Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.

29 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
51 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 29 defect(s)


** CID 271747:    (RESOURCE_LEAK)
/usr.bin/mail/tty.c: 325 in grabh()
/usr.bin/mail/tty.c: 332 in grabh()
/usr.bin/mail/tty.c: 336 in grabh()
/usr.bin/mail/tty.c: 340 in grabh()


________________________________________________________________________________________________________
*** CID 271747:    (RESOURCE_LEAK)
/usr.bin/mail/tty.c: 325 in grabh()
319     	 * Do this irrespective of whether the initial string is empty.
320     	 * Otherwise, the editing is inconsistent.
321     	 */
322     	disable_erase_and_kill(&ttybuf);
323     
324     	if (gflags & GTO) {
>>>     CID 271747:    (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "readtty("To: ", detract(hp->h_to, 0))" leaks it.
325     		hp->h_to =
326     		    extract(readtty("To: ", detract(hp->h_to, 0)), GTO);
327     	}
328     	if (gflags & GSUBJECT) {
329     		hp->h_subject = readtty("Subject: ", hp->h_subject);
330     	}
/usr.bin/mail/tty.c: 332 in grabh()
326     		    extract(readtty("To: ", detract(hp->h_to, 0)), GTO);
327     	}
328     	if (gflags & GSUBJECT) {
329     		hp->h_subject = readtty("Subject: ", hp->h_subject);
330     	}
331     	if (gflags & GCC) {
>>>     CID 271747:    (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "readtty("Cc: ", detract(hp->h_cc, 0))" leaks it.
332     		hp->h_cc =
333     		    extract(readtty("Cc: ", detract(hp->h_cc, 0)), GCC);
334     	}
335     	if (gflags & GBCC) {
336     		hp->h_bcc =
337     		    extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
/usr.bin/mail/tty.c: 336 in grabh()
330     	}
331     	if (gflags & GCC) {
332     		hp->h_cc =
333     		    extract(readtty("Cc: ", detract(hp->h_cc, 0)), GCC);
334     	}
335     	if (gflags & GBCC) {
>>>     CID 271747:    (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "readtty("Bcc: ", detract(hp->h_bcc, 0))" leaks it.
336     		hp->h_bcc =
337     		    extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
338     	}
339     	if (gflags & GSMOPTS) {
340     		hp->h_smopts =
341     		    shextract(readtty("Smopts: ", detract(hp->h_smopts, 0)),
/usr.bin/mail/tty.c: 340 in grabh()
334     	}
335     	if (gflags & GBCC) {
336     		hp->h_bcc =
337     		    extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
338     	}
339     	if (gflags & GSMOPTS) {
>>>     CID 271747:    (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "readtty("Smopts: ", detract(hp->h_smopts, 0))" leaks it.
340     		hp->h_smopts =
341     		    shextract(readtty("Smopts: ", detract(hp->h_smopts, 0)),
342     			GSMOPTS);
343     	}
344     #ifdef MIME_SUPPORT
345     	if (gflags & GSMOPTS) {	/* XXX - Use a new flag for this? */

** CID 1066199:  Control flow issues  (MISSING_BREAK)
/bin/sh/parser.c: 526 in command()


________________________________________________________________________________________________________
*** CID 1066199:  Control flow issues  (MISSING_BREAK)
/bin/sh/parser.c: 526 in command()
520     		 *	X= ; $X && $X
521     		 * -->          &&
522     		 * I am not sure if this is intended to be legal or not.
523     		 */
524     		if (!redir)
525     			synexpect(-1, 0);
>>>     CID 1066199:  Control flow issues  (MISSING_BREAK)
>>>     The above case falls through to this one.
526     	case TWORD:
527     		tokpushback++;
528     		n1 = simplecmd(rpp, redir);
529     		goto checkneg;
530     	case TENDCASE:
531     		if (redir) {

