Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-amd64-user



Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
28 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
39 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 28 defect(s)
** CID 420802: Resource leaks (RESOURCE_LEAK)
/external/gpl3/gdb/dist/gdb/breakpoint.c: 9657 in create_breakpoint()
________________________________________________________________________________________________________
*** CID 420802: Resource leaks (RESOURCE_LEAK)
/external/gpl3/gdb/dist/gdb/breakpoint.c: 9657 in create_breakpoint()
9651 else
9652 	throw_exception (e);
9653 }
9654 END_CATCH
9655 
9656 if (VEC_empty (linespec_sals, canonical.sals))
>>> CID 420802: Resource leaks (RESOURCE_LEAK)
>>> Variable "copy_arg" going out of scope leaks the storage it points to.
>>> Reviewer note: the early "return 0" at 9657 runs before the cleanup chain is built at 9660, so whatever allocated copy_arg earlier (not in this excerpt) is never released on the empty-sals path; either free it before returning or register its cleanup before this point.
9657 return 0;
9658 
9659 /* Create a chain of things that always need to be cleaned up. */
9660 old_chain = make_cleanup_destroy_linespec_result (&canonical);
9661 
9662 /* ----------------------------- SNIP -----------------------------
** CID 1025004: Security best practices violations (TOCTOU)
/usr.bin/make/meta.c: 437 in meta_create()
________________________________________________________________________________________________________
*** CID 1025004: Security best practices violations (TOCTOU)
/usr.bin/make/meta.c: 437 in meta_create()
431 	 fprintf(debug_file, "Skipping meta for %s: no commands\n",
432 		 gn->name);
433 	goto out;
434 }
435 
436 /* make sure these are canonical */
>>> CID 1025004: Security best practices violations (TOCTOU)
>>> Calling function "realpath" that uses "dname" after a check function. This can cause a time-of-check, time-of-use race condition.
>>> Reviewer note: the check function Coverity refers to is not in this excerpt, so the practical impact cannot be judged from here; in the lines shown the canonicalized path is only used for a string comparison against curdir at 441 to decide whether a meta file is written.
437 if (realpath(dname, objdir))
438 	dname = objdir;
439 
440 /* If we aren't in the object directory, don't create a meta file. */
441 if (!metaCurdirOk && strcmp(curdir, dname) == 0) {
442 	if (DEBUG(META))
** CID 1025006: Null pointer dereferences (REVERSE_INULL)
/usr.bin/make/meta.c: 703 in meta_job_error()
________________________________________________________________________________________________________
*** CID 1025006: Null pointer dereferences (REVERSE_INULL)
/usr.bin/make/meta.c: 703 in meta_job_error()
697 }
698 if (gn) {
699 	Var_Set(".ERROR_TARGET", gn->path ? gn->path : gn->name, VAR_GLOBAL, 0);
700 }
701 getcwd(cwd, sizeof(cwd));
702 Var_Set(".ERROR_CWD", cwd, VAR_GLOBAL, 0);
>>> CID 1025006: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "pbm" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
>>> Reviewer note: pbm is assigned either &job->bm or &Mybm (see CID 1025009, lines 685-690 of the same function), neither of which can be NULL, so the "pbm &&" test is dead code; the real defect in this function is the job dereference reported there, not a missing NULL check here.
703 if (pbm && pbm->meta_fname[0]) {
704 	Var_Set(".ERROR_META_FILE", pbm->meta_fname, VAR_GLOBAL, 0);
705 }
706 meta_job_finish(job);
707 }
708 
** CID 1025007: (RESOURCE_LEAK)
/usr.bin/make/meta.c: 1393 in meta_oodate()
/usr.bin/make/meta.c: 1393 in meta_oodate()
________________________________________________________________________________________________________
*** CID 1025007: (RESOURCE_LEAK)
/usr.bin/make/meta.c: 1393 in meta_oodate()
1387 	 * All we can sanely do is set it to .ALLSRC.
