Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
32 new defect(s) introduced to coreboot found with Coverity Scan.
11 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 32 defect(s)
** CID 1663898: Resource leaks (RESOURCE_LEAK)
/src/commonlib/device_tree.c: 1092 in _dt_find_node()
_____________________________________________________________________________________________
*** CID 1663898: Resource leaks (RESOURCE_LEAK)
/src/commonlib/device_tree.c: 1092 in _dt_find_node()
1086 if (!create)
1087 return NULL;
1088
1089 found = alloc_node();
1090 found->name = strdup(*path);
1091 if (!found->name)
>>> CID 1663898: Resource leaks (RESOURCE_LEAK)
>>> Variable "found" going out of scope leaks the storage it points to.
1092 return NULL;
1093
1094 list_insert_after(&found->list_node, &parent->children);
1095 }
1096
1097 return _dt_find_node(found, path + 1, addrcp, sizecp, create);
** CID 1663896: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 746 in xhci_bulk_timeout()
_____________________________________________________________________________________________
*** CID 1663896: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 746 in xhci_bulk_timeout()
740 int timeout_us)
741 {
742 u8 *data = src;
743 xhci_t *const xhci = XHCI_INST(ep->dev->controller);
744 const int slot_id = ep->dev->address;
745 const int ep_id = xhci_ep_id(ep);
>>> CID 1663896: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "xhci->dev[slot_id].ctx.ep" of 32 8-byte elements at
>>> element index 255 (byte offset 2047) using index "ep_id" (which evaluates
>>> to 255).
746 epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
747 transfer_ring_t *const tr =
xhci->dev[slot_id].transfer_rings[ep_id];
748
749 const size_t off = (size_t)data & 0xffff;
750 if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) {
751 xhci_debug("Unsupported transfer size\n");
** CID 1663895: Resource leaks (RESOURCE_LEAK)
/util/inteltool/memory.c: 131 in print_mchbar()
_____________________________________________________________________________________________
*** CID 1663895: Resource leaks (RESOURCE_LEAK)
/util/inteltool/memory.c: 131 in print_mchbar()
125 pci_write_long(nb_device6, 0x04, pcicmd6 | (1
<< 1));
126 if (pci_read_long(nb_device6, 0x04) & (1 << 1))
{
127 printf("Enabled successfully.\n");
128 }
129 else {
130 printf("Enable FAILED!\n");
>>> CID 1663895: Resource leaks (RESOURCE_LEAK)
>>> Variable "nb_device6" going out of scope leaks the storage it points to.
131 return 1;
132 }
133 }
134 mchbar_phys &= 0xfffff000; /* Bits 31:12 from BAR6 */
135 break;
136 case PCI_DEVICE_ID_INTEL_82915:
** CID 1663894: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 631 in
ohci_bulk_finalize_timeout()
/payloads/libpayload/drivers/usb/ohci.c: 546 in
ohci_bulk_finalize_timeout()
_____________________________________________________________________________________________
*** CID 1663894: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 631 in
ohci_bulk_finalize_timeout()
625 if (result >= 0) {
626 result = dalen - result;
627 if (ep->direction == IN && data != src)
628 memcpy(src, data, result);
629 }
630
>>> CID 1663894: (INTEGER_OVERFLOW)
>>> "result", which might have overflowed, is returned from the function.
631 return result;
632 }
633
634 static int
635 ohci_bulk_timeout(endpoint_t *ep, int dalen, u8 *src, int timeout_us)
636 {
/payloads/libpayload/drivers/usb/ohci.c: 546 in
ohci_bulk_finalize_timeout()
540 memset((void *)first_td, 0, sizeof(*first_td));
541 cur = next = first_td;
542
543 for (i = 0; i < td_count; ++i) {
544 /* Advance to next TD. */
545 cur = next;
>>> CID 1663894: (INTEGER_OVERFLOW)
>>> Expression "cur->config", where "((ep->direction == IN) ? 1048576 :
>>> 524288) | 0xe00000 | 0 | 0xffffffffe0000000" is known to be equal to
>>> -521666560, overflows the type of "cur->config", which is type "u32
>>> volatile".