** CID 1193400:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2705 in sljit_emit_op_flags()


________________________________________________________________________________________________________
*** CID 1193400:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2705 in sljit_emit_op_flags()
2699     		*inst++ = (reg_map[TMP_REG1] <= 7) ? REX : REX_B;
2700     		*inst++ = GROUP_0F;
2701     		*inst++ = cond_set;
2702     		*inst++ = MOD_REG | reg_lmap[TMP_REG1];
2703     		*inst++ = REX | (reg_map[TMP_REG1] <= 7 ? 0 : REX_R) | (reg_map[dst] <= 7 ? 0 : REX_B);
2704     		*inst++ = OR_rm8_r8;
>>>     CID 1193400:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "reg_lmap" of 17 bytes at byte offset 63 using index "dst" (which evaluates to 63).
2705     		*inst++ = MOD_REG | (reg_lmap[TMP_REG1] << 3) | reg_lmap[dst];
2706     		return SLJIT_SUCCESS;
2707     	}
2708     
2709     	reg = (op == SLJIT_MOV && FAST_IS_REG(dst)) ? dst : TMP_REG1;
2710     

** CID 1193401:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2703 in sljit_emit_op_flags()


________________________________________________________________________________________________________
*** CID 1193401:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2703 in sljit_emit_op_flags()
2697     		INC_SIZE(4 + 3);
2698     		/* Set low register to conditional flag. */
2699     		*inst++ = (reg_map[TMP_REG1] <= 7) ? REX : REX_B;
2700     		*inst++ = GROUP_0F;
2701     		*inst++ = cond_set;
2702     		*inst++ = MOD_REG | reg_lmap[TMP_REG1];
>>>     CID 1193401:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "reg_map" of 17 bytes at byte offset 63 using index "dst" (which evaluates to 63).
2703     		*inst++ = REX | (reg_map[TMP_REG1] <= 7 ? 0 : REX_R) | (reg_map[dst] <= 7 ? 0 : REX_B);
2704     		*inst++ = OR_rm8_r8;
2705     		*inst++ = MOD_REG | (reg_lmap[TMP_REG1] << 3) | reg_lmap[dst];
2706     		return SLJIT_SUCCESS;
2707     	}
2708     

** CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()


________________________________________________________________________________________________________
*** CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
812     		kmem_free(endpoints, nendpt * sizeof(struct usbd_endpoint));
813     	}
814     	KASSERT(iface->ui_idesc != NULL);
815     
816     	req.bmRequestType = UT_WRITE_INTERFACE;
817     	req.bRequest = UR_SET_INTERFACE;
>>>     CID 1362404:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bAlternateSetting >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
818     	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
819     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820     	USETW(req.wLength, 0);
821     	return usbd_do_request(iface->ui_dev, &req, 0);
822     }
823     

** CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()


________________________________________________________________________________________________________
*** CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
813     	}
814     	KASSERT(iface->ui_idesc != NULL);
815     
816     	req.bmRequestType = UT_WRITE_INTERFACE;
817     	req.bRequest = UR_SET_INTERFACE;
818     	USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
>>>     CID 1362405:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
819     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820     	USETW(req.wLength, 0);
821     	return usbd_do_request(iface->ui_dev, &req, 0);
822     }
823     
824     int

** CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()


________________________________________________________________________________________________________
*** CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
689     	 */
690     	pipe->up_methods->upm_cleartoggle(pipe);
691     
692     	req.bmRequestType = UT_WRITE_ENDPOINT;
693     	req.bRequest = UR_CLEAR_FEATURE;
694     	USETW(req.wValue, UF_ENDPOINT_HALT);
>>>     CID 1362406:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
695     	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
696     	USETW(req.wLength, 0);
697     	err = usbd_do_request(dev, &req, 0);
698     #if 0
699     XXX should we do this?
700     	if (!err) {

** CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()


________________________________________________________________________________________________________
*** CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
714     
715     	pipe->up_methods->upm_cleartoggle(pipe);
716     
717     	req.bmRequestType = UT_WRITE_ENDPOINT;
718     	req.bRequest = UR_CLEAR_FEATURE;
719     	USETW(req.wValue, UF_ENDPOINT_HALT);
>>>     CID 1362408:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
720     	USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
721     	USETW(req.wLength, 0);
722     	(void)usbd_do_request(dev, &req, 0);
723     }
724     
725     void

** CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()


________________________________________________________________________________________________________
*** CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
850     {
851     	usb_device_request_t req;
852     
853     	req.bmRequestType = UT_READ_INTERFACE;
854     	req.bRequest = UR_GET_INTERFACE;
855     	USETW(req.wValue, 0);
>>>     CID 1362409:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
856     	USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
857     	USETW(req.wLength, 1);
858     	return usbd_do_request(iface->ui_dev, &req, aiface);
859     }
860     
861     /*** Internal routines ***/

** CID 1362412:  Control flow issues  (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()


________________________________________________________________________________________________________
*** CID 1362412:  Control flow issues  (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
340         /* Any string left? Check that '0x' is not followed by white space. */
341     
342         if (!(*String) || isspace ((int) *String) || *String == '\t')
343         {
344             if (Base == ACPI_ANY_BASE)
345             {
>>>     CID 1362412:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto ErrorExit;".
346                 goto ErrorExit;
347             }
348             else
349             {
350                 goto AllDone;
351             }

** CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()


________________________________________________________________________________________________________
*** CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
372     			/* Default to error */
373     			buflen = -1;
374     		}
375     		break;
376     	case C(UR_GET_DESCRIPTOR, UT_READ_CLASS_DEVICE):
377     		buflen = min(len, sizeof(usbroothub_hubd));
>>>     CID 1362414:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "buf" to "memcpy", which dereferences it.
378     		memcpy(buf, &usbroothub_hubd, buflen);
379     		break;
380     	case C(UR_GET_INTERFACE, UT_READ_INTERFACE):
381     		/* Get Interface, 9.4.4 */
382     		if (len > 0) {
383     			uint8_t *out = buf;

** CID 1362417:    (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()


________________________________________________________________________________________________________
*** CID 1362417:    (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268     		if (rlen + l > blen) {
2269     			if (debug)
2270     				addlog(" [overflow]");
2271     			continue;
2272     		}
2273     		/* Add the option to nak'ed list. */
>>>     CID 1362417:    (TAINTED_SCALAR)
>>>     Passing tainted variable "l" to a tainted sink.
2274     		memcpy(r, p, l);
2275     		r += l;
2276     		rlen += l;
2277     	}
2278     	if (rlen) {
2279     		if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {

** CID 1362422:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitLir.c: 1437 in check_sljit_emit_op_flags()


________________________________________________________________________________________________________
*** CID 1362422:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitLir.c: 1437 in check_sljit_emit_op_flags()
1431     	sljit_s32 dst, sljit_sw dstw,
1432     	sljit_s32 src, sljit_sw srcw,
1433     	sljit_s32 type)
1434     {
1435     #if (defined SLJIT_ARGUMENT_CHECKS && SLJIT_ARGUMENT_CHECKS)
1436     	CHECK_ARGUMENT(!(type & ~(0xff | SLJIT_I32_OP)));
>>>     CID 1362422:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "(type & 0xff) >= 0" is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.
1437     	CHECK_ARGUMENT((type & 0xff) >= SLJIT_EQUAL && (type & 0xff) <= SLJIT_ORDERED_F64);
1438     	CHECK_ARGUMENT(op == SLJIT_MOV || GET_OPCODE(op) == SLJIT_MOV_U32 || GET_OPCODE(op) == SLJIT_MOV_S32
1439     		|| (GET_OPCODE(op) >= SLJIT_AND && GET_OPCODE(op) <= SLJIT_XOR));
1440     	CHECK_ARGUMENT((op & (SLJIT_SET_U | SLJIT_SET_S | SLJIT_SET_O | SLJIT_SET_C)) == 0);
1441     	CHECK_ARGUMENT((op & (SLJIT_SET_E | SLJIT_KEEP_FLAGS)) != (SLJIT_SET_E | SLJIT_KEEP_FLAGS));
1442     	if (GET_OPCODE(op) < SLJIT_ADD) {

