Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD



Hi,

Please find below the latest report on new defect(s) introduced to NetBSD
(NetBSD-amd64-user), found with Coverity Scan.

Defect(s) Reported-by: Coverity Scan
Showing 7 of 34 defects
        
** CID 1125965: Unintended sign extension (SIGN_EXTENSION)
/lib/libc/stdlib/mrand48.c: 32

** CID 1125964: Unintended sign extension (SIGN_EXTENSION)
/lib/libc/stdlib/jrand48.c: 38

** CID 1125963: Missing break in switch (MISSING_BREAK)
/external/mit/lua/dist/src/llex.c: 364

** CID 1125962: Dereference after null check (FORWARD_NULL)
/external/mit/lua/dist/src/lparser.c: 989

** CID 1125961: Dereference after null check (FORWARD_NULL)
/external/mit/lua/dist/src/lparser.c: 988

** CID 1125960: Logically dead code (DEADCODE)
/external/mit/lua/dist/src/llex.c: 185

** CID 1125884: Double close (USE_AFTER_FREE)
/tests/net/net/t_unix.c: 247


________________________________________________________________________
CID 1125965: Unintended sign extension (SIGN_EXTENSION)

/lib/libc/stdlib/mrand48.c: 32 ( sign_extension)
   29    mrand48(void)
   30    {
   31           __dorand48(__rand48_seed);
>>> CID 1125965: Unintended sign extension (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "__rand48_seed[2]" with type "unsigned 
>>> short" (16 bits, unsigned) is promoted in "(__int16_t)__rand48_seed[2] * 
>>> 65536 + __rand48_seed[1]" to type "int" (32 bits, signed), then 
>>> sign-extended to type "long" (64 bits, signed).  If 
>>> "(__int16_t)__rand48_seed[2] * 65536 + __rand48_seed[1]" is greater than 
>>> 0x7FFFFFFF, the upper bits of the result will all be 1.
   32           return (int16_t)__rand48_seed[2] * 65536 + __rand48_seed[1];
   33    }
  
________________________________________________________________________
CID 1125964: Unintended sign extension (SIGN_EXTENSION)

/lib/libc/stdlib/jrand48.c: 38 ( sign_extension)
   35           _DIAGASSERT(xseed != NULL);
   36    
   37           __dorand48(xseed);
>>> CID 1125964: Unintended sign extension (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "xseed[2]" with type "unsigned short" 
>>> (16 bits, unsigned) is promoted in "(__int16_t)xseed[2] * 65536 + xseed[1]" 
>>> to type "int" (32 bits, signed), then sign-extended to type "long" (64 
>>> bits, signed).  If "(__int16_t)xseed[2] * 65536 + xseed[1]" is greater than 
>>> 0x7FFFFFFF, the upper bits of the result will all be 1.
   38           return (int16_t)xseed[2] * 65536 + xseed[1];
   39    }
  
________________________________________________________________________
CID 1125963: Missing break in switch (MISSING_BREAK)

/external/mit/lua/dist/src/llex.c: 364 ( unterminated_case)
   361              next(ls);
   362            continue;
   363          }
>>> CID 1125963: Missing break in switch (MISSING_BREAK)
>>> This case (value 91) is not terminated by a 'break' statement.
   364          case '[': {
   365            int sep = skip_sep(ls);
   366            if (sep >= 0) {
   367              read_long_string(ls, seminfo, sep);
   368              return TK_STRING;
  

/external/mit/lua/dist/src/llex.c: 373 ( fallthrough)
   370            else if (sep == -1) return '[';
   371            else luaX_lexerror(ls, "invalid long string delimiter", 
TK_STRING);
   372          }
>>> The above case falls through to this one.
   373          case '=': {
   374            next(ls);
   375            if (ls->current != '=') return '=';
   376            else { next(ls); return TK_EQ; }
   377          }
  
________________________________________________________________________
CID 1125962: Dereference after null check (FORWARD_NULL)

/external/mit/lua/dist/src/lparser.c: 985 ( var_compare_op)
   982        upval |= bl->upval;
   983        bl = bl->previous;
   984      }
>>> Comparing "bl" to null implies that "bl" might be null.
   985      if (!bl)
   986        luaX_syntaxerror(ls, "no loop to break");
   987      if (upval)
   988        luaK_codeABC(fs, OP_CLOSE, bl->nactvar, 0, 0);
   989      luaK_concat(fs, &bl->breaklist, luaK_jump(fs));
  

/external/mit/lua/dist/src/lparser.c: 989 ( var_deref_model)
   986        luaX_syntaxerror(ls, "no loop to break");
   987      if (upval)
   988        luaK_codeABC(fs, OP_CLOSE, bl->nactvar, 0, 0);
>>> CID 1125962: Dereference after null check (FORWARD_NULL)
>>> Passing null pointer "&bl->breaklist" to function "luaK_concat(FuncState *, 
>>> int *, int)", which dereferences it.
   989      luaK_concat(fs, &bl->breaklist, luaK_jump(fs));
   990    }
   991    
   992    
   993    static void whilestat (LexState *ls, int line) {
  
________________________________________________________________________
CID 1125961: Dereference after null check (FORWARD_NULL)

/external/mit/lua/dist/src/lparser.c: 985 ( var_compare_op)
   982        upval |= bl->upval;
   983        bl = bl->previous;
   984      }
>>> Comparing "bl" to null implies that "bl" might be null.
   985      if (!bl)
   986        luaX_syntaxerror(ls, "no loop to break");
   987      if (upval)
   988        luaK_codeABC(fs, OP_CLOSE, bl->nactvar, 0, 0);
   989      luaK_concat(fs, &bl->breaklist, luaK_jump(fs));
  

/external/mit/lua/dist/src/lparser.c: 988 ( var_deref_op)
   985      if (!bl)
   986        luaX_syntaxerror(ls, "no loop to break");
   987      if (upval)
>>> CID 1125961: Dereference after null check (FORWARD_NULL)
>>> Dereferencing null pointer "bl".
   988        luaK_codeABC(fs, OP_CLOSE, bl->nactvar, 0, 0);
   989      luaK_concat(fs, &bl->breaklist, luaK_jump(fs));
   990    }
   991    
   992    
  
________________________________________________________________________
CID 1125960: Logically dead code (DEADCODE)

/external/mit/lua/dist/src/llex.c: 183 ( assignment)
   180    
   181    static void trydecpoint (LexState *ls, SemInfo *seminfo) {
   182      /* format error: try to update decimal point separator */
>>> Assigning: "cv" = "NULL".
   183      struct lconv *cv = localeconv();
   184      char old = ls->decpoint;
   185      ls->decpoint = (cv ? cv->decimal_point[0] : '.');
   186      buffreplace(ls, old, ls->decpoint);  /* try updated decimal 
separator */
   187      if (!luaO_str2d(luaZ_buffer(ls->buff), &seminfo->r)) {
  

/external/mit/lua/dist/src/llex.c: 185 ( null)
   182      /* format error: try to update decimal point separator */
   183      struct lconv *cv = localeconv();
   184      char old = ls->decpoint;
>>> At condition "cv", the value of "cv" must be NULL.
   185      ls->decpoint = (cv ? cv->decimal_point[0] : '.');
   186      buffreplace(ls, old, ls->decpoint);  /* try updated decimal 
separator */
   187      if (!luaO_str2d(luaZ_buffer(ls->buff), &seminfo->r)) {
   188        /* format error with correct decimal point: no more options */
   189        buffreplace(ls, ls->decpoint, '.');  /* undo change (for error 
message) */
  

/external/mit/lua/dist/src/llex.c: 185 ( dead_error_condition)
   182      /* format error: try to update decimal point separator */
   183      struct lconv *cv = localeconv();
   184      char old = ls->decpoint;
>>> The condition "cv" cannot be true.
   185      ls->decpoint = (cv ? cv->decimal_point[0] : '.');
   186      buffreplace(ls, old, ls->decpoint);  /* try updated decimal 
separator */
   187      if (!luaO_str2d(luaZ_buffer(ls->buff), &seminfo->r)) {
   188        /* format error with correct decimal point: no more options */
   189        buffreplace(ls, ls->decpoint, '.');  /* undo change (for error 
message) */
  

/external/mit/lua/dist/src/llex.c: 185 ( dead_error_line)
   182      /* format error: try to update decimal point separator */
   183      struct lconv *cv = localeconv();
   184      char old = ls->decpoint;
>>> CID 1125960: Logically dead code (DEADCODE)
>>> Execution cannot reach this expression "cv->decimal_point[0]" inside 
>>> statement "ls->decpoint = (cv ? cv->de...".
   185      ls->decpoint = (cv ? cv->decimal_point[0] : '.');
   186      buffreplace(ls, old, ls->decpoint);  /* try updated decimal 
separator */
   187      if (!luaO_str2d(luaZ_buffer(ls->buff), &seminfo->r)) {
   188        /* format error with correct decimal point: no more options */
   189        buffreplace(ls, ls->decpoint, '.');  /* undo change (for error 
message) */
  
________________________________________________________________________
CID 1125884: Double close (USE_AFTER_FREE)

/tests/net/net/t_unix.c: 188 ( closed_arg)
   185                  FAIL("connect");
   186    
   187          if (closeit) {
>>> "close(int)" closes "clnt".
   188                  if (close(clnt) == -1)
   189                          FAIL("close");
   190          }
   191    
   192          acpt = acc(srvr);
  

/tests/net/net/t_unix.c: 247 ( double_close)
   244    fail:
   245          (void)close(acpt);
   246          (void)close(srvr);
>>> CID 1125884: Double close (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "clnt" which has already been closed.
   247          (void)close(clnt);
   248          free(sock_addr);
   249          free(sun);
   250          return -1;
   251    }
  
________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com

To unsubscribe from the email notification for new defects, visit
http://scan5.coverity.com/cgi-bin/unsubscribe.py

