There are multiple defects in opencryptoki-3.23.0 found by covscan. It could be that some of them are false positives. Thanks!
Error: OVERRUN (CWE-119): diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning: "width" = "2147483647". diffutils-3.10/lib/nstrftime.c:1009:11: alias: Assigning: "bufp" = "buf + 23UL". "bufp" now points to byte 23 of "buf" (which consists of 23 bytes). diffutils-3.10/lib/nstrftime.c:1019:15: ptr_decr: Decrementing "bufp". "bufp" now points to byte 22 of "buf" (which consists of 23 bytes). diffutils-3.10/lib/nstrftime.c:1048:17: decr: Decrementing "width". The value of "width" is now 2147483646. diffutils-3.10/lib/nstrftime.c:1051:13: assignment: Assigning: "_w" = "(pad == 45 || width < 0) ? 0 : width". The value of "_w" is now 2147483646. diffutils-3.10/lib/nstrftime.c:1051:13: cond_at_most: Checking "_n < _w" implies that "_n" may be up to 2147483645 on the true branch. diffutils-3.10/lib/nstrftime.c:1051:13: overrun-buffer-arg: Overrunning buffer pointed to by "(void const *)bufp" of 23 bytes by passing it to a function which accesses it at byte offset 2147483666 using argument "_n" (which evaluates to 2147483645). [Note: The source code implementation of the function has been overridden by a builtin model.] # 1049| } # 1050| # 1051|-> cpy (numlen, bufp); # 1052| } # 1053| break;" Error: UNINIT (CWE-457): diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable "tm_1" without initializer. diffutils-3.10/lib/time_rz.c:310:15: uninit_use: Using uninitialized value "tm_1". Field "tm_1.tm_gmtoff" is uninitialized. # 308| if (revert_tz (old_tz) && ok) # 309| { # 310|-> *tm = tm_1; # 311| return t; # 312| }" Error: RESOURCE_LEAK (CWE-772): diffutils-3.10/lib/stdopen.c:51:11: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] diffutils-3.10/lib/stdopen.c:51:11: var_assign: Assigning: "full_fd" = handle returned from "open("/dev/full", mode)".
diffutils-3.10/lib/stdopen.c:52:11: var_assign: Assigning: "new_fd" = "full_fd". diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable "new_fd" going out of scope leaks the handle. diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable "full_fd" going out of scope leaks the handle. # 60| return 0; # 61| } # 62|-> } # 63| } # 64|" Error: INTEGER_OVERFLOW (CWE-190): diffutils-3.10/lib/stackvma.c:198:23: tainted_data_return: Called function "read(fd, rof->buffer + rof->filled, size - rof->filled)", and a possible return value may be less than zero. diffutils-3.10/lib/stackvma.c:198:23: cast_overflow: An assign that casts to a different type, which might trigger an overflow. diffutils-3.10/lib/stackvma.c:213:23: overflow: The expression "rof->filled" is considered to have possibly overflowed. diffutils-3.10/lib/stackvma.c:198:23: overflow: The expression "size - rof->filled" is deemed overflowed because at least one of its arguments has overflowed. diffutils-3.10/lib/stackvma.c:198:23: overflow_sink: "size - rof->filled", which might have underflowed, is passed to "read(fd, rof->buffer + rof->filled, size - rof->filled)". [Note: The source code implementation of the function has been overridden by a builtin model.] # 196| for (;;) # 197| { # 198|-> n = read (fd, rof->buffer + rof->filled, size - rof->filled); # 199| if (n < 0 && errno == EINTR) # 200| goto retry;" Error: UNINIT (CWE-457): diffutils-3.10/src/sdiff.c:867:7: var_decl: Declaring variable "cmd1" without initializer. diffutils-3.10/src/sdiff.c:964:13: uninit_use: Using uninitialized value "cmd1". # 962| perror_fatal (tmpname); # 963| # 964|-> switch (cmd1) # 965| { # 966| case 'd':" Error: UNINIT (CWE-457): diffutils-3.10/lib/sigsegv.c:1460:5: var_decl: Declaring variable "ss" without initializer. diffutils-3.10/lib/sigsegv.c:1462:5: uninit_use_in_call: Using uninitialized value "ss". Field "ss.ss_sp" is uninitialized when calling "sigaltstack".
