Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

32 new defect(s) introduced to coreboot found with Coverity Scan.
11 defect(s), reported by Coverity Scan earlier, were marked fixed in the 
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 32 defect(s)


** CID 1663898:       Resource leaks  (RESOURCE_LEAK)
/src/commonlib/device_tree.c: 1092           in _dt_find_node()


_____________________________________________________________________________________________
*** CID 1663898:         Resource leaks  (RESOURCE_LEAK)
/src/commonlib/device_tree.c: 1092             in _dt_find_node()
1086                    if (!create)
1087                            return NULL;
1088     
1089                    found = alloc_node();
1090                    found->name = strdup(*path);
1091                    if (!found->name)
>>>     CID 1663898:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "found" going out of scope leaks the storage it points to.
1092                            return NULL;
1093     
1094                    list_insert_after(&found->list_node, &parent->children);
1095            }
1096     
1097            return _dt_find_node(found, path + 1, addrcp, sizecp, create);

** CID 1663896:       Memory - illegal accesses  (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 746           in xhci_bulk_timeout()


_____________________________________________________________________________________________
*** CID 1663896:         Memory - illegal accesses  (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 746             in xhci_bulk_timeout()
740                       int timeout_us)
741     {
742             u8 *data = src;
743             xhci_t *