New Defects reported by Coverity Scan for NetBSD-amd64-user
Hi,
Please find below the latest report on new defect(s) introduced to NetBSD-amd64-user, found with Coverity Scan.
35 new defect(s) introduced to NetBSD-amd64-user found with Coverity Scan.
37 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 35 defect(s)
** CID 530: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 121439 in sqlite3VtabBeginParse()
________________________________________________________________________________________________________
*** CID 530: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 121439 in sqlite3VtabBeginParse()
121433 /* Creating a virtual table invokes the authorization callback twice.
121434 ** The first invocation, to obtain permission to INSERT a row into the
121435 ** sqlite_master table, has already been made by sqlite3StartTable().
121436 ** The second call, to obtain permission to create the table, is made now.
121437 */
121438 if( pTable->azModuleArg ){
>>> CID 530: Error handling issues (CHECKED_RETURN)
>>> Calling "sqlite3AuthCheck" without checking return value (as is done elsewhere 29 out of 31 times).
121439 sqlite3AuthCheck(pParse, SQLITE_CREATE_VTABLE, pTable->zName,
121440 pTable->azModuleArg[0], pParse->db->aDb[iDb].zName);
121441 }
121442 #endif
121443 }
121444
** CID 604: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 119321 in sqlite3DropTriggerPtr()
________________________________________________________________________________________________________
*** CID 604: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 119321 in sqlite3DropTriggerPtr()
119315 SQLITE_PRIVATE void sqlite3DropTriggerPtr(Parse *pParse, Trigger *pTrigger){
119316 Table *pTable;
119317 Vdbe *v;
119318 sqlite3 *db = pParse->db;
119319 int iDb;
119320
>>> CID 604: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
119321 iDb = sqlite3SchemaToIndex(pParse->db, pTrigger->pSchema);
119322 assert( iDb>=0 && iDb<db->nDb );
119323 pTable = tableOfTrigger(pTrigger);
119324 assert( pTable );
119325 assert( pTable->pSchema==pTrigger->pSchema || iDb==1 );
119326 #ifndef SQLITE_OMIT_AUTHORIZATION
** CID 746: Integer handling issues (SIGN_EXTENSION)
/external/public-domain/sqlite/dist/sqlite3.c: 73382 in sqlite3VdbeSerialGet()
________________________________________________________________________________________________________
*** CID 746: Integer handling issues (SIGN_EXTENSION)
/external/public-domain/sqlite/dist/sqlite3.c: 73382 in sqlite3VdbeSerialGet()
73376 testcase( pMem->u.i<0 );
73377 return 3;
73378 }
73379 case 4: { /* 4-byte signed integer */
73380 /* EVIDENCE-OF: R-01849-26079 Value is a big-endian 32-bit
73381 ** twos-complement integer. */
>>> CID 746: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "buf[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "16777216 * (i8)buf[0] | (buf[1] << 16) | (buf[2] << 8) | buf[3]" to type "int" (32 bits, signed), then sign-extended to type "long long" (64 bits, signed). If "16777216 * (i8)buf[0] | (buf[1] << 16) | (buf[2] << 8) | buf[3]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
73382 pMem->u.i = FOUR_BYTE_INT(buf);
73383 #ifdef __HP_cc
73384 /* Work around a sign-extension bug in the HP compiler for HP/UX */
73385 if( buf[0]&0x80 ) pMem->u.i |= 0xffffffff80000000LL;
73386 #endif
73387 pMem->flags = MEM_Int;
** CID 201052: Memory - illegal accesses (UNINIT)
/external/public-domain/sqlite/dist/sqlite3.c: 114388 in generateColumnTypes()
________________________________________________________________________________________________________
*** CID 201052: Memory - illegal accesses (UNINIT)
/external/public-domain/sqlite/dist/sqlite3.c: 114388 in generateColumnTypes()
114382 SrcList *pTabList, /* List of tables */
114383 ExprList *pEList /* Expressions defining the result set */
114384 ){
114385 #ifndef SQLITE_OMIT_DECLTYPE
114386 Vdbe *v = pParse->pVdbe;
114387 int i;
>>> CID 201052: Memory - illegal accesses (UNINIT)
>>> Declaring variable "sNC" without initializer.
114388 NameContext sNC;
114389 sNC.pSrcList = pTabList;
114390 sNC.pParse = pParse;
114391 for(i=0; i<pEList->nExpr; i++){
114392 Expr *p = pEList->a[i].pExpr;
114393 const char *zType;
** CID 221496: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 87033 in memjrnlRead()
________________________________________________________________________________________________________
*** CID 221496: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 87033 in memjrnlRead()
87027 int iSpace = p->nChunkSize - iChunkOffset;
87028 int nCopy = MIN(nRead, (p->nChunkSize - iChunkOffset));
87029 memcpy(zOut, (u8*)pChunk->zChunk + iChunkOffset, nCopy);
87030 zOut += nCopy;
87031 nRead -= iSpace;
87032 iChunkOffset = 0;
>>> CID 221496: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pChunk".