# 1460| stack_t ss; # 1461| ss.ss_flags = SS_DISABLE; # 1462|-> if (sigaltstack (&ss, (stack_t *) 0) < 0) # 1463| perror ("gnulib sigsegv (stackoverflow_deinstall_handler)"); # 1464| }" Error: OVERRUN (CWE-119): diffutils-3.10/src/diff.c:426:6: strlen_assign: Setting variable "alloc" to the return value of strlen called with argument "optarg". diffutils-3.10/src/diff.c:432:6: alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.] # 430| &alloc)) # 431| xalloc_die (); # 432|-> char *b = xmalloc (alloc); # 433| char *base = b; # 434| int changes = 0;" Error: RESOURCE_LEAK (CWE-772): diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from allocation function "create_diff3_block". diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: "result" = storage returned from "create_diff3_block(low[0], high[0], low[1], high[1], lowc, highc)". diffutils-3.10/src/diff3.c:801:11: leaked_storage: Variable "result" going out of scope leaks the storage it points to. # 799| D_LENARRAY (result, FILEC) + result_offset, # 800| D_NUMLINES (ptr, FC))) # 801|-> return 0; # 802| } # 803|" Error: RESOURCE_LEAK (CWE-772): diffutils-3.10/src/util.c:687:3: alloc_fn: Storage is returned from allocation function "xstrdup". diffutils-3.10/src/util.c:687:3: var_assign: Assigning: "color_buf" = storage returned from "xstrdup(p)". diffutils-3.10/src/util.c:687:3: var_assign: Assigning: "buf" = "color_buf". diffutils-3.10/src/util.c:795:1: leaked_storage: Variable "buf" going out of scope leaks the storage it points to. diffutils-3.10/src/util.c:795:1: leaked_storage: Variable "color_buf" going out of scope leaks the storage it points to. # 793| colors_enabled = false; # 794| } # 795|-> } # 796| # 797| static void" Error: UNINIT (CWE-457): diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable "tm_1" without initializer.
diffutils-3.10/lib/time_rz.c:306:11: uninit_use_in_call: Using uninitialized value "tm_1.tm_zone" when calling "save_abbr". # 304| bool ok = 0 <= tm_1.tm_yday; # 305| #if HAVE_STRUCT_TM_TM_ZONE || HAVE_TZNAME # 306|-> ok = ok && save_abbr (tz, &tm_1); # 307| #endif # 308| if (revert_tz (old_tz) && ok)" Error: BAD_FREE (CWE-763): diffutils-3.10/src/analyze.c:692:11: offset_free: "free" frees address offset from "cmp->file[f].linbuf". # 690| { # 691| free (cmp->file[f].equivs); # 692|-> free (cmp->file[f].linbuf + cmp->file[f].linbuf_base); # 693| } # 694|" Error: OVERRUN (CWE-119): diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning: "width" = "2147483647". diffutils-3.10/lib/nstrftime.c:885:15: assignment: Assigning: "_w" = "(pad == 45 || width < 0) ? 0 : width". The value of "_w" is now 2147483647. diffutils-3.10/lib/nstrftime.c:885:15: cond_between: Checking "_n < _w" implies that "_n" is between 0 and 2147483646 (inclusive) on the true branch. diffutils-3.10/lib/nstrftime.c:885:15: overrun-buffer-arg: Overrunning buffer pointed to by "(void const *)(ubuf + 1)" of 1024 bytes by passing it to a function which accesses it at byte offset 2147483646 using argument "_n" (which evaluates to 2147483646). [Note: The source code implementation of the function has been overridden by a builtin model.] # 883| len = strftime (ubuf, sizeof ubuf, ufmt, tp); # 884| if (len != 0) # 885|-> cpy (len - 1, ubuf + 1); # 886| } # 887| break;" Error: BAD_ALLOC_ARITHMETIC (CWE-131): diffutils-3.10/src/ifdef.c:364:28: bad_alloc_arithmetic: Adding an offset to the result of a call to "__builtin_alloca" might indicate an under-allocation. diffutils-3.10/src/ifdef.c:364:28: remediation: Did you intend for the size argument to be "spec_prefix_len + pI_len + 2UL + 32UL - 1UL + 31UL"?
# 362| size_t spec_prefix_len = f - spec - 2; # 363| size_t pI_len = sizeof pI - 1; # 364|-> char *format = xmalloca (spec_prefix_len + pI_len + 2); # 365| char *p = mempcpy (format, spec, spec_prefix_len); # 366| p = stpcpy (p, pI);" Error: UNINIT (CWE-457): diffutils-3.10/lib/diffseq.h:388:11: var_decl: Declaring variable "bxbest" without initializer. diffutils-3.10/lib/diffseq.h:436:15: uninit_use: Using uninitialized value "bxbest". # 434| else # 435| { # 436|-> part->xmid = bxbest; # 437| part->ymid = bxybest - bxbest; # 438| part->lo_minimal = false;" Error: UNINIT (CWE-457): diffutils-3.10/lib/diffseq.h:386:11: var_decl: Declaring variable "fxbest" without initializer. diffutils-3.10/lib/diffseq.h:429:15: uninit_use: Using uninitialized value "fxbest". # 427| if ((xlim + ylim) - bxybest < fxybest - (xoff + yoff)) # 428| { # 429|-> part->xmid = fxbest; # 430| part->ymid = fxybest - fxbest; # 431| part->lo_minimal = true;" Error: RESOURCE_LEAK (CWE-772): diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from allocation function "create_diff3_block". diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: "result" = storage returned from "create_diff3_block(low[0], high[0], low[1], high[1], lowc, highc)". diffutils-3.10/src/diff3.c:830:13: leaked_storage: Variable "result" going out of scope leaks the storage it points to. # 828| D_LENARRAY (result, FILE0 + d) + result_offset, # 829| D_NUMLINES (ptr, FO))) # 830|-> return 0; # 831| # 832| /* Catch the lines between here and the next diff */"