546 cur->config = (ep->direction == IN ? TD_DIRECTION_IN :
TD_DIRECTION_OUT) |
547 TD_DELAY_INTERRUPT_NOINTR |
548 TD_TOGGLE_FROM_ED |
549 TD_CC_NOACCESS;
550 cur->current_buffer_pointer = virt_to_phys(data);
551 pages--;
** CID 1663892: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 747 in xhci_bulk_timeout()
_____________________________________________________________________________________________
*** CID 1663892: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 747 in xhci_bulk_timeout()
741 {
742 u8 *data = src;
743 xhci_t *const xhci = XHCI_INST(ep->dev->controller);
744 const int slot_id = ep->dev->address;
745 const int ep_id = xhci_ep_id(ep);
746 epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
>>> CID 1663892: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "xhci->dev[slot_id].transfer_rings" of 32 8-byte
>>> elements at element index 255 (byte offset 2047) using index "ep_id" (which
>>> evaluates to 255).
747 transfer_ring_t *const tr =
xhci->dev[slot_id].transfer_rings[ep_id];
748
749 const size_t off = (size_t)data & 0xffff;
750 if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) {
751 xhci_debug("Unsupported transfer size\n");
752 return -1;
** CID 1663890: Resource leaks (RESOURCE_LEAK)
/util/amdfwtool/handle_file.c: 115 in write_blob()
_____________________________________________________________________________________________
*** CID 1663890: Resource leaks (RESOURCE_LEAK)
/util/amdfwtool/handle_file.c: 115 in write_blob()
109 return -1;
110 }
111
112 bytes = write_from_buf_to_file(fd, body_offset, body_size);
113 if (bytes != body_size) {
114 fprintf(stderr, "Error: Writing to file %s failed\n",
body_tmp_name);
>>> CID 1663890: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
115 return -1;
116 }
117 close(fd);
118
119 /* Rename the tmp file */
120 ret = snprintf(body_name, sizeof(body_name), "%s%s", output,
suffix);
** CID 1663889: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/acpi/acpi.c: 1159 in acpi_create_bdat()
_____________________________________________________________________________________________
*** CID 1663889: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/acpi/acpi.c: 1159 in acpi_create_bdat()
1153 return;
1154
1155 if (acpi_fill_header(header, "BDAT", BDAT, sizeof(acpi_bdat_t))
!= CB_SUCCESS)
1156 return;
1157
1158 bdat->bdat_gas.addrl = (uintptr_t)region & 0xffffffff;
>>> CID 1663889: Integer handling issues
>>> (CONSTANT_EXPRESSION_RESULT)
>>> "(uint64_t)(uintptr_t)region >> 32" is 0 regardless of the values of
>>> its operands. This occurs as the operand of assignment.
1159 bdat->bdat_gas.addrh = ((uint64_t)(uintptr_t)region) >> 32;
1160 }
1161
1162 __weak void arch_fill_fadt(acpi_fadt_t *fadt) { }
1163 __weak void soc_fill_fadt(acpi_fadt_t *fadt) { }
1164 __weak void mainboard_fill_fadt(acpi_fadt_t *fadt) { }
** CID 1663887: Security best practices violations (TOCTOU)
/util/cbfstool/common.c: 51 in buffer_from_file_aligned_size()
_____________________________________________________________________________________________
*** CID 1663887: Security best practices violations (TOCTOU)
/util/cbfstool/common.c: 51 in buffer_from_file_aligned_size()
45
46 int buffer_from_file_aligned_size(struct buffer *buffer, const char
*filename,
47 size_t size_granularity)
48 {
49 struct stat st;
50
>>> CID 1663887: Security best practices violations (TOCTOU)
>>> Calling function "stat" to perform check on "filename".