87033 } while( nRead>=0 && (pChunk=pChunk->pNext)!=0 && nRead>0 );
87034 p->readpoint.iOffset = pChunk ? iOfst+iAmt : 0;
87035 p->readpoint.pChunk = pChunk;
87036
87037 return SQLITE_OK;
87038 }
** CID 718489: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 108026 in xferOptimization()
________________________________________________________________________________________________________
*** CID 718489: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 108026 in xferOptimization()
108020 for(pDestIdx=pDest->pIndex; pDestIdx; pDestIdx=pDestIdx->pNext){
108021 u8 idxInsFlags = 0;
108022 for(pSrcIdx=pSrc->pIndex; ALWAYS(pSrcIdx); pSrcIdx=pSrcIdx->pNext){
108023 if( xferCompatibleIndex(pDestIdx, pSrcIdx) ) break;
108024 }
108025 assert( pSrcIdx );
>>> CID 718489: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pSrcIdx".
108026 sqlite3VdbeAddOp3(v, OP_OpenRead, iSrc, pSrcIdx->tnum, iDbSrc);
108027 sqlite3VdbeSetP4KeyInfo(pParse, pSrcIdx);
108028 VdbeComment((v, "%s", pSrcIdx->zName));
108029 sqlite3VdbeAddOp3(v, OP_OpenWrite, iDest, pDestIdx->tnum, iDbDest);
108030 sqlite3VdbeSetP4KeyInfo(pParse, pDestIdx);
108031 sqlite3VdbeChangeP5(v, OPFLAG_BULKCSR);
** CID 1192837: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 106443 in sqlite3Insert()
________________________________________________________________________________________________________
*** CID 1192837: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 106443 in sqlite3Insert()
106437 zTab = pTabList->a[0].zName;
106438 if( NEVER(zTab==0) ) goto insert_cleanup;
106439 pTab = sqlite3SrcListLookup(pParse, pTabList);
106440 if( pTab==0 ){
106441 goto insert_cleanup;
106442 }
>>> CID 1192837: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
106443 iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
106444 assert( iDb<db->nDb );
106445 pDb = &db->aDb[iDb];
106446 zDb = pDb->zName;
106447 if( sqlite3AuthCheck(pParse, SQLITE_INSERT, pTab->zName, 0, zDb) ){
106448 goto insert_cleanup;
** CID 1192838: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 107957 in xferOptimization()
________________________________________________________________________________________________________
*** CID 1192838: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 107957 in xferOptimization()
107951 ** least a possibility, though it might only work if the destination
107952 ** table (tab1) is initially empty.
107953 */
107954 #ifdef SQLITE_TEST
107955 sqlite3_xferopt_count++;
107956 #endif
>>> CID 1192838: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDbSrc" = "sqlite3SchemaToIndex".
107957 iDbSrc = sqlite3SchemaToIndex(db, pSrc->pSchema);
107958 v = sqlite3GetVdbe(pParse);
107959 sqlite3CodeVerifySchema(pParse, iDbSrc);
107960 iSrc = pParse->nTab++;
107961 iDest = pParse->nTab++;
107962 regAutoinc = autoIncBegin(pParse, iDbDest, pDest);
** CID 1192839: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 90767 in sqlite3FindInIndex()
________________________________________________________________________________________________________
*** CID 1192839: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 90767 in sqlite3FindInIndex()
90761 assert( p->pSrc!=0 ); /* Because of isCandidateForInOpt(p) */
90762 pTab = p->pSrc->a[0].pTab;
90763 pExpr = p->pEList->a[0].pExpr;
90764 iCol = (i16)pExpr->iColumn;
90765
90766 /* Code an OP_Transaction and OP_TableLock for <table>. */
>>> CID 1192839: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
90767 iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
90768 sqlite3CodeVerifySchema(pParse, iDb);
90769 sqlite3TableLock(pParse, iDb, pTab->tnum, 0, pTab->zName);
90770
90771 /* This function is only called from two places. In both cases the vdbe
90772 ** has already been allocated. So assume sqlite3GetVdbe() is always
** CID 1192840: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 101064 in reindexTable()
________________________________________________________________________________________________________
*** CID 1192840: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 101064 in reindexTable()
101058 #ifndef SQLITE_OMIT_REINDEX