1388 	 */
1389 	Var_Delete(OODATE, gn);
1390 	Var_Set(OODATE, Var_Value(ALLSRC, gn, &cp), gn, 0);
1391 	free(cp);
1392 }
>>> CID 1025007: (RESOURCE_LEAK)
>>> Variable "missingFiles" going out of scope leaks the storage it points to.
1393 return oodate;
1394 }
1395 
1396 /* support for compat mode */
1397 
1398 static int childPipe[2];
/usr.bin/make/meta.c: 1393 in meta_oodate()
1387 	 * All we can sanely do is set it to .ALLSRC.
1388 	 */
1389 	Var_Delete(OODATE, gn);
1390 	Var_Set(OODATE, Var_Value(ALLSRC, gn, &cp), gn, 0);
1391 	free(cp);
1392 }
>>> CID 1025007: (RESOURCE_LEAK)
>>> Variable "missingFiles" going out of scope leaks the storage it points to.
1393 return oodate;
1394 }
1395 
1396 /* support for compat mode */
1397 
1398 static int childPipe[2];
** CID 1025008: (RESOURCE_LEAK)
/usr.bin/make/meta.c: 614 in meta_mode_init()
/usr.bin/make/meta.c: 620 in meta_mode_init()
________________________________________________________________________________________________________
*** CID 1025008: (RESOURCE_LEAK)
/usr.bin/make/meta.c: 614 in meta_mode_init()
608 /*
609 * We ignore any paths that start with ${.MAKE.META.IGNORE_PATHS}
610 */
611 metaIgnorePaths = Lst_Init(FALSE);
612 Var_Append(MAKE_META_IGNORE_PATHS,
613 	 "/dev /etc /proc /tmp /var/run /var/tmp ${TMPDIR}", VAR_GLOBAL);
>>> CID 1025008: (RESOURCE_LEAK)
>>> Overwriting "cp" in "cp = Var_Subst(NULL, "${.MAKE.META.IGNORE_PATHS:O:u:tA}", VAR_GLOBAL, 2)" leaks the storage that "cp" points to.
>>> Reviewer note: the earlier assignment to cp is not in this excerpt; it needs a matching free() before 614. For the second event at 620, a free(cp) after the if block is correct only if str2Lst_Append() copies the strings it is given — confirm before adding it.
614 cp = Var_Subst(NULL,
615 		 "${" MAKE_META_IGNORE_PATHS ":O:u:tA}", VAR_GLOBAL,
616 		 VARF_WANTRES);
617 if (cp) {
618 	str2Lst_Append(metaIgnorePaths, cp, NULL);
619 }
/usr.bin/make/meta.c: 620 in meta_mode_init()
614 cp = Var_Subst(NULL,
615 		 "${" MAKE_META_IGNORE_PATHS ":O:u:tA}", VAR_GLOBAL,
616 		 VARF_WANTRES);
617 if (cp) {
618 	str2Lst_Append(metaIgnorePaths, cp, NULL);
619 }
>>> CID 1025008: (RESOURCE_LEAK)
>>> Variable "cp" going out of scope leaks the storage it points to.
620 }
621 
622 /*
623 * In each case below we allow for job==NULL
624 */
625 void
** CID 1025009: Null pointer dereferences (FORWARD_NULL)
/usr.bin/make/meta.c: 689 in meta_job_error()
________________________________________________________________________________________________________
*** CID 1025009: Null pointer dereferences (FORWARD_NULL)
/usr.bin/make/meta.c: 689 in meta_job_error()
683 BuildMon *pbm;
684 
685 if (job != NULL) {
686 	pbm = &job->bm;
687 } else {
688 	if (!gn)
>>> CID 1025009: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "job".