51 if (stat(filename, &st) == -1) {
52 perror(filename);
53 return -1;
54 }
55
56 if (!S_ISREG(st.st_mode)) {
** CID 1663886: Resource leaks (RESOURCE_LEAK)
/util/amdfwtool/data_parse.c: 597 in process_config()
_____________________________________________________________________________________________
*** CID 1663886: Resource leaks (RESOURCE_LEAK)
/util/amdfwtool/data_parse.c: 597 in process_config()
591 if (strcmp(&(oneline[match[FW_TYPE].rm_so]),
FW_LOCATION) == 0) {
592 dir_len = match[FW_FILE].rm_eo -
match[FW_FILE].rm_so;
593 assert(dir_len < MAX_LINE_SIZE);
594 snprintf(dir, MAX_LINE_SIZE, "%.*s",
dir_len,
595
&(oneline[match[FW_FILE].rm_so]));
596 } else if
(strcmp(&(oneline[match[FW_TYPE].rm_so]), SOC_NAME) == 0) {
>>> CID 1663886: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "platform_name" in "platform_name =
>>> strdup(&oneline[match[FW_FILE].rm_so])" leaks the storage that
>>> "platform_name" points to.
597 platform_name =
strdup(&(oneline[match[FW_FILE].rm_so]));
598 cb_config->soc_id =
platform_identify(platform_name);
599 }
600 }
601 }
602
** CID 1663885: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 406 in ehci_bulk_timeout()
/payloads/libpayload/drivers/usb/ehci.c: 419 in ehci_bulk_timeout()
_____________________________________________________________________________________________
*** CID 1663885: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 406 in ehci_bulk_timeout()
400 (endp << QH_EP_SHIFT) |
401 (ep->dev->speed << QH_EPS_SHIFT) |
402 (0 << QH_DTC_SHIFT) |
403 (1 << QH_RECLAIM_HEAD_SHIFT) |
404 (ep->maxpacketsize << QH_MPS_SHIFT) |
405 (0 << QH_NAK_CNT_SHIFT);
>>> CID 1663885: (INTEGER_OVERFLOW)
>>> Expression "qh->epcaps", where "0xffffffffc0000000 | (hubport << 23) |
>>> (hubaddr << 16)" is known to be equal to -1073741824, overflows the type of
>>> "qh->epcaps", which is type "u32 volatile".
406 qh->epcaps = (3 << QH_PIPE_MULTIPLIER_SHIFT) |
407 (hubport << QH_PORT_NUMBER_SHIFT) |
408 (hubaddr << QH_HUB_ADDRESS_SHIFT);
409
410 qh->td.next_qtd = virt_to_phys(head);
411 qh->td.token |= (ep->toggle?QTD_TOGGLE_DATA1:0);
/payloads/libpayload/drivers/usb/ehci.c: 419 in ehci_bulk_timeout()
413
414 result = ehci_process_async_schedule(
415 EHCI_INST(ep->dev->controller), qh, head,
timeout_us);
416 if (result >= 0) {
417 result = size - result;
418 if (pid == EHCI_IN && end != src + size)
>>> CID 1663885: (INTEGER_OVERFLOW)
>>> "result", which might be negative, is passed to "memcpy(src, end -
>>> size, result)". [Note: The source code implementation of the function has
>>> been overridden by a builtin model.]
419 memcpy(src, end - size, result);
420 }
421
422 ep->toggle = (cur->token & QTD_TOGGLE_MASK) >> QTD_TOGGLE_SHIFT;
423
424 free_qh_and_tds(qh, head);
** CID 1663884: Memory - illegal accesses (USE_AFTER_FREE)
/util/amdfwtool/amdfwread.c: 230 in read_soft_fuse()
_____________________________________________________________________________________________
*** CID 1663884: Memory - illegal accesses (USE_AFTER_FREE)
/util/amdfwtool/amdfwread.c: 230 in read_soft_fuse()
224 while (1) {
225 uint32_t l2_dir_offset = 0;
226 uint32_t ish_dir_offset;
227 ish_directory_table ish_dir;
228
229 for (size_t i = 0; i < num_current_entries; i++) {
>>> CID 1663884: Memory - illegal accesses (USE_AFTER_FREE)
>>> Using freed pointer "current_entries".