** CID 1362423:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2971 in sljit_x86_emit_cmov()


________________________________________________________________________________________________________
*** CID 1362423:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2971 in sljit_x86_emit_cmov()
2965     	sljit_u8* inst;
2966     
2967     	CHECK_ERROR();
2968     #if (defined SLJIT_ARGUMENT_CHECKS && SLJIT_ARGUMENT_CHECKS)
2969     	CHECK_ARGUMENT(sljit_x86_is_cmov_available());
2970     	CHECK_ARGUMENT(!(type & ~(0xff | SLJIT_I32_OP)));
>>>     CID 1362423:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "(type & 0xff) >= 0" is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.
2971     	CHECK_ARGUMENT((type & 0xff) >= SLJIT_EQUAL && (type & 0xff) <= SLJIT_ORDERED_F64);
2972     	CHECK_ARGUMENT(FUNCTION_CHECK_IS_REG(dst_reg & ~SLJIT_I32_OP));
2973     	FUNCTION_CHECK_SRC(src, srcw);
2974     #endif
2975     #if (defined SLJIT_VERBOSE && SLJIT_VERBOSE)
2976     	if (SLJIT_UNLIKELY(!!compiler->verbose)) {

** CID 1362424:  Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/autofit/afcjk.c: 154 in af_cjk_metrics_init_widths()


________________________________________________________________________________________________________
*** CID 1362424:  Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/autofit/afcjk.c: 154 in af_cjk_metrics_init_widths()
148           af_shaper_buf_destroy( face, shaper_buf );
149     
150           if ( !glyph_index )
151             goto Exit;
152     
153           if ( !glyph_index )
>>>     CID 1362424:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto Exit;".
154             goto Exit;
155     
156           FT_TRACE5(( "standard character: U+%04lX (glyph index %d)\n",
157                       ch, glyph_index ));
158     
159           error = FT_Load_Glyph( face, glyph_index, FT_LOAD_NO_SCALE );

** CID 1362425:  Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/sfobjs.c: 955 in sfnt_init_face()


________________________________________________________________________________________________________
*** CID 1362425:  Control flow issues  (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/sfobjs.c: 955 in sfnt_init_face()
949                  instance_size * num_instances > fvar_len )
950             num_instances = 0;
951     
952           /* we support at most 2^15 - 1 instances */
953           if ( num_instances >= ( 1U << 15 ) - 1 )
954           {
>>>     CID 1362425:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "if (face_instance_index >= ...".
955             if ( face_instance_index >= 0 )
956               return FT_THROW( Invalid_Argument );
957             else
958               num_instances = 0;
959           }
960     

** CID 1362426:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 5041 in test54()


________________________________________________________________________________________________________
*** CID 1362426:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 5041 in test54()
5035     }
5036     
5037     static void test54(void)
5038     {
5039     	/* Check x86 cmov. */
5040     	executable_code code;
>>>     CID 1362426:  Null pointer dereferences  (NULL_RETURNS)
>>>     Assigning: "compiler" = null return value from "sljit_create_compiler".
5041     	struct sljit_compiler* compiler = sljit_create_compiler(NULL);
5042     	sljit_sw buf[6];
5043     	sljit_s32 ibuf[6];
5044     
5045     	if (verbose)
5046     		printf("Run test53\n");

** CID 1362427:  Null pointer dereferences  (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/bdf/bdflib.c: 1151 in _bdf_add_property()


________________________________________________________________________________________________________
*** CID 1362427:  Null pointer dereferences  (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/bdf/bdflib.c: 1151 in _bdf_add_property()
1145     
1146           fp = font->props + font->props_size;
1147           FT_MEM_ZERO( fp, sizeof ( bdf_property_t ) );
1148           font->props_size++;
1149         }
1150     
>>>     CID 1362427:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "propid".
1151         if ( *propid >= _num_bdf_properties )
1152           prop = font->user_props + ( *propid - _num_bdf_properties );
1153         else
1154           prop = (bdf_property_t*)_bdf_properties + *propid;
1155     
1156         fp = font->props + font->props_used;

** CID 1362428:  Memory - corruptions  (OVERRUN)
/usr.bin/mail/complete.c: 1153 in my_gets()


________________________________________________________________________________________________________
*** CID 1362428:  Memory - corruptions  (OVERRUN)
/usr.bin/mail/complete.c: 1153 in my_gets()
1147     		if (buf[cnt - 1] == '\n')
1148     			cnt--;	/* trash the trailing LF */
1149     
1150     		len = MIN(sizeof(line) - 1, (size_t)cnt);
1151     		(void)memcpy(line, buf, len);
1152     	}
>>>     CID 1362428:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "line" of 2048 bytes at byte offset 2048 using index "cnt" (which evaluates to 2048).
1153     	line[cnt] = '\0';
1154     
1155     	/* enter non-empty lines into history */
1156     	if (em->hist) {
1157     		const char *p;
1158     

** CID 1362429:    (RESOURCE_LEAK)
/usr.bin/mail/mime_attach.c: 832 in sget_encoding()
/usr.bin/mail/mime_attach.c: 838 in sget_encoding()
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()


________________________________________________________________________________________________________
*** CID 1362429:    (RESOURCE_LEAK)
/usr.bin/mail/mime_attach.c: 832 in sget_encoding()
826     	for (;;) {
827     		ename = get_line(&elm.mime_enc, "encoding", ename, num);
828     
829     		if (*ename == '\0') {
830     			if (defename == NULL)
831     				defename = content_encoding_by_name(filename, ctype);
>>>     CID 1362429:    (RESOURCE_LEAK)
>>>     Overwriting "ename" in "ename = defename" leaks the storage that "ename" points to.
832     			ename = defename;
833     		}
834     		else if (mime_fio_encoder(ename) == NULL) {
835     			const void *cookie;
836     			(void)printf("Sorry: valid encoding modes are: ");
837     			cookie = NULL;
/usr.bin/mail/mime_attach.c: 838 in sget_encoding()
832     			ename = defename;
833     		}
834     		else if (mime_fio_encoder(ename) == NULL) {
835     			const void *cookie;
836     			(void)printf("Sorry: valid encoding modes are: ");
837     			cookie = NULL;
>>>     CID 1362429:    (RESOURCE_LEAK)
>>>     Overwriting "ename" in "ename = mime_next_encoding_name(&cookie)" leaks the storage that "ename" points to.
838     			ename = mime_next_encoding_name(&cookie);
839     			for (;;) {
840     				(void)printf("%s", ename);
841     				ename = mime_next_encoding_name(&cookie);
842     				if (ename == NULL)
843     					break;
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
849     		else {
850     			if (strcmp(ename, *str) != 0)
851     				*str = savestr(ename);
852     			break;
853     		}
854     	}
>>>     CID 1362429:    (RESOURCE_LEAK)
>>>     Variable "ename" going out of scope leaks the storage it points to.
855     }
856     
857     /*
858      * Edit an attachment list.
859      * Return the new attachment list.
860      */
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
849     		else {
850     			if (strcmp(ename, *str) != 0)
851     				*str = savestr(ename);
852     			break;
853     		}
854     	}
>>>     CID 1362429:    (RESOURCE_LEAK)
>>>     Variable "ename" going out of scope leaks the storage it points to.
855     }
856     
857     /*
858      * Edit an attachment list.
859      * Return the new attachment list.
860      */


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview

To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782