>>> Reviewer note: this else branch is entered only when job == NULL, so "gn = job->node" dereferences NULL whenever gn is also NULL. The assignment was most likely meant for the job != NULL branch (e.g. "if (!gn) gn = job->node;" after "pbm = &job->bm;"); otherwise gn must be required to be non-NULL when job is NULL.
689 	 gn = job->node;
690 	pbm = &Mybm;
691 }
692 if (pbm->mfp != NULL) {
693 	fprintf(pbm->mfp, "*** Error code %d%s\n",
694 		status,
** CID 1249927: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/exec.c: 375 in exec_file_command()
________________________________________________________________________________________________________
*** CID 1249927: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/exec.c: 375 in exec_file_command()
369 for (; (*argv != NULL) && (**argv == '-'); argv++)
370 {;
371 }
372 if (*argv == NULL)
373 error (_("No executable file name was specified"));
374 
>>> CID 1249927: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "filename" = "tilde_expand", which taints "filename".
>>> Reviewer note: the tainted value is gdb's own command argument; in an interactive debugger running as the invoking user this is that user's input, so the finding is informational unless gdb runs with more privilege than the user supplying the argument.
375 filename = tilde_expand (*argv);
376 make_cleanup (xfree, filename);
377 exec_file_attach (filename, from_tty);
378 
379 do_cleanups (cleanups);
380 }
** CID 1354291: Control flow issues (DEADCODE)
/external/gpl3/gdb/dist/gdb/common/fileio.c: 97 in fileio_to_host_openflags()
________________________________________________________________________________________________________
*** CID 1354291: Control flow issues (DEADCODE)
/external/gpl3/gdb/dist/gdb/common/fileio.c: 97 in fileio_to_host_openflags()
91 open_flags |= O_EXCL;
92 if (fileio_open_flags & FILEIO_O_TRUNC)
93 open_flags |= O_TRUNC;
94 if (fileio_open_flags & FILEIO_O_APPEND)
95 open_flags |= O_APPEND;
96 if (fileio_open_flags & FILEIO_O_RDONLY)
>>> CID 1354291: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "open_flags |= 0;".
>>> Reviewer note: O_RDONLY is 0 on this platform, so the OR is a no-op rather than a logic error; it can stay as documentation of the mapping or be dropped.
97 open_flags |= O_RDONLY;
98 if (fileio_open_flags & FILEIO_O_WRONLY)
99 open_flags |= O_WRONLY;
100 if (fileio_open_flags & FILEIO_O_RDWR)
101 open_flags |= O_RDWR;
102 /* On systems supporting binary and text mode, always open files
** CID 1354292: Control flow issues (MISSING_BREAK)
/external/gpl3/gdb/dist/bfd/reloc.c: 7491 in bfd_default_reloc_type_lookup()
________________________________________________________________________________________________________
*** CID 1354292: Control flow issues (MISSING_BREAK)
/external/gpl3/gdb/dist/bfd/reloc.c: 7491 in bfd_default_reloc_type_lookup()
7485 	 return &bfd_howto_32;
7486 	case 16:
7487 	 BFD_FAIL ();
7488 	default:
7489 	 BFD_FAIL ();
7490 	}
>>> CID 1354292: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
>>> Reviewer note: every arm involved calls BFD_FAIL(), so the fall-through is behaviorally harmless; a /* FALLTHROUGH */ comment or merging the arms would silence it.
7491 default:
7492 BFD_FAIL ();
7493 }
7494 return NULL;
7495 }
7496 
** CID 1354293: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 1354293: Integer handling issues (NEGATIVE_RETURNS)
/bin/sh/parser.c: 728 in parseheredoc()
722 		here = heredoclist;
723 		heredoclist = here->next;
724 		if (needprompt) {
725 			setprompt(2);
726 			needprompt = 0;
727 		}
>>> CID 1354293: Integer handling issues (NEGATIVE_RETURNS)
>>> Passing variable "pgetc()" to a parameter that cannot be negative.