101059 static void reindexTable(Parse *pParse, Table *pTab, char const *zColl){
101060 Index *pIndex; /* An index associated with pTab */
101061
101062 for(pIndex=pTab->pIndex; pIndex; pIndex=pIndex->pNext){
101063 if( zColl==0 || collationMatch(zColl, pIndex) ){
>>> CID 1192840: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
101064 int iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
101065 sqlite3BeginWriteOperation(pParse, 0, iDb);
101066 sqlite3RefillIndex(pParse, pIndex, -1);
101067 }
101068 }
101069 }
** CID 1192841: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 102049 in sqlite3DeleteFrom()
________________________________________________________________________________________________________
*** CID 1192841: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 102049 in sqlite3DeleteFrom()
102043 goto delete_from_cleanup;
102044 }
102045
102046 if( sqlite3IsReadOnly(pParse, pTab, (pTrigger?1:0)) ){
102047 goto delete_from_cleanup;
102048 }
>>> CID 1192841: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
102049 iDb = sqlite3SchemaToIndex(db, pTab->pSchema);
102050 assert( iDb<db->nDb );
102051 zDb = db->aDb[iDb].zName;
102052 rcauth = sqlite3AuthCheck(pParse, SQLITE_DELETE, pTab->zName, 0, zDb);
102053 assert( rcauth==SQLITE_OK || rcauth==SQLITE_DENY || rcauth==SQLITE_IGNORE );
102054 if( rcauth==SQLITE_DENY ){
** CID 1192842: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 95430 in analyzeTable()
________________________________________________________________________________________________________
*** CID 1192842: Integer handling issues (NEGATIVE_RETURNS)
/external/public-domain/sqlite/dist/sqlite3.c: 95430 in analyzeTable()
95424 static void analyzeTable(Parse *pParse, Table *pTab, Index *pOnlyIdx){
95425 int iDb;
95426 int iStatCur;
95427
95428 assert( pTab!=0 );
95429 assert( sqlite3BtreeHoldsAllMutexes(pParse->db) );
>>> CID 1192842: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "iDb" = "sqlite3SchemaToIndex".
95430 iDb = sqlite3SchemaToIndex(pParse->db, pTab->pSchema);
95431 sqlite3BeginWriteOperation(pParse, 0, iDb);
95432 iStatCur = pParse->nTab;
95433 pParse->nTab += 3;
95434 if( pOnlyIdx ){
95435 openStatTable(pParse, iDb, iStatCur, pOnlyIdx->zName, "idx");
** CID 1225452: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 24678 in sqlite3VXPrintf()
________________________________________________________________________________________________________
*** CID 1225452: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/sqlite/dist/sqlite3.c: 24678 in sqlite3VXPrintf()
24672 etByte flag_dp; /* True if decimal point should be shown */
24673 etByte flag_rtz; /* True if trailing zeros should be removed */
24674 #endif
24675 PrintfArguments *pArgList = 0; /* Arguments for SQLITE_PRINTF_SQLFUNC */
24676 char buf[etBUFSIZE]; /* Conversion buffer */
24677
>>> CID 1225452: Null pointer dereferences (FORWARD_NULL)
>>> Assigning: "bufpt" = "NULL".
24678 bufpt = 0;
24679 if( pAccum->printfFlags ){
24680 if( (bArgList = (pAccum->printfFlags & SQLITE_PRINTF_SQLFUNC))!=0 ){
24681 pArgList = va_arg(ap, PrintfArguments*);
24682 }
24683 useIntern = pAccum->printfFlags & SQLITE_PRINTF_INTERNAL;
** CID 1244611: Memory - illegal accesses (REVERSE_NEGATIVE)
/external/public-domain/sqlite/dist/sqlite3.c: 159095 in sqlite3FtsUnicodeFold()
________________________________________________________________________________________________________
*** CID 1244611: Memory - illegal accesses (REVERSE_NEGATIVE)
/external/public-domain/sqlite/dist/sqlite3.c: 159095 in sqlite3FtsUnicodeFold()
159089 }else{
159090 iHi = iTest-1;
159091 }
159092 }
159093 assert( iRes<0 || c>=aEntry[iRes].iCode );
159094
>>> CID 1244611: Memory - illegal accesses (REVERSE_NEGATIVE)
>>> You might be using variable "iRes" before verifying that it is >= 0.