230 uint32_t type = current_entries[i].type;
231 uint64_t mode = current_entries[i].address_mode;
232 uint64_t addr = current_entries[i].addr;
233 uint64_t fuse;
234
235 switch (type) {
** CID 1663883: (RESOURCE_LEAK)
/util/inteltool/spi.c: 399 in get_espibar_phys()
/util/inteltool/spi.c: 396 in get_espibar_phys()
_____________________________________________________________________________________________
*** CID 1663883: (RESOURCE_LEAK)
/util/inteltool/spi.c: 399 in get_espibar_phys()
393 *addr = pci_read_long(spidev, offset) & mask;
394 if (!*addr) {
395 fprintf(stderr, "Error: no valid bar 0 of device
0:31.%x found %x\n", func, *addr);
396 return 1;
397 }
398
>>> CID 1663883: (RESOURCE_LEAK)
>>> Variable "spidev" going out of scope leaks the storage it points to.
399 return 0;
400 }
401
402 static int print_spibar(struct pci_dev *sb, struct pci_access *pacc) {
403 int i, size = 0, rcba_size = 0x4000;
404 volatile uint8_t *rcba;
/util/inteltool/spi.c: 396 in get_espibar_phys()
390 return 1;
391 }
392
393 *addr = pci_read_long(spidev, offset) & mask;
394 if (!*addr) {
395 fprintf(stderr, "Error: no valid bar 0 of device
0:31.%x found %x\n", func, *addr);
>>> CID 1663883: (RESOURCE_LEAK)
>>> Variable "spidev" going out of scope leaks the storage it points to.
396 return 1;
397 }
398
399 return 0;
400 }
401
** CID 1663882: Control flow issues (UNREACHABLE)
/src/commonlib/bsd/zstd/compress/zstd_preSplit.c: 187 in
ZSTD_splitBlock_byChunks()
_____________________________________________________________________________________________
*** CID 1663882: Control flow issues (UNREACHABLE)
/src/commonlib/bsd/zstd/compress/zstd_preSplit.c: 187 in
ZSTD_splitBlock_byChunks()
181 mergeEvents(&fpstats->pastEvents, &fpstats->newEvents);
182 if (penalty > 0) penalty--;
183 }
184 }
185 assert(pos == blockSize);
186 return blockSize;
>>> CID 1663882: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "(void)flushEvents;".
187 (void)flushEvents; (void)removeEvents;
188 }
189
190 /* ZSTD_splitBlock_fromBorders(): very fast strategy :
191 * compare fingerprint from beginning and end of the block,
192 * derive from their difference if it's preferable to split in the
middle,
** CID 1619923: Memory - illegal accesses (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 347 in
ZSTD_getMatchPrice()
_____________________________________________________________________________________________
*** CID 1619923: Memory - illegal accesses (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 347 in
ZSTD_getMatchPrice()
341 price = (offCode * BITCOST_MULTIPLIER) +
(optPtr->offCodeSumBasePrice - WEIGHT(optPtr->offCodeFreq[offCode], optLevel));
342 if ((optLevel<2) /*static*/ && offCode >= 20)
343 price += (offCode-19)*2 * BITCOST_MULTIPLIER; /* handicap for
long distance offsets, favor decompression speed */
344
345 /* match Length */
346 { U32 const mlCode = ZSTD_MLcode(mlBase);
>>> CID 1619923: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "ML_bits" of 53 bytes at byte offset 67 using index
>>> "mlCode" (which evaluates to 67).
347 price += (ML_bits[mlCode] * BITCOST_MULTIPLIER) +
(optPtr->matchLengthSumBasePrice - WEIGHT(optPtr->matchLengthFreq[mlCode],
optLevel));
348 }
349
350 price += BITCOST_MULTIPLIER / 5; /* heuristic : make matches a
bit more costly to favor less sequences -> faster decompression speed */
351
352 DEBUGLOG(8, "ZSTD_getMatchPrice(ml:%u) = %u", matchLength, price);
** CID 1619840: (TAINTED_SCALAR)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1231 in
ZSTD_RowFindBestMatch()
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1302 in
ZSTD_RowFindBestMatch()
_____________________________________________________________________________________________
*** CID 1619840: (TAINTED_SCALAR)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1231 in
ZSTD_RowFindBestMatch()
1225 U32 matchBuffer[ZSTD_ROW_HASH_MAX_ENTRIES];
1226 size_t numMatches = 0;
1227 size_t currMatch = 0;
1228 ZSTD_VecMask matches = ZSTD_row_getMatchMask(tagRow,
(BYTE)tag, headGrouped, rowEntries);
1229
1230 /* Cycle through the matches and prefetch */
>>> CID 1619840: (TAINTED_SCALAR)
>>> Using tainted variable "matches" as a loop boundary.
