Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
28 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
51 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 28 defect(s)
** CID 271747: (RESOURCE_LEAK)
/usr.bin/mail/tty.c: 325 in grabh()
/usr.bin/mail/tty.c: 332 in grabh()
/usr.bin/mail/tty.c: 336 in grabh()
/usr.bin/mail/tty.c: 340 in grabh()
________________________________________________________________________________________________________
*** CID 271747: (RESOURCE_LEAK)
/usr.bin/mail/tty.c: 325 in grabh()
319 * Do this irrespective of whether the initial string is empty.
320 * Otherwise, the editing is inconsistent.
321 */
322 disable_erase_and_kill(&ttybuf);
323
324 if (gflags & GTO) {
>>> CID 271747: (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "readtty("To: ", detract(hp->h_to, 0))" leaks it.
325 hp->h_to =
326 extract(readtty("To: ", detract(hp->h_to, 0)), GTO);
327 }
328 if (gflags & GSUBJECT) {
329 hp->h_subject = readtty("Subject: ", hp->h_subject);
330 }
/usr.bin/mail/tty.c: 332 in grabh()
326 extract(readtty("To: ", detract(hp->h_to, 0)), GTO);
327 }
328 if (gflags & GSUBJECT) {
329 hp->h_subject = readtty("Subject: ", hp->h_subject);
330 }
331 if (gflags & GCC) {
>>> CID 271747: (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "readtty("Cc: ", detract(hp->h_cc, 0))" leaks it.
332 hp->h_cc =
333 extract(readtty("Cc: ", detract(hp->h_cc, 0)), GCC);
334 }
335 if (gflags & GBCC) {
336 hp->h_bcc =
337 extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
/usr.bin/mail/tty.c: 336 in grabh()
330 }
331 if (gflags & GCC) {
332 hp->h_cc =
333 extract(readtty("Cc: ", detract(hp->h_cc, 0)), GCC);
334 }
335 if (gflags & GBCC) {
>>> CID 271747: (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "readtty("Bcc: ", detract(hp->h_bcc, 0))" leaks it.
336 hp->h_bcc =
337 extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
338 }
339 if (gflags & GSMOPTS) {
340 hp->h_smopts =
341 shextract(readtty("Smopts: ", detract(hp->h_smopts, 0)),
/usr.bin/mail/tty.c: 340 in grabh()
334 }
335 if (gflags & GBCC) {
336 hp->h_bcc =
337 extract(readtty("Bcc: ", detract(hp->h_bcc, 0)), GBCC);
338 }
339 if (gflags & GSMOPTS) {
>>> CID 271747: (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "readtty("Smopts: ", detract(hp->h_smopts, 0))" leaks it.
340 hp->h_smopts =
341 shextract(readtty("Smopts: ", detract(hp->h_smopts, 0)),
342 GSMOPTS);
343 }
344 #ifdef MIME_SUPPORT
345 if (gflags & GSMOPTS) { /* XXX - Use a new flag for this? */
** CID 1066199: Control flow issues (MISSING_BREAK)
/bin/sh/parser.c: 526 in command()
________________________________________________________________________________________________________
*** CID 1066199: Control flow issues (MISSING_BREAK)
/bin/sh/parser.c: 526 in command()
520 * X= ; $X && $X
521 * --> &&
522 * I am not sure if this is intended to be legal or not.
523 */
524 if (!redir)
525 synexpect(-1, 0);
>>> CID 1066199: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
526 case TWORD:
527 tokpushback++;
528 n1 = simplecmd(rpp, redir);
529 goto checkneg;
530 case TENDCASE:
531 if (redir) {
** CID 1193401: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2738 in sljit_emit_op_flags()
________________________________________________________________________________________________________
*** CID 1193401: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2738 in sljit_emit_op_flags()
2732 || (defined SLJIT_ARGUMENT_CHECKS && SLJIT_ARGUMENT_CHECKS)
2733 compiler->skip_checks = 1;
2734 #endif
2735 return sljit_emit_op2(compiler, op, dst, dstw, dst, dstw, TMP_REG1, 0);
2736 #else /* SLJIT_CONFIG_X86_64 */
2737 if (GET_OPCODE(op) < SLJIT_ADD && FAST_IS_REG(dst)) {
>>> CID 1193401: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "reg_map" of 13 bytes at byte offset 63 using index "dst" (which evaluates to 63).
2738 if (reg_map[dst] <= 4) {
2739 /* Low byte is accessible. */
2740 inst = (sljit_u8*)ensure_buf(compiler, 1 + 3 + 3);
2741 FAIL_IF(!inst);
2742 INC_SIZE(3 + 3);
2743 /* Set low byte to conditional flag. */
** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 818 in usbd_set_interface()
812 kmem_free(endpoints, nendpt * sizeof(struct usbd_endpoint));
813 }
814 KASSERT(iface->ui_idesc != NULL);
815
816 req.bmRequestType = UT_WRITE_INTERFACE;
817 req.bRequest = UR_SET_INTERFACE;
>>> CID 1362404: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bAlternateSetting >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
818 USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
819 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 USETW(req.wLength, 0);
821 return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823
** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
________________________________________________________________________________________________________
*** CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 819 in usbd_set_interface()
813 }
814 KASSERT(iface->ui_idesc != NULL);
815
816 req.bmRequestType = UT_WRITE_INTERFACE;
817 req.bRequest = UR_SET_INTERFACE;
818 USETW(req.wValue, iface->ui_idesc->bAlternateSetting);
>>> CID 1362405: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
819 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
820 USETW(req.wLength, 0);
821 return usbd_do_request(iface->ui_dev, &req, 0);
822 }
823
824 int
** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
________________________________________________________________________________________________________
*** CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 695 in usbd_clear_endpoint_stall()
689 */
690 pipe->up_methods->upm_cleartoggle(pipe);
691
692 req.bmRequestType = UT_WRITE_ENDPOINT;
693 req.bRequest = UR_CLEAR_FEATURE;
694 USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362406: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
695 USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
696 USETW(req.wLength, 0);
697 err = usbd_do_request(dev, &req, 0);
698 #if 0
699 XXX should we do this?
700 if (!err) {
** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
________________________________________________________________________________________________________
*** CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 720 in usbd_clear_endpoint_stall_task()
714
715 pipe->up_methods->upm_cleartoggle(pipe);
716
717 req.bmRequestType = UT_WRITE_ENDPOINT;
718 req.bRequest = UR_CLEAR_FEATURE;
719 USETW(req.wValue, UF_ENDPOINT_HALT);
>>> CID 1362408: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "pipe->up_endpoint->ue_edesc->bEndpointAddress >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
720 USETW(req.wIndex, pipe->up_endpoint->ue_edesc->bEndpointAddress);
721 USETW(req.wLength, 0);
722 (void)usbd_do_request(dev, &req, 0);
723 }
724
725 void
** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
________________________________________________________________________________________________________
*** CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/dev/usb/usbdi.c: 856 in usbd_get_interface()
850 {
851 usb_device_request_t req;
852
853 req.bmRequestType = UT_READ_INTERFACE;
854 req.bRequest = UR_GET_INTERFACE;
855 USETW(req.wValue, 0);
>>> CID 1362409: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "iface->ui_idesc->bInterfaceNumber >> 8" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
856 USETW(req.wIndex, iface->ui_idesc->bInterfaceNumber);
857 USETW(req.wLength, 1);
858 return usbd_do_request(iface->ui_dev, &req, aiface);
859 }
860
861 /*** Internal routines ***/
** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
________________________________________________________________________________________________________
*** CID 1362412: Control flow issues (DEADCODE)
/sys/external/bsd/acpica/dist/utilities/utnonansi.c: 346 in AcpiUtStrtoul64()
340 /* Any string left? Check that '0x' is not followed by white space. */
341
342 if (!(*String) || isspace ((int) *String) || *String == '\t')
343 {
344 if (Base == ACPI_ANY_BASE)
345 {
>>> CID 1362412: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto ErrorExit;".
346 goto ErrorExit;
347 }
348 else
349 {
350 goto AllDone;
351 }
** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
________________________________________________________________________________________________________
*** CID 1362414: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/usbroothub.c: 378 in roothub_ctrl_start()
372 /* Default to error */
373 buflen = -1;
374 }
375 break;
376 case C(UR_GET_DESCRIPTOR, UT_READ_CLASS_DEVICE):
377 buflen = min(len, sizeof(usbroothub_hubd));
>>> CID 1362414: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "buf" to "memcpy", which dereferences it.
378 memcpy(buf, &usbroothub_hubd, buflen);
379 break;
380 case C(UR_GET_INTERFACE, UT_READ_INTERFACE):
381 /* Get Interface, 9.4.4 */
382 if (len > 0) {
383 uint8_t *out = buf;
** CID 1362415: Control flow issues (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()
________________________________________________________________________________________________________
*** CID 1362415: Control flow issues (MISSING_BREAK)
/sys/dev/usb/usb.c: 776 in usbioctl()
770 if (ptr) {
771 len = UGETW(ur->ucr_request.wLength);
772 kmem_free(ptr, len);
773 }
774 }
775
>>> CID 1362415: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
776 case USB_DEVICEINFO:
777 {
778 struct usbd_device *dev;
779 struct usb_device_info *di = (void *)data;
780 int addr = di->udi_addr;
781
** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
________________________________________________________________________________________________________
*** CID 1362417: (TAINTED_SCALAR)
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
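>>> Passing tainted variable "l" to a tainted sink.
>>> The check on line 2268 (rlen + l > blen) bounds the write into "r"; whether "l" is also validated against the data remaining at "p" is not visible in this excerpt and should be confirmed when triaging.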
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
/sys/net/if_spppsubr.c: 2274 in sppp_lcp_RCR()
2268 if (rlen + l > blen) {
2269 if (debug)
2270 addlog(" [overflow]");
2271 continue;
2272 }
2273 /* Add the option to nak'ed list. */
>>> CID 1362417: (TAINTED_SCALAR)
>>> Passing tainted variable "l" to a tainted sink.
2274 memcpy(r, p, l);
2275 r += l;
2276 rlen += l;
2277 }
2278 if (rlen) {
2279 if (++sp->fail_counter[IDX_LCP] >= sp->lcp.max_failure) {
** CID 1362422: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitLir.c: 1437 in check_sljit_emit_op_flags()
________________________________________________________________________________________________________
*** CID 1362422: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitLir.c: 1437 in check_sljit_emit_op_flags()
1431 sljit_s32 dst, sljit_sw dstw,
1432 sljit_s32 src, sljit_sw srcw,
1433 sljit_s32 type)
1434 {
1435 #if (defined SLJIT_ARGUMENT_CHECKS && SLJIT_ARGUMENT_CHECKS)
1436 CHECK_ARGUMENT(!(type & ~(0xff | SLJIT_I32_OP)));
>>> CID 1362422: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "(type & 0xff) >= 0" is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.
1437 CHECK_ARGUMENT((type & 0xff) >= SLJIT_EQUAL && (type & 0xff) <= SLJIT_ORDERED_F64);
1438 CHECK_ARGUMENT(op == SLJIT_MOV || GET_OPCODE(op) == SLJIT_MOV_U32 || GET_OPCODE(op) == SLJIT_MOV_S32
1439 || (GET_OPCODE(op) >= SLJIT_AND && GET_OPCODE(op) <= SLJIT_XOR));
1440 CHECK_ARGUMENT((op & (SLJIT_SET_U | SLJIT_SET_S | SLJIT_SET_O | SLJIT_SET_C)) == 0);
1441 CHECK_ARGUMENT((op & (SLJIT_SET_E | SLJIT_KEEP_FLAGS)) != (SLJIT_SET_E | SLJIT_KEEP_FLAGS));
1442 if (GET_OPCODE(op) < SLJIT_ADD) {
** CID 1362423: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2971 in sljit_x86_emit_cmov()
________________________________________________________________________________________________________
*** CID 1362423: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/sys/external/bsd/sljit/dist/sljit_src/sljitNativeX86_common.c: 2971 in sljit_x86_emit_cmov()
2965 sljit_u8* inst;
2966
2967 CHECK_ERROR();
2968 #if (defined SLJIT_ARGUMENT_CHECKS && SLJIT_ARGUMENT_CHECKS)
2969 CHECK_ARGUMENT(sljit_x86_is_cmov_available());
2970 CHECK_ARGUMENT(!(type & ~(0xff | SLJIT_I32_OP)));
>>> CID 1362423: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "(type & 0xff) >= 0" is always true regardless of the values of its operands. This occurs as the logical first operand of '&&'.
2971 CHECK_ARGUMENT((type & 0xff) >= SLJIT_EQUAL && (type & 0xff) <= SLJIT_ORDERED_F64);
2972 CHECK_ARGUMENT(FUNCTION_CHECK_IS_REG(dst_reg & ~SLJIT_I32_OP));
2973 FUNCTION_CHECK_SRC(src, srcw);
2974 #endif
2975 #if (defined SLJIT_VERBOSE && SLJIT_VERBOSE)
2976 if (SLJIT_UNLIKELY(!!compiler->verbose)) {
** CID 1362424: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/autofit/afcjk.c: 154 in af_cjk_metrics_init_widths()
________________________________________________________________________________________________________
*** CID 1362424: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/autofit/afcjk.c: 154 in af_cjk_metrics_init_widths()
148 af_shaper_buf_destroy( face, shaper_buf );
149
150 if ( !glyph_index )
151 goto Exit;
152
153 if ( !glyph_index )
>>> CID 1362424: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto Exit;".
154 goto Exit;
155
156 FT_TRACE5(( "standard character: U+%04lX (glyph index %d)\n",
157 ch, glyph_index ));
158
159 error = FT_Load_Glyph( face, glyph_index, FT_LOAD_NO_SCALE );
** CID 1362425: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/sfobjs.c: 955 in sfnt_init_face()
________________________________________________________________________________________________________
*** CID 1362425: Control flow issues (DEADCODE)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/sfnt/sfobjs.c: 955 in sfnt_init_face()
949 instance_size * num_instances > fvar_len )
950 num_instances = 0;
951
952 /* we support at most 2^15 - 1 instances */
953 if ( num_instances >= ( 1U << 15 ) - 1 )
954 {
>>> CID 1362425: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "if (face_instance_index >= ...".
955 if ( face_instance_index >= 0 )
956 return FT_THROW( Invalid_Argument );
957 else
958 num_instances = 0;
959 }
960
** CID 1362426: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 5041 in test54()
________________________________________________________________________________________________________
*** CID 1362426: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 5041 in test54()
5035 }
5036
5037 static void test54(void)
5038 {
5039 /* Check x86 cmov. */
5040 executable_code code;
>>> CID 1362426: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "compiler" = null return value from "sljit_create_compiler".
5041 struct sljit_compiler* compiler = sljit_create_compiler(NULL);
5042 sljit_sw buf[6];
5043 sljit_s32 ibuf[6];
5044
5045 if (verbose)
5046 printf("Run test53\n");
** CID 1362427: Null pointer dereferences (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/bdf/bdflib.c: 1151 in _bdf_add_property()
________________________________________________________________________________________________________
*** CID 1362427: Null pointer dereferences (NULL_RETURNS)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/bdf/bdflib.c: 1151 in _bdf_add_property()
1145
1146 fp = font->props + font->props_size;
1147 FT_MEM_ZERO( fp, sizeof ( bdf_property_t ) );
1148 font->props_size++;
1149 }
1150
>>> CID 1362427: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "propid".
1151 if ( *propid >= _num_bdf_properties )
1152 prop = font->user_props + ( *propid - _num_bdf_properties );
1153 else
1154 prop = (bdf_property_t*)_bdf_properties + *propid;
1155
1156 fp = font->props + font->props_used;
** CID 1362428: Memory - corruptions (OVERRUN)
/usr.bin/mail/complete.c: 1153 in my_gets()
________________________________________________________________________________________________________
*** CID 1362428: Memory - corruptions (OVERRUN)
/usr.bin/mail/complete.c: 1153 in my_gets()
1147 if (buf[cnt - 1] == '\n')
1148 cnt--; /* trash the trailing LF */
1149
1150 len = MIN(sizeof(line) - 1, (size_t)cnt);
1151 (void)memcpy(line, buf, len);
1152 }
>>> CID 1362428: Memory - corruptions (OVERRUN)
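>>> Overrunning array "line" of 2048 bytes at byte offset 2048 using index "cnt" (which evaluates to 2048).
>>> The memcpy on line 1151 is clamped to "len" (at most sizeof(line) - 1), but the terminator on line 1153 is written at index "cnt", which is not clamped.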
1153 line[cnt] = '\0';
1154
1155 /* enter non-empty lines into history */
1156 if (em->hist) {
1157 const char *p;
1158
** CID 1362429: (RESOURCE_LEAK)
/usr.bin/mail/mime_attach.c: 832 in sget_encoding()
/usr.bin/mail/mime_attach.c: 838 in sget_encoding()
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
________________________________________________________________________________________________________
*** CID 1362429: (RESOURCE_LEAK)
/usr.bin/mail/mime_attach.c: 832 in sget_encoding()
826 for (;;) {
827 ename = get_line(&elm.mime_enc, "encoding", ename, num);
828
829 if (*ename == '\0') {
830 if (defename == NULL)
831 defename = content_encoding_by_name(filename, ctype);
>>> CID 1362429: (RESOURCE_LEAK)
>>> Overwriting "ename" in "ename = defename" leaks the storage that "ename" points to.
832 ename = defename;
833 }
834 else if (mime_fio_encoder(ename) == NULL) {
835 const void *cookie;
836 (void)printf("Sorry: valid encoding modes are: ");
837 cookie = NULL;
/usr.bin/mail/mime_attach.c: 838 in sget_encoding()
832 ename = defename;
833 }
834 else if (mime_fio_encoder(ename) == NULL) {
835 const void *cookie;
836 (void)printf("Sorry: valid encoding modes are: ");
837 cookie = NULL;
>>> CID 1362429: (RESOURCE_LEAK)
>>> Overwriting "ename" in "ename = mime_next_encoding_name(&cookie)" leaks the storage that "ename" points to.
838 ename = mime_next_encoding_name(&cookie);
839 for (;;) {
840 (void)printf("%s", ename);
841 ename = mime_next_encoding_name(&cookie);
842 if (ename == NULL)
843 break;
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
849 else {
850 if (strcmp(ename, *str) != 0)
851 *str = savestr(ename);
852 break;
853 }
854 }
>>> CID 1362429: (RESOURCE_LEAK)
>>> Variable "ename" going out of scope leaks the storage it points to.
855 }
856
857 /*
858 * Edit an attachment list.
859 * Return the new attachment list.
860 */
/usr.bin/mail/mime_attach.c: 855 in sget_encoding()
849 else {
850 if (strcmp(ename, *str) != 0)
851 *str = savestr(ename);
852 break;
853 }
854 }
>>> CID 1362429: (RESOURCE_LEAK)
>>> Variable "ename" going out of scope leaks the storage it points to.
855 }
856
857 /*
858 * Edit an attachment list.
859 * Return the new attachment list.
860 */
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-i386-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782