159095 if( iRes>=0 ){
159096 const struct TableEntry *p = &aEntry[iRes];
159097 if( c<(p->iCode + p->nRange) && 0==(0x01 & p->flags & (p->iCode ^ c)) ){
159098 ret = (c + (aiOff[p->flags>>1])) & 0x0000FFFF;
159099 assert( ret>0 );
159100 }
** CID 1250739: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 136367 in setupLookaside()
________________________________________________________________________________________________________
*** CID 1250739: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 136367 in setupLookaside()
136361 if( cnt<0 ) cnt = 0;
136362 if( sz==0 || cnt==0 ){
136363 sz = 0;
136364 pStart = 0;
136365 }else if( pBuf==0 ){
136366 sqlite3BeginBenignMalloc();
>>> CID 1250739: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "sz * cnt" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
136367 pStart = sqlite3Malloc( sz*cnt ); /* IMP: R-61949-35727 */
136368 sqlite3EndBenignMalloc();
136369 if( pStart ) cnt = sqlite3MallocSize(pStart)/sz;
136370 }else{
136371 pStart = pBuf;
136372 }
** CID 1250741: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 100394 in sqlite3ArrayAllocate()
________________________________________________________________________________________________________
*** CID 1250741: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 100394 in sqlite3ArrayAllocate()
100388 int *pIdx /* Write the index of a new slot here */
100389 ){
100390 char *z;
100391 int n = *pnEntry;
100392 if( (n & (n-1))==0 ){
100393 int sz = (n==0) ? 1 : 2*n;
>>> CID 1250741: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "sz * szEntry" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
100394 void *pNew = sqlite3DbRealloc(db, pArray, sz*szEntry);
100395 if( pNew==0 ){
100396 *pIdx = -1;
100397 return pArray;
100398 }
100399 pArray = pNew;
** CID 1250746: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 94960 in statGet()
________________________________________________________________________________________________________
*** CID 1250746: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/external/public-domain/sqlite/dist/sqlite3.c: 94960 in statGet()
94954 **
94955 ** I = (K+D-1)/D
94956 */
94957 char *z;
94958 int i;
94959
>>> CID 1250746: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "(p->nKeyCol + 1) * 25" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
94960 char *zRet = sqlite3MallocZero( (p->nKeyCol+1)*25 );
94961 if( zRet==0 ){
94962 sqlite3_result_error_nomem(context);
94963 return;
94964 }
94965
** CID 1250748: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 75339 in createAggContext()
________________________________________________________________________________________________________
*** CID 1250748: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 75339 in createAggContext()
75333 Mem *pMem = p->pMem;
75334 assert( (pMem->flags & MEM_Agg)==0 );
75335 if( nByte<=0 ){
75336 sqlite3VdbeMemSetNull(pMem);
75337 pMem->z = 0;
75338 }else{
>>> CID 1250748: Error handling issues (CHECKED_RETURN)
>>> Calling "sqlite3VdbeMemClearAndResize" without checking return value (as is done elsewhere 7 out of 8 times).
75339 sqlite3VdbeMemClearAndResize(pMem, nByte);
75340 pMem->flags = MEM_Agg;
75341 pMem->u.pDef = p->pFunc;
75342 if( pMem->z ){
75343 memset(pMem->z, 0, nByte);
75344 }
** CID 1256501: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 110682 in sqlite3Pragma()
________________________________________________________________________________________________________
*** CID 1256501: Error handling issues (CHECKED_RETURN)
/external/public-domain/sqlite/dist/sqlite3.c: 110682 in sqlite3Pragma()
110676 ** Get or set the size limit on rollback journal files.
110677 */
110678 case PragTyp_JOURNAL_SIZE_LIMIT: {
110679 Pager *pPager = sqlite3BtreePager(pDb->pBt);
110680 i64 iLimit = -2;
110681 if( zRight ){
>>> CID 1256501: Error handling issues (CHECKED_RETURN)
>>> Calling "sqlite3DecOrHexToI64" without checking return value (as is done elsewhere 4 out of 5 times).
110682 sqlite3DecOrHexToI64(zRight, &iLimit);
110683 if( iLimit<-1 ) iLimit = -1;
110684 }
110685 iLimit = sqlite3PagerJournalSizeLimit(pPager, iLimit);
110686 returnSingleInt(v, "journal_size_limit", iLimit);
110687 break;
** CID 1270242: Insecure data handling (TAINTED_SCALAR)
/external/public-domain/sqlite/dist/sqlite3.c: 64235 in rebuildPage()
________________________________________________________________________________________________________
*** CID 1270242: Insecure data handling (TAINTED_SCALAR)
/external/public-domain/sqlite/dist/sqlite3.c: 64235 in rebuildPage()
64229 int i;
64230 u8 *pCellptr = pPg->aCellIdx;
64231 u8 *pTmp = sqlite3PagerTempSpace(pPg->pBt->pPager);
64232 u8 *pData;
64233
64234 i = get2byte(&aData[hdr+5]);
>>> CID 1270242: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "usableSize - i" to a tainted sink.
64235 memcpy(&pTmp[i], &aData[i], usableSize - i);
64236
64237 pData = pEnd;
64238 for(i=0; i<nCell; i++){
64239 u8 *pCell = apCell[i];
64240 if( SQLITE_WITHIN(pCell,aData,pEnd) ){
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/netbsd-amd64-user?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782