1231 for (; (matches > 0) && (nbAttempts > 0); matches &= (matches
- 1)) {
1232 U32 const matchPos = ((headGrouped +
ZSTD_VecMask_next(matches)) / groupWidth) & rowMask;
1233 U32 const matchIndex = row[matchPos];
1234 if(matchPos == 0) continue;
1235 assert(numMatches < rowEntries);
1236 if (matchIndex < lowLimit)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1302 in
ZSTD_RowFindBestMatch()
1296 { U32 const headGrouped = (*dmsTagRow & rowMask) *
groupWidth;
1297 U32 matchBuffer[ZSTD_ROW_HASH_MAX_ENTRIES];
1298 size_t numMatches = 0;
1299 size_t currMatch = 0;
1300 ZSTD_VecMask matches = ZSTD_row_getMatchMask(dmsTagRow,
(BYTE)dmsTag, headGrouped, rowEntries);
1301
>>> CID 1619840: (TAINTED_SCALAR)
>>> Using tainted variable "matches" as a loop boundary.
1302 for (; (matches > 0) && (nbAttempts > 0); matches &=
(matches - 1)) {
1303 U32 const matchPos = ((headGrouped +
ZSTD_VecMask_next(matches)) / groupWidth) & rowMask;
1304 U32 const matchIndex = dmsRow[matchPos];
1305 if(matchPos == 0) continue;
1306 if (matchIndex < dmsLowestIndex)
1307 break;
** CID 1619817: Memory - illegal accesses (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 313 in
ZSTD_litLengthPrice()
_____________________________________________________________________________________________
*** CID 1619817: Memory - illegal accesses (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 313 in
ZSTD_litLengthPrice()
307 */
308 if (litLength == ZSTD_BLOCKSIZE_MAX)
309 return BITCOST_MULTIPLIER +
ZSTD_litLengthPrice(ZSTD_BLOCKSIZE_MAX - 1, optPtr, optLevel);
310
311 /* dynamic statistics */
312 { U32 const llCode = ZSTD_LLcode(litLength);
>>> CID 1619817: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "LL_bits" of 36 bytes at byte offset 50 using index
>>> "llCode" (which evaluates to 50).
313 return (LL_bits[llCode] * BITCOST_MULTIPLIER)
314 + optPtr->litLengthSumBasePrice
315 - WEIGHT(optPtr->litLengthFreq[llCode], optLevel);
316 }
317 }
318
** CID 1619779: (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1249 in
HUF_readDTableX2_wksp()
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1213 in
HUF_readDTableX2_wksp()
_____________________________________________________________________________________________
*** CID 1619779: (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1249 in
HUF_readDTableX2_wksp()
1243 nextRankVal += wksp->rankStats[w] << (w+rescale);
1244 rankVal0[w] = curr;
1245 } }
1246 { U32 const minBits = tableLog+1 - maxW;
1247 U32 consumed;
1248 for (consumed = minBits; consumed < maxTableLog - minBits
+ 1; consumed++) {
>>> CID 1619779: (INTEGER_OVERFLOW)
>>> "consumed", which might have underflowed, is passed to
>>> "wksp->rankVal[consumed]".
1249 U32* const rankValPtr = wksp->rankVal[consumed];
1250 U32 w;
1251 for (w = 1; w < maxW+1; w++) {
1252 rankValPtr[w] = rankVal0[w] >> consumed;
1253 } } } }
1254
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1213 in
HUF_readDTableX2_wksp()
1207
1208 /* check result */
1209 if (tableLog > maxTableLog) return ERROR(tableLog_tooLarge); /*
DTable can't fit code depth */
1210 if (tableLog <= HUF_DECODER_FAST_TABLELOG && maxTableLog >
HUF_DECODER_FAST_TABLELOG) maxTableLog = HUF_DECODER_FAST_TABLELOG;
1211
1212 /* find maxWeight */
>>> CID 1619779: (INTEGER_OVERFLOW)
>>> "maxW", which might have underflowed, is passed to
>>> "wksp->rankStats[maxW]".