>>> Reviewer note: pgetc() returns a negative end-of-input sentinel, so this is only a real defect if readtoken1() (not in this excerpt) uses the value as an index or character before checking for it; an unterminated here-document at end of input would be the trigger.
728 		readtoken1(pgetc(), here->here->type == NHERE? SQSYNTAX : DQSYNTAX,
729 				here->eofmark, here->striptabs);
730 		n = (union node *)stalloc(sizeof (struct narg));
731 		n->narg.type = NARG;
732 		n->narg.next = NULL;
733 		n->narg.text = wordtext;
** CID 1354294: Memory - corruptions (OVERRUN)
/external/gpl3/gdb/dist/gdb/ada-lang.c: 8590 in to_fixed_array_type()
________________________________________________________________________________________________________
*** CID 1354294: Memory - corruptions (OVERRUN)
/external/gpl3/gdb/dist/gdb/ada-lang.c: 8590 in to_fixed_array_type()
8584 {
8585 const char *type_name = ada_type_name (type0);
8586 
8587 if (type_name != NULL)
8588 	{
8589 	 const int len = strlen (type_name);
>>> CID 1354294: Memory - corruptions (OVERRUN)
>>> Allocating insufficient memory for the terminating null of the string.
>>> Reviewer note: in the 'P' branch shown the final string (len - 1 bytes + xa_suffix + NUL) fits exactly, but the intermediate strcpy(name, type_name) at 8594 writes len + 1 bytes and is only in bounds if xa_suffix is at least one character; the else branch is not shown. Allocating len + strlen(xa_suffix) + 1 removes the dependence.
8590 	 char *name = (char *) alloca (len + strlen (xa_suffix));
8591 
8592 	 if (type_name[len - 1] == 'P')
8593 	 {
8594 	 strcpy (name, type_name);
8595 	 strcpy (name + len - 1, xa_suffix);
** CID 1354295: Memory - illegal accesses (OVERRUN)
/usr.bin/ftp/cmds.c: 1974 in dotrans()
________________________________________________________________________________________________________
*** CID 1354295: Memory - illegal accesses (OVERRUN)
/usr.bin/ftp/cmds.c: 1974 in dotrans()
1968 	size_t i, ostop;
1969 
1970 	for (ostop = 0; ntout[ostop] && ostop < sizeof(ntout); ostop++)
1971 		continue;
1972 	for (cp1 = src; *cp1; cp1++) {
1973 		int found = 0;
>>> CID 1354295: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "ntin" of 17 bytes at byte offset 17 using index "i" (which evaluates to 17).
>>> Reviewer note: the element is read before the bound is tested, so a completely filled table (no NUL) reads one past the end; swap the conjuncts: "i < sizeof(ntin) && ntin[i]".
1974 		for (i = 0; ntin[i] && i < sizeof(ntin); i++) {
1975 			if (*cp1 == ntin[i]) {
1976 				found++;
1977 				if (i < ostop) {
1978 					*cp2++ = ntout[i];
1979 					if (cp2 - dst >= (ptrdiff_t)(dlen - 1))
** CID 1354296: Memory - illegal accesses (OVERRUN)
/usr.bin/ftp/cmds.c: 1970 in dotrans()
________________________________________________________________________________________________________
*** CID 1354296: Memory - illegal accesses (OVERRUN)
/usr.bin/ftp/cmds.c: 1970 in dotrans()
1964 dotrans(char *dst, size_t dlen, const char *src)
1965 {
1966 	const char *cp1;
1967 	char *cp2 = dst;
1968 	size_t i, ostop;
1969 
>>> CID 1354296: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "ntout" of 17 bytes at byte offset 17 using index "ostop" (which evaluates to 17).
>>> Reviewer note: same pattern as CID 1354295 — test the bound before the element: "ostop < sizeof(ntout) && ntout[ostop]".
1970 	for (ostop = 0; ntout[ostop] && ostop < sizeof(ntout); ostop++)
1971 		continue;
1972 	for (cp1 = src; *cp1; cp1++) {
1973 		int found = 0;
1974 		for (i = 0; ntin[i] && i < sizeof(ntin); i++) {
1975 			if (*cp1 == ntin[i]) {
** CID 1354297: (STRING_NULL)
/lib/libedit/read.c: 317 in read_char()
/lib/libedit/read.c: 317 in read_char()
________________________________________________________________________________________________________
*** CID 1354297: (STRING_NULL)
/lib/libedit/read.c: 317 in read_char()
311 	char cbuf[MB_LEN_MAX];
312 	size_t cbp = 0;
313 	int save_errno = errno;
314 
315 again:
316 	el->el_signal->sig_no = 0;
>>> CID 1354297: (STRING_NULL)
>>> Function "read" does not terminate string "cbuf[cbp]". [Note: The source code implementation of the function has been overridden by a builtin model.]
>>> Reviewer note: cbuf is a MB_LEN_MAX byte buffer whose fill is tracked by cbp, not a NUL-terminated string; this is likely a false positive unless cbuf is later handed to a string function, which is not visible in this excerpt.
317 	while ((num_read = read(el->el_infd, cbuf + cbp, (size_t)1)) == -1) {
318 		int e = errno;
319 		switch (el->el_signal->sig_no) {
320 		case SIGCONT:
321 			FUN(el,set)(el, EL_REFRESH);
322 			/*FALLTHROUGH*/
/lib/libedit/read.c: 317 in read_char()
311 	char cbuf[MB_LEN_MAX];
312 	size_t cbp = 0;
313 	int save_errno = errno;
314 
315 again:
316 	el->el_signal->sig_no = 0;
>>> CID 1354297: (STRING_NULL)
>>> Function "read" does not terminate string "cbuf[cbp]". [Note: The source code implementation of the function has been overridden by a builtin model.]
317 	while ((num_read = read(el->el_infd, cbuf + cbp, (size_t)1)) == -1) {
318 		int e = errno;
319 		switch (el->el_signal->sig_no) {
320 		case SIGCONT:
321 			FUN(el,set)(el, EL_REFRESH);
322 			/*FALLTHROUGH*/
** CID 1354298: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/top.c: 1733 in init_history()
________________________________________________________________________________________________________
*** CID 1354298: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/top.c: 1733 in init_history()
1727 
1728 void
1729 init_history (void)
1730 {
1731 char *tmpenv;
1732 
>>> CID 1354298: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "tmpenv" = "getenv", which taints "tmpenv".
>>> Reviewer note: the environment belongs to the user running gdb, so this is informational in the normal case; the declarations that follow (var, saved_errno, endptr) suggest the value is parsed with error checking — confirm the parsed size is range-checked before it is used to size the history.
1733 tmpenv = getenv ("GDBHISTSIZE");
1734 if (tmpenv)
1735 {
1736 long var;
1737 int saved_errno;
1738 char *endptr;
** CID 1354299: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/inferior.c: 865 in add_inferior_command()
________________________________________________________________________________________________________
*** CID 1354299: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/inferior.c: 865 in add_inferior_command()
859 		}
860 	 else if (strcmp (*argv, "-exec") == 0)
861 		{
862 		 ++argv;
863 		 if (!*argv)
864 		 error (_("No argument to -exec"));
>>> CID 1354299: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "exec" = "tilde_expand", which taints "exec".
>>> Reviewer note: as with CID 1249927, the value comes from the user's own gdb command line; informational unless gdb runs with more privilege than the user supplying it.
865 		 exec = tilde_expand (*argv);
866 		 make_cleanup (xfree, exec);
867 		}
868 	 }
869 	 else
870 	 error (_("Invalid argument"));
** CID 1354300: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1354300: Insecure data handling (TAINTED_SCALAR)
/external/gpl3/gdb/dist/gdb/exec.c: 173 in exec_file_locate_attach()
167 	 (If that fails, we'll just fall back on the original
168 	 filename. Not much more we can do...) */
169 if (!source_full_path_of (exec_file, &full_exec_path))
170 	full_exec_path = xstrdup (exec_file);
171 }
172 
>>> CID 1354300: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "full_exec_path" to a tainted sink.
>>> Reviewer note: full_exec_path is derived from exec_file (via source_full_path_of or xstrdup); the origin of exec_file is outside this excerpt, so whether this is more than the user's own input cannot be judged from here.
173 exec_file_attach (full_exec_path, from_tty);
174 symbol_file_add_main (full_exec_path, from_tty);
175 }
176 
177 /* Set FILENAME as the new exec file.
178 
** CID 1354301: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 1972 in acpi_print_rsdt()
________________________________________________________________________________________________________
*** CID 1354301: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 1972 in acpi_print_rsdt()
1966 			addr = le32toh(rsdt->TableOffsetEntry[i]);
1967 			break;
1968 		case 8:
1969 			addr = le64toh(xsdt->TableOffsetEntry[i]);
1970 			break;
1971 		default:
>>> CID 1354301: Uninitialized variables (UNINIT)
>>> Using uninitialized value "addr".
>>> Reviewer note: with NDEBUG the assert is compiled out, and printf at 1974 then prints an indeterminate value; initialize addr (e.g. "addr = 0;" before the switch) or make the default arm an explicit error rather than an assert.
1972 			assert((addr == 0));
1973 		}
1974 		printf("0x%08lx", addr);
1975 	}
1976 	printf(" }\n");
1977 	printf(END_COMMENT);
** CID 1354302: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 2238 in acpi_handle_rsdt()
________________________________________________________________________________________________________
*** CID 1354302: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 2238 in acpi_handle_rsdt()
2232 			addr = le32toh(rsdt->TableOffsetEntry[i]);
2233 			break;
2234 		case 8:
2235 			addr = le64toh(xsdt->TableOffsetEntry[i]);
2236 			break;
2237 		default:
>>> CID 1354302: Uninitialized variables (UNINIT)
>>> Using uninitialized value "addr".
>>> Reviewer note: this one matters more than CID 1354301 — with NDEBUG the default arm leaves addr indeterminate and acpi_map_sdt(addr) at 2241 is called with it, then sdp->Length is dereferenced at 2242 without checking the mapping result. Initialize addr before the switch or fail hard in the default arm, and check sdp before using it if acpi_map_sdt() can fail (not shown here).
2238 			assert((addr == 0));
2239 		}
2240 
2241 		sdp = (ACPI_TABLE_HEADER *)acpi_map_sdt(addr);
2242 		if (acpi_checksum(sdp, sdp->Length)) {
2243 			warnx("RSDT entry %d (sig %.4s) is corrupt", i,
** CID 1354303: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 2474 in sdt_from_rsdt()
________________________________________________________________________________________________________
*** CID 1354303: Uninitialized variables (UNINIT)
/usr.sbin/acpitools/acpidump/acpi.c: 2474 in sdt_from_rsdt()
2468 			addr = le32toh(rsdt->TableOffsetEntry[i]);
2469 			break;
2470 		case 8:
2471 			addr = le64toh(xsdt->TableOffsetEntry[i]);
2472 			break;
2473 		default:
>>> CID 1354303: Uninitialized variables (UNINIT)
>>> Using uninitialized value "addr".
>>> Reviewer note: same pattern as CID 1354302 — under NDEBUG the default arm passes an indeterminate addr to acpi_map_sdt() at 2476; initialize addr before the switch or make the default arm an explicit error.
2474 			assert((addr == 0));
2475 		}
2476 		sdt = (ACPI_TABLE_HEADER *)acpi_map_sdt(addr);
2477 		if (last != NULL) {
2478 			if (sdt == last)
2479 				last = NULL;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview


