Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
72 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
9837 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 72 defect(s)
** CID 220011: Null pointer dereferences (FORWARD_NULL)
/external/mit/expat/dist/lib/xmlparse.c: 4448 in doProlog()
________________________________________________________________________________________________________
*** CID 220011: Null pointer dereferences (FORWARD_NULL)
/external/mit/expat/dist/lib/xmlparse.c: 4448 in doProlog()
4442 }
4443 groupConnector[prologState.level] = 0;
4444 if (dtd->in_eldecl) {
4445 int myindex = nextScaffoldPart(parser);
4446 if (myindex < 0)
4447 return XML_ERROR_NO_MEMORY;
>>> CID 220011: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dtd->scaffIndex".
4448 dtd->scaffIndex[dtd->scaffLevel] = myindex;
4449 dtd->scaffLevel++;
4450 dtd->scaffold[myindex].type = XML_CTYPE_SEQ;
4451 if (elementDeclHandler)
4452 handleDefault = XML_FALSE;
4453 }
** CID 502366: Control flow issues (MISSING_BREAK)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/infcodes.c: 120 in inflate_codes()
________________________________________________________________________________________________________
*** CID 502366: Control flow issues (MISSING_BREAK)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/infcodes.c: 120 in inflate_codes()
114 }
115 }
116 #endif /* !SLOW */
117 c->sub.code.need = c->lbits;
118 c->sub.code.tree = c->ltree;
119 c->mode = LEN;
>>> CID 502366: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
120 case LEN: /* i: get length/literal/eob next */
121 j = c->sub.code.need;
122 NEEDBITS(j)
123 t = c->sub.code.tree + ((uInt)b & inflate_mask[j]);
124 DUMPBITS(t->bits)
125 e = (uInt)(t->exop);
** CID 992299: Incorrect expression (MIXED_ENUMS)
/external/mit/expat/dist/lib/xmlparse.c: 1608 in XML_Parse()
________________________________________________________________________________________________________
*** CID 992299: Incorrect expression (MIXED_ENUMS)
/external/mit/expat/dist/lib/xmlparse.c: 1608 in XML_Parse()
1602 bufferPtr = buffer;
1603 bufferEnd = buffer + nLeftOver;
1604 positionPtr = bufferPtr;
1605 parseEndPtr = bufferEnd;
1606 eventPtr = bufferPtr;
1607 eventEndPtr = bufferPtr;
>>> CID 992299: Incorrect expression (MIXED_ENUMS)
>>> Mixing enum types "enum XML_Error" and "enum XML_Status" for "result".
1608 return result;
1609 }
1610 #endif /* not defined XML_CONTEXT_BYTES */
1611 else {
1612 void *buff = XML_GetBuffer(parser, len);
1613 if (buff == NULL)
** CID 1035579: Possible Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fcstat.c: 326 in FcFStatFs()
________________________________________________________________________________________________________
*** CID 1035579: Possible Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fcstat.c: 326 in FcFStatFs()
320 # error "BUG: No way to figure out with fstatfs()"
321 # endif
322 }
323 #endif
324 if (p)
325 {
>>> CID 1035579: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "if (!flag && strcmp(p, "nfs...".
326 if (!flag && strcmp (p, "nfs") == 0)
327 statb->is_remote_fs = FcTrue;
328 if (strcmp (p, "msdosfs") == 0 ||
329 strcmp (p, "pcfs") == 0)
330 statb->is_mtime_broken = FcTrue;
331 }
** CID 1035584: Resource leaks (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fccache.c: 270 in lock_cache()
________________________________________________________________________________________________________
*** CID 1035584: Resource leaks (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/fontconfig/dist/src/fccache.c: 270 in lock_cache()
264
265 static void
266 lock_cache (void)
267 {
268 FcMutex *lock;
269 retry:
>>> CID 1035584: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "lock" in "lock = (void *)cache_lock" leaks the storage that "lock" points to.
270 lock = fc_atomic_ptr_get (&cache_lock);
271 if (!lock) {
272 lock = (FcMutex *) malloc (sizeof (FcMutex));
273 FcMutexInit (lock);
274 if (!fc_atomic_ptr_cmpexch (&cache_lock, NULL, lock)) {
275 FcMutexFinish (lock);
** CID 1078671: Control flow issues (MISSING_RESTORE)
/external/mit/expat/dist/lib/xmlparse.c: 6041 in lookup()
________________________________________________________________________________________________________
*** CID 1078671: Control flow issues (MISSING_RESTORE)
/external/mit/expat/dist/lib/xmlparse.c: 6041 in lookup()
6035 i < step ? (i += newSize - step) : (i -= step);
6036 }
6037 }
6038 }
6039 table->v[i] = (NAMED *)table->mem->malloc_fcn(createSize);
6040 if (!table->v[i])
>>> CID 1078671: Control flow issues (MISSING_RESTORE)
>>> Value of non-local "table->size" that was verified to be "0U" is not restored as it was along other paths.
6041 return NULL;
6042 memset(table->v[i], 0, createSize);
6043 table->v[i]->name = name;
6044 (table->used)++;
6045 return table->v[i];
6046 }
** CID 1091568: (RESOURCE_LEAK)
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
________________________________________________________________________________________________________
*** CID 1091568: (RESOURCE_LEAK)
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
230 /* Read the comma-separated list of identifiers. */
231 while (token () != '>')
232 {
233 const char *id = require2 (ID, ',');
234 if (id == NULL)
235 id = ",";
>>> CID 1091568: (RESOURCE_LEAK)
>>> Overwriting "str" in "str = concat(str, id, NULL)" leaks the storage that "str" points to.
236 str = concat (str, id, (char *) 0);
237 }
238
239 /* Recognize the closing '>'. */
240 require ('>');
241 str = concat (str, ">", (char *) 0);
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
235 id = ",";
236 str = concat (str, id, (char *) 0);
237 }
238
239 /* Recognize the closing '>'. */
240 require ('>');
>>> CID 1091568: (RESOURCE_LEAK)
>>> Overwriting "str" in "str = concat(str, ">", NULL)" leaks the storage that "str" points to.
241 str = concat (str, ">", (char *) 0);
242
243 return str;
244 }
245
246
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 236 in require_template_declaration(const char *)()
230 /* Read the comma-separated list of identifiers. */
231 while (token () != '>')
232 {
233 const char *id = require2 (ID, ',');
234 if (id == NULL)
235 id = ",";
>>> CID 1091568: (RESOURCE_LEAK)
>>> Overwriting "str" in "str = concat(str, id, NULL)" leaks the storage that "str" points to.
236 str = concat (str, id, (char *) 0);
237 }
238
239 /* Recognize the closing '>'. */
240 require ('>');
241 str = concat (str, ">", (char *) 0);
/external/gpl3/gcc/dist/gcc/gengtype-parse.c: 241 in require_template_declaration(const char *)()
235 id = ",";
236 str = concat (str, id, (char *) 0);
237 }
238
239 /* Recognize the closing '>'. */
240 require ('>');
>>> CID 1091568: (RESOURCE_LEAK)
>>> Overwriting "str" in "str = concat(str, ">", NULL)" leaks the storage that "str" points to.
241 str = concat (str, ">", (char *) 0);
242
243 return str;
244 }
245
246
** CID 1206746: (BAD_SHIFT)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
________________________________________________________________________________________________________
*** CID 1206746: (BAD_SHIFT)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
282 /* backup over finished tables */
283 mask = (1 << w) - 1; /* needed on HP, cc -O bug */
284 while ((i & mask) != x[h])
285 {
286 h--; /* don't need to update q */
287 w -= l;
>>> CID 1206746: (BAD_SHIFT)
>>> In expression "1 << w", shifting by a negative amount has undefined behavior. The shift amount, "w", is -2.
288 mask = (1 << w) - 1;
289 }
290 }
291 }
292
293
/home/phil/cov/xsrc/external/mit/freetype/dist/src/gzip/inftrees.c: 288 in huft_build()
282 /* backup over finished tables */
283 mask = (1 << w) - 1; /* needed on HP, cc -O bug */
284 while ((i & mask) != x[h])
285 {
286 h--; /* don't need to update q */
287 w -= l;
>>> CID 1206746: (BAD_SHIFT)
>>> In expression "1 << w", shifting by a negative amount has undefined behavior. The shift amount, "w", is -1.
288 mask = (1 << w) - 1;
289 }
290 }
291 }
292
293
** CID 1206945: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 217 in T1_Read_PFM()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 155 in T1_Read_PFM()
________________________________________________________________________________________________________
*** CID 1206945: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 217 in T1_Read_PFM()
211 if ( oldcharmap != NULL )
212 error = FT_Set_Charmap( t1_face, oldcharmap );
213 if ( error )
214 goto Exit;
215
216 /* now, sort the kern pairs according to their glyph indices */
>>> CID 1206945: (TAINTED_SCALAR)
>>> Passing tainted variable "fi->NumKernPair" to a tainted sink.
217 ft_qsort( fi->KernPairs, fi->NumKernPair, sizeof ( AFM_KernPairRec ),
218 compare_kern_pairs );
219
220 Exit:
221 if ( error )
222 {
/home/phil/cov/xsrc/external/mit/freetype/dist/src/type1/t1afm.c: 155 in T1_Read_PFM()
149 if ( p + 2 > limit )
150 {
151 error = FT_THROW( Unknown_File_Format );
152 goto Exit;
153 }
154
>>> CID 1206945: (TAINTED_SCALAR)
>>> Assigning: "fi->NumKernPair" = "(FT_UInt16)(((FT_UInt16)(FT_Byte const *)p[1] << 8) | ((FT_UInt16)(FT_Byte const *)p[0] << 0))". Both are now tainted.
155 fi->NumKernPair = FT_PEEK_USHORT_LE( p );
156 p += 2;
157 if ( p + 4 * fi->NumKernPair > limit )
158 {
159 error = FT_THROW( Unknown_File_Format );
160 goto Exit;
** CID 1206946: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
________________________________________________________________________________________________________
*** CID 1206946: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
985 /* check glyph indices within the segment range */
986 if ( valid->level >= FT_VALIDATE_TIGHT )
987 {
988 FT_UInt i, idx;
989
990
>>> CID 1206946: (TAINTED_SCALAR)
>>> Using tainted variable "end" as a loop boundary.
991 for ( i = start; i < end; i++ )
992 {
993 idx = FT_NEXT_USHORT( p );
994 if ( idx != 0 )
995 {
996 idx = (FT_UInt)( idx + delta ) & 0xFFFFU;
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 991 in tt_cmap4_validate()
985 /* check glyph indices within the segment range */
986 if ( valid->level >= FT_VALIDATE_TIGHT )
987 {
988 FT_UInt i, idx;
989
990
>>> CID 1206946: (TAINTED_SCALAR)
>>> Using tainted variable "end" as a loop boundary.
991 for ( i = start; i < end; i++ )
992 {
993 idx = FT_NEXT_USHORT( p );
994 if ( idx != 0 )
995 {
996 idx = (FT_UInt)( idx + delta ) & 0xFFFFU;
** CID 1206947: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1542 in tt_cmap6_char_next()
________________________________________________________________________________________________________
*** CID 1206947: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1542 in tt_cmap6_char_next()
1536 if ( char_code < start )
1537 char_code = start;
1538
1539 idx = (FT_UInt)( char_code - start );
1540 p += 2 * idx;
1541
>>> CID 1206947: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1542 for ( ; idx < count; idx++ )
1543 {
1544 gindex = TT_NEXT_USHORT( p );
1545 if ( gindex != 0 )
1546 {
1547 result = char_code;
** CID 1206948: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1485 in tt_cmap6_validate()
________________________________________________________________________________________________________
*** CID 1206948: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1485 in tt_cmap6_validate()
1479 /* check glyph indices */
1480 if ( valid->level >= FT_VALIDATE_TIGHT )
1481 {
1482 FT_UInt gindex;
1483
1484
>>> CID 1206948: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1485 for ( ; count > 0; count-- )
1486 {
1487 gindex = TT_NEXT_USHORT( p );
1488 if ( gindex >= TT_VALID_GLYPH_COUNT( valid ) )
1489 FT_INVALID_GLYPH_ID;
1490 }
** CID 1206949: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1762 in tt_cmap8_char_index()
________________________________________________________________________________________________________
*** CID 1206949: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1762 in tt_cmap8_char_index()
1756 FT_UInt result = 0;
1757 FT_Byte* p = table + 8204;
1758 FT_UInt32 num_groups = TT_NEXT_ULONG( p );
1759 FT_UInt32 start, end, start_id;
1760
1761
>>> CID 1206949: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "num_groups" as a loop boundary.
1762 for ( ; num_groups > 0; num_groups-- )
1763 {
1764 start = TT_NEXT_ULONG( p );
1765 end = TT_NEXT_ULONG( p );
1766 start_id = TT_NEXT_ULONG( p );
1767
** CID 1206950: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1796 in tt_cmap8_char_next()
________________________________________________________________________________________________________
*** CID 1206950: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1796 in tt_cmap8_char_next()
1790 FT_UInt32 num_groups = TT_NEXT_ULONG( p );
1791 FT_UInt32 start, end, start_id;
1792
1793
1794 p = table + 8208;
1795
>>> CID 1206950: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "num_groups" as a loop boundary.
1796 for ( ; num_groups > 0; num_groups-- )
1797 {
1798 start = TT_NEXT_ULONG( p );
1799 end = TT_NEXT_ULONG( p );
1800 start_id = TT_NEXT_ULONG( p );
1801
** CID 1206951: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 264 in tt_face_get_kerning()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 239 in tt_face_get_kerning()
________________________________________________________________________________________________________
*** CID 1206951: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 264 in tt_face_get_kerning()
258 }
259 else /* linear search */
260 {
261 FT_UInt count2;
262
263
>>> CID 1206951: (TAINTED_SCALAR)
>>> Using tainted variable "count2" as a loop boundary.
264 for ( count2 = num_pairs; count2 > 0; count2-- )
265 {
266 FT_ULong key = FT_NEXT_ULONG( p );
267
268
269 if ( key == key0 )
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttkern.c: 239 in tt_face_get_kerning()
233 if ( face->kern_order_bits & mask ) /* binary search */
234 {
235 FT_UInt min = 0;
236 FT_UInt max = num_pairs;
237
238
>>> CID 1206951: (TAINTED_SCALAR)
>>> Using tainted variable "max" as a loop boundary.
239 while ( min < max )
240 {
241 FT_UInt mid = ( min + max ) >> 1;
242 FT_Byte* q = p + 6 * mid;
243 FT_ULong key;
244
** CID 1206952: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 318 in ft_var_load_avar()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
________________________________________________________________________________________________________
*** CID 1206952: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 318 in ft_var_load_avar()
312 goto Exit;
313
314 segment = &blend->avar_segment[0];
315 for ( i = 0; i < axisCount; ++i, ++segment )
316 {
317 segment->pairCount = FT_GET_USHORT();
>>> CID 1206952: (TAINTED_SCALAR)
>>> Casting narrower unsigned "segment->pairCount" to wider signed type "long" effectively tests its lower bound.
318 if ( FT_NEW_ARRAY( segment->correspondence, segment->pairCount ) )
319 {
320 /* Failure. Free everything we have done so far. We must do */
321 /* it right now since loading the `avar' table is optional. */
322
323 for ( j = i - 1; j >= 0; --j )
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
325
326 FT_FREE( blend->avar_segment );
327 blend->avar_segment = NULL;
328 goto Exit;
329 }
330
>>> CID 1206952: (TAINTED_SCALAR)
>>> Using tainted variable "segment->pairCount" as a loop boundary.
331 for ( j = 0; j < segment->pairCount; ++j )
332 {
333 segment->correspondence[j].fromCoord =
334 FT_GET_SHORT() << 2; /* convert to Fixed */
335 segment->correspondence[j].toCoord =
336 FT_GET_SHORT()<<2; /* convert to Fixed */
/home/phil/cov/xsrc/external/mit/freetype/dist/src/truetype/ttgxvar.c: 331 in ft_var_load_avar()
325
326 FT_FREE( blend->avar_segment );
327 blend->avar_segment = NULL;
328 goto Exit;
329 }
330
>>> CID 1206952: (TAINTED_SCALAR)
>>> Using tainted variable "segment->pairCount" as a loop boundary.
331 for ( j = 0; j < segment->pairCount; ++j )
332 {
333 segment->correspondence[j].fromCoord =
334 FT_GET_SHORT() << 2; /* convert to Fixed */
335 segment->correspondence[j].toCoord =
336 FT_GET_SHORT()<<2; /* convert to Fixed */
** CID 1206953: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 227 in load_format_20()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 230 in load_format_20()
________________________________________________________________________________________________________
*** CID 1206953: (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 227 in load_format_20()
221
222 /* now load the name strings */
223 {
224 FT_UShort n;
225
226
>>> CID 1206953: (TAINTED_SCALAR)
>>> Casting narrower unsigned "num_names" to wider signed type "long" effectively tests its lower bound.
227 if ( FT_NEW_ARRAY( name_strings, num_names ) )
228 goto Fail;
229
230 for ( n = 0; n < num_names; n++ )
231 {
232 FT_UInt len;
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttpost.c: 230 in load_format_20()
224 FT_UShort n;
225
226
227 if ( FT_NEW_ARRAY( name_strings, num_names ) )
228 goto Fail;
229
>>> CID 1206953: (TAINTED_SCALAR)
>>> Using tainted variable "num_names" as a loop boundary.
230 for ( n = 0; n < num_names; n++ )
231 {
232 FT_UInt len;
233
234
235 if ( FT_STREAM_POS() >= post_limit )
** CID 1206954: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1964 in tt_cmap10_char_next()
________________________________________________________________________________________________________
*** CID 1206954: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 1964 in tt_cmap10_char_next()
1958 if ( char_code < start )
1959 char_code = start;
1960
1961 idx = (FT_UInt32)( char_code - start );
1962 p += 2 * idx;
1963
>>> CID 1206954: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1964 for ( ; idx < count; idx++ )
1965 {
1966 gindex = TT_NEXT_USHORT( p );
1967 if ( gindex != 0 )
1968 break;
1969 char_code++;
** CID 1206955: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2158 in tt_cmap12_next()
________________________________________________________________________________________________________
*** CID 1206955: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2158 in tt_cmap12_next()
2152 end = TT_NEXT_ULONG( p );
2153 start_id = TT_PEEK_ULONG( p );
2154
2155 if ( char_code < start )
2156 char_code = start;
2157
>>> CID 1206955: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "end" as a loop boundary.
2158 for ( ; char_code <= end; char_code++ )
2159 {
2160 gindex = (FT_UInt)( start_id + char_code - start );
2161
2162 if ( gindex )
2163 {
** CID 1206956: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2205 in tt_cmap12_char_map_binary()
________________________________________________________________________________________________________
*** CID 1206956: Insecure data handling (TAINTED_SCALAR)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c: 2205 in tt_cmap12_char_map_binary()
2199 char_code++;
2200
2201 min = 0;
2202 max = num_groups;
2203
2204 /* binary search */
>>> CID 1206956: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "max" as a loop boundary.
2205 while ( min < max )
2206 {
2207 mid = ( min + max ) >> 1;
2208 p = cmap->data + 16 + 12 * mid;
2209
2210 start = TT_NEXT_ULONG( p );
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1448?tab=overview