1213 for (maxW = tableLog; wksp->rankStats[maxW]==0; maxW--) {} /*
necessarily finds a solution before 0 */
1214
1215 /* Get start index of each weight */
1216 { U32 w, nextRankStart = 0;
1217 for (w=1; w<maxW+1; w++) {
1218 U32 curr = nextRankStart;
** CID 1557246: Insecure data handling (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress.c: 3987 in
ZSTD_compressSeqStore_singleBlock()
_____________________________________________________________________________________________
*** CID 1557246: Insecure data handling (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress.c: 3987 in
ZSTD_compressSeqStore_singleBlock()
3981 DEBUGLOG(5, "Writing out compressed block, size: %zu", cSize);
3982 }
3983
3984 if (zc->blockState.prevCBlock->entropy.fse.offcode_repeatMode ==
FSE_repeat_valid)
3985 zc->blockState.prevCBlock->entropy.fse.offcode_repeatMode =
FSE_repeat_check;
3986
>>> CID 1557246: Insecure data handling (INTEGER_OVERFLOW)
>>> "cSize", which might have overflowed, is returned from the function.
3987 return cSize;
3988 }
3989
3990 /* Struct to keep track of where we are in our recursive calls. */
3991 typedef struct {
3992 U32* splitLocations; /* Array of split indices */
** CID 1555298: Integer handling issues (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress_sequences.c: 211 in
ZSTD_selectEncodingType()
_____________________________________________________________________________________________
*** CID 1555298: Integer handling issues (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress_sequences.c: 211 in
ZSTD_selectEncodingType()
205 }
206 }
207 } else {
208 size_t const basicCost = isDefaultAllowed ?
ZSTD_crossEntropyCost(defaultNorm, defaultNormLog, count, max) : ERROR(GENERIC);
209 size_t const repeatCost = *repeatMode != FSE_repeat_none ?
ZSTD_fseBitCost(prevCTable, count, max) : ERROR(GENERIC);
210 size_t const NCountCost = ZSTD_NCountCost(count, max, nbSeq,
FSELog);
>>> CID 1555298: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "NCountCost << 3", where "NCountCost" is known to be equal
>>> to 18446744073709551615, overflows the type of "NCountCost << 3", which is
>>> type "size_t".
211 size_t const compressedCost = (NCountCost << 3) +
ZSTD_entropyCost(count, max, nbSeq);
212
213 if (isDefaultAllowed) {
214 assert(!ZSTD_isError(basicCost));
215 assert(!(*repeatMode == FSE_repeat_valid &&
ZSTD_isError(repeatCost)));
216 }
** CID 1552754: Memory - corruptions (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/huf_compress.c: 336 in
HUF_readCTable()
_____________________________________________________________________________________________
*** CID 1552754: Memory - corruptions (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/huf_compress.c: 336 in
HUF_readCTable()
330 U16 valPerRank[HUF_TABLELOG_MAX+2] = {0};
331 { U32 n; for (n=0; n<nbSymbols; n++)
nbPerRank[HUF_getNbBits(ct[n])]++; }
332 /* determine stating value per rank */
333 valPerRank[tableLog+1] = 0; /* for w==0 */
334 { U16 min = 0;
335 U32 n; for (n=tableLog; n>0; n--) { /* start at n=tablelog
<-> w=1 */
>>> CID 1552754: Memory - corruptions (INTEGER_OVERFLOW)
>>> "n", which might have underflowed, is passed to "valPerRank[n]".
336 valPerRank[n] = min; /* get starting value within
each rank */
337 min += nbPerRank[n];
338 min >>= 1;
339 } }
340 /* assign value within rank, symbol order */
341 { U32 n; for (n=0; n<nbSymbols; n++) HUF_setValue(ct + n,
valPerRank[HUF_getNbBits(ct[n])]++); }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/coreboot?tab=overview
_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]