XML_GetBuffer(parser, len);
1613         if (buff == NULL)

** CID 1035579:  Possible Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fcstat.c: 326 in FcFStatFs()


________________________________________________________________________________________________________
*** CID 1035579:  Possible Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fcstat.c: 326 in FcFStatFs()
320     #    error "BUG: No way to figure out with fstatfs()"
321     #  endif
322         }
323     #endif
324         if (p)
325         {
>>>     CID 1035579:  Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "if (!flag && strcmp(p, "nfs...".
326     	if (!flag && strcmp (p, "nfs") == 0)
327     	    statb->is_remote_fs = FcTrue;
328     	if (strcmp (p, "msdosfs") == 0 ||
329     	    strcmp (p, "pcfs") == 0)
330     	    statb->is_mtime_broken = FcTrue;
331         }

** CID 1035584:  Resource leaks  (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fccache.c: 270 in lock_cache()


________________________________________________________________________________________________________
*** CID 1035584:  Resource leaks  (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fccache.c: 270 in lock_cache()
264     
265     static void
266     lock_cache (void)
267     {
268       FcMutex *lock;
269     retry:
>>>     CID 1035584:  Resource leaks  (RESOURCE_LEAK)
>>>     Overwriting "lock" in "lock = (void *)cache_lock" leaks the storage that "lock" points to.
270       lock = fc_atomic_ptr_get (&cache_lock);
271       if (!lock) {
272         lock = (FcMutex *) malloc (sizeof (FcMutex));
273         FcMutexInit (lock);
274         if (!fc_atomic_ptr_cmpexch (&cache_lock, NULL, lock)) {
275           FcMutexFinish (lock);

** CID 1078671:  Control flow issues  (MISSING_RESTORE)
/external/mit/expat/dist/lib/xmlparse.c: 6041 in lookup()


________________________________________________________________________________________________________
*** CID 1078671:  Control flow issues  (MISSING_RESTORE)
/external/mit/expat/dist/lib/xmlparse.c: 6041 in lookup()
6035             i < step ? (i += newSize - step) : (i -= step);
6036           }
6037         }
6038       }
6039       table->v[i] = (NAMED *)table->mem->malloc_fcn(createSize);
6040       if (!table->v[i])
>>>     CID 1078671:  Control flow issues  (MISSING_RESTORE)
>>>     Value of non-local "table->size" that was verified to be "0U" is not restored as it was along other paths.
6041         return NULL;
6042       memset(table->v[i], 0, createSize);
6043       table->v[i]->name = name;
6044       (table->used)++;
6045       return table->v[i];
6046     }

** CID 1091568:    (RESOURCE_LEAK)
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()


________________________________________________________________________________________________________
*** CID 1091568:    (RESOURCE_LEAK)
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
230       /* Read the comma-separated list of identifiers.  */
231       while (token () != '>')
232         {
233           const char *id = require2 (ID, ',');
234           if (id == NULL)
235     	id = ",";
>>>     CID 1091568:    (RESOURCE_LEAK)
>>>     Overwriting "str" in "str = concat(str, id, NULL)" leaks the storage that "str" points to.
236           str = concat (str, id, (char *) 0);
237         }
238     
239       /* Recognize the closing '>'.  */
240       require ('>');
241       str = concat (str, ">", (char *) 0);
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
235     	id = ",";
236           str = concat (str, id, (char *) 0);
237         }
238     
239       /* Recognize the closing '>'.  */
240       require ('>');
>>>     CID 1091568:    (RESOURCE_LEAK)
>>>     Overwriting "str" in "str = concat(str, ">", NULL)" leaks the storage that "str" points to.
241       str = concat (str, ">", (char *) 0);
242     
243       return str;
244     }
245     
246     
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
230       /* Read the comma-separated list of identifiers.  */
231       while (token () != '>')
232         {
233           const char *id = require2 (ID, ',');
234           if (id == NULL)
235     	id = ",";
>>>     CID 1091568:    (RESOURCE_LEAK)
>>>     Overwriting "str" in "str = concat(str, id, NULL)" leaks the storage that "str" points to.
236           str = concat (str, id, (char *) 0);
237         }
238     
239       /* Recognize the closing '>'.  */
240       require ('>');
241       str = concat (str, ">", (char *) 0);
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
235     	id = ",";
236           str = concat (str, id, (char *) 0);
237         }
238     
239       /* Recognize the closing '>'.  */
240       require ('>');
>>>     CID 1091568:    (RESOURCE_LEAK)
>>>     Overwriting "str" in "str = concat(str, ">", NULL)" leaks the storage that "str" points to.
241       str = concat (str, ">", (char *) 0);
242     
243       return str;
244     }
245     
246     

** CID 1206746:    (BAD_SHIFT)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()


________________________________________________________________________________________________________
*** CID 1206746:    (BAD_SHIFT)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
282           /* backup over finished tables */
283           mask = (1 << w) - 1;      /* needed on HP, cc -O bug */
284           while ((i & mask) != x[h])
285           {
286             h--;                    /* don't need to update q */
287             w -= l;
>>>     CID 1206746:    (BAD_SHIFT)
>>>     In expression "1 << w", shifting by a negative amount has undefined behavior.  The shift amount, "w", is -2.
288             mask = (1 << w) - 1;
289           }
290         }
291       }
292     
293     
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
282           /* backup over finished tables */
283           mask = (1 << w) - 1;      /* needed on HP, cc -O bug */
284           while ((i & mask) != x[h])
285           {
286             h--;                    /* don't need to update q */
287             w -= l;
>>>     CID 1206746:    (BAD_SHIFT)
>>>     In expression "1 << w", shifting by a negative amount has undefined behavior.  The shift amount, "w", is -1.
288             mask = (1 << w) - 1;
289           }
290         }
291       }
292     
293     

** CID 1206945:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 217 in T1_Read_PFM()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 155 in T1_Read_PFM()


________________________________________________________________________________________________________
*** CID 1206945:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 217 in T1_Read_PFM()
211         if ( oldcharmap != NULL )
212           error = FT_Set_Charmap( t1_face, oldcharmap );
213         if ( error )
214           goto Exit;
215     
216         /* now, sort the kern pairs according to their glyph indices */
>>>     CID 1206945:    (TAINTED_SCALAR)
>>>     Passing tainted variable "fi->NumKernPair" to a tainted sink.
217         ft_qsort( fi->KernPairs, fi->NumKernPair, sizeof ( AFM_KernPairRec ),
218                   compare_kern_pairs );
219     
220       Exit:
221         if ( error )
222         {
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 155 in T1_Read_PFM()
149         if ( p + 2 > limit )
150         {
151           error = FT_THROW( Unknown_File_Format );
152           goto Exit;
153         }
154     
>>>     CID 1206945:    (TAINTED_SCALAR)
>>>     Assigning: "fi->NumKernPair" = "(FT_UInt16)(((FT_UInt16)(FT_Byte const *)p[1] << 8) | ((FT_UInt16)(FT_Byte const *)p[0] << 0))". Both are now tainted.
155         fi->NumKernPair = FT_PEEK_USHORT_LE( p );
156         p += 2;
157         if ( p + 4 * fi->NumKernPair > limit )
158         {
159           error = FT_THROW( Unknown_File_Format );
160           goto Exit;

** CID 1206946:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()


________________________________________________________________________________________________________
*** CID 1206946:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
985               /* check glyph indices within the segment range */
986               if ( valid->level >= FT_VALIDATE_TIGHT )
987               {
988                 FT_UInt  i, idx;
989     
990     
>>>     CID 1206946:    (TAINTED_SCALAR)
>>>     Using tainted variable "end" as a loop boundary.
991                 for ( i = start; i < end; i++ )
992                 {
993                   idx = FT_NEXT_USHORT( p );
994                   if ( idx != 0 )
995                   {
996                     idx = (FT_UInt)( idx + delta ) & 0xFFFFU;
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
985               /* check glyph indices within the segment range */
986               if ( valid->level >= FT_VALIDATE_TIGHT )
987               {
988                 FT_UInt  i, idx;
989     
990     
>>>     CID 1206946:    (TAINTED_SCALAR)
>>>     Using tainted variable "end" as a loop boundary.
991                 for ( i = start; i < end; i++ )
992                 {
993                   idx = FT_NEXT_USHORT( p );
994                   if ( idx != 0 )
995                   {
996                     idx = (FT_UInt)( idx + delta ) & 0xFFFFU;

** CID 1206947:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1542 in tt_cmap6_char_next()


________________________________________________________________________________________________________
*** CID 1206947:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1542 in tt_cmap6_char_next()
1536         if ( char_code < start )
1537           char_code = start;
1538     
1539         idx = (FT_UInt)( char_code - start );
1540         p  += 2 * idx;
1541     
>>>     CID 1206947:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1542         for ( ; idx < count; idx++ )
1543         {
1544           gindex = TT_NEXT_USHORT( p );
1545           if ( gindex != 0 )
1546           {
1547             result = char_code;

** CID 1206948:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1485 in tt_cmap6_validate()


________________________________________________________________________________________________________
*** CID 1206948:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1485 in tt_cmap6_validate()
1479         /* check glyph indices */
1480         if ( valid->level >= FT_VALIDATE_TIGHT )
1481         {
1482           FT_UInt  gindex;
1483     
1484     
>>>     CID 1206948:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1485           for ( ; count > 0; count-- )
1486           {
1487             gindex = TT_NEXT_USHORT( p );
1488             if ( gindex >= TT_VALID_GLYPH_COUNT( valid ) )
1489               FT_INVALID_GLYPH_ID;
1490           }

** CID 1206949:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1762 in tt_cmap8_char_index()


________________________________________________________________________________________________________
*** CID 1206949:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1762 in tt_cmap8_char_index()
1756         FT_UInt    result     = 0;
1757         FT_Byte*   p          = table + 8204;
1758         FT_UInt32  num_groups = TT_NEXT_ULONG( p );
1759         FT_UInt32  start, end, start_id;
1760     
1761     
>>>     CID 1206949:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "num_groups" as a loop boundary.
1762         for ( ; num_groups > 0; num_groups-- )
1763         {
1764           start    = TT_NEXT_ULONG( p );
1765           end      = TT_NEXT_ULONG( p );
1766           start_id = TT_NEXT_ULONG( p );
1767     

** CID 1206950:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1796 in tt_cmap8_char_next()


________________________________________________________________________________________________________
*** CID 1206950:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1796 in tt_cmap8_char_next()
1790         FT_UInt32  num_groups = TT_NEXT_ULONG( p );
1791         FT_UInt32  start, end, start_id;
1792     
1793     
1794         p = table + 8208;
1795     
>>>     CID 1206950:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "num_groups" as a loop boundary.
1796         for ( ; num_groups > 0; num_groups-- )
1797         {
1798           start    = TT_NEXT_ULONG( p );
1799           end      = TT_NEXT_ULONG( p );
1800           start_id = TT_NEXT_ULONG( p );
1801     

** CID 1206951:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 264 in tt_face_get_kerning()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 239 in tt_face_get_kerning()


________________________________________________________________________________________________________
*** CID 1206951:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 264 in tt_face_get_kerning()
258               }
259               else /* linear search */
260               {
261                 FT_UInt  count2;
262     
263     
>>>     CID 1206951:    (TAINTED_SCALAR)
>>>     Using tainted variable "count2" as a loop boundary.
264                 for ( count2 = num_pairs; count2 > 0; count2-- )
265                 {
266                   FT_ULong  key = FT_NEXT_ULONG( p );
267     
268     
269                   if ( key == key0 )
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 239 in tt_face_get_kerning()
233               if ( face->kern_order_bits & mask )   /* binary search */
234               {
235                 FT_UInt   min = 0;
236                 FT_UInt   max = num_pairs;
237     
238     
>>>     CID 1206951:    (TAINTED_SCALAR)
>>>     Using tainted variable "max" as a loop boundary.
239                 while ( min < max )
240                 {
241                   FT_UInt   mid = ( min + max ) >> 1;
242                   FT_Byte*  q   = p + 6 * mid;
243                   FT_ULong  key;
244     

** CID 1206952:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 318 in ft_var_load_avar()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()


________________________________________________________________________________________________________
*** CID 1206952:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 318 in ft_var_load_avar()
312           goto Exit;
313     
314         segment = &blend->avar_segment[0];
315         for ( i = 0; i < axisCount; ++i, ++segment )
316         {
317           segment->pairCount = FT_GET_USHORT();
>>>     CID 1206952:    (TAINTED_SCALAR)
>>>     Casting narrower unsigned "segment->pairCount" to wider signed type "long" effectively tests its lower bound.
318           if ( FT_NEW_ARRAY( segment->correspondence, segment->pairCount ) )
319           {
320             /* Failure.  Free everything we have done so far.  We must do */
321             /* it right now since loading the `avar' table is optional.   */
322     
323             for ( j = i - 1; j >= 0; --j )
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
325     
326             FT_FREE( blend->avar_segment );
327             blend->avar_segment = NULL;
328             goto Exit;
329           }
330     
>>>     CID 1206952:    (TAINTED_SCALAR)
>>>     Using tainted variable "segment->pairCount" as a loop boundary.
331           for ( j = 0; j < segment->pairCount; ++j )
332           {
333             segment->correspondence[j].fromCoord =
334               FT_GET_SHORT() << 2;    /* convert to Fixed */
335             segment->correspondence[j].toCoord =
336               FT_GET_SHORT()<<2;    /* convert to Fixed */
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
325     
326             FT_FREE( blend->avar_segment );
327             blend->avar_segment = NULL;
328             goto Exit;
329           }
330     
>>>     CID 1206952:    (TAINTED_SCALAR)
>>>     Using tainted variable "segment->pairCount" as a loop boundary.
331           for ( j = 0; j < segment->pairCount; ++j )
332           {
333             segment->correspondence[j].fromCoord =
334               FT_GET_SHORT() << 2;    /* convert to Fixed */
335             segment->correspondence[j].toCoord =
336               FT_GET_SHORT()<<2;    /* convert to Fixed */

** CID 1206953:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 227 in load_format_20()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 230 in load_format_20()


________________________________________________________________________________________________________
*** CID 1206953:    (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 227 in load_format_20()
221     
222         /* now load the name strings */
223         {
224           FT_UShort  n;
225     
226     
>>>     CID 1206953:    (TAINTED_SCALAR)
>>>     Casting narrower unsigned "num_names" to wider signed type "long" effectively tests its lower bound.
227           if ( FT_NEW_ARRAY( name_strings, num_names ) )
228             goto Fail;
229     
230           for ( n = 0; n < num_names; n++ )
231           {
232             FT_UInt  len;
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 230 in load_format_20()
224           FT_UShort  n;
225     
226     
227           if ( FT_NEW_ARRAY( name_strings, num_names ) )
228             goto Fail;
229     
>>>     CID 1206953:    (TAINTED_SCALAR)
>>>     Using tainted variable "num_names" as a loop boundary.
230           for ( n = 0; n < num_names; n++ )
231           {
232             FT_UInt  len;
233     
234     
235             if ( FT_STREAM_POS() >= post_limit )

** CID 1206954:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1964 in tt_cmap10_char_next()


________________________________________________________________________________________________________
*** CID 1206954:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1964 in tt_cmap10_char_next()
1958         if ( char_code < start )
1959           char_code = start;
1960     
1961         idx = (FT_UInt32)( char_code - start );
1962         p  += 2 * idx;
1963     
>>>     CID 1206954:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1964         for ( ; idx < count; idx++ )
1965         {
1966           gindex = TT_NEXT_USHORT( p );
1967           if ( gindex != 0 )
1968             break;
1969           char_code++;

** CID 1206955:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2158 in tt_cmap12_next()


________________________________________________________________________________________________________
*** CID 1206955:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2158 in tt_cmap12_next()
2152           end      = TT_NEXT_ULONG( p );
2153           start_id = TT_PEEK_ULONG( p );
2154     
2155           if ( char_code < start )
2156             char_code = start;
2157     
>>>     CID 1206955:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "end" as a loop boundary.
2158           for ( ; char_code <= end; char_code++ )
2159           {
2160             gindex = (FT_UInt)( start_id + char_code - start );
2161     
2162             if ( gindex )
2163             {

** CID 1206956:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2205 in tt_cmap12_char_map_binary()


________________________________________________________________________________________________________
*** CID 1206956:  Insecure data handling  (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2205 in tt_cmap12_char_map_binary()
2199           char_code++;
2200     
2201         min = 0;
2202         max = num_groups;
2203     
2204         /* binary search */
>>>     CID 1206956:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "max" as a loop boundary.
2205         while ( min < max )
2206         {
2207           mid = ( min + max ) >> 1;
2208           p   = cmap->data + 16 + 12 * mid;
2209     
2210           start = TT_NEXT_ULONG( p );


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1448?tab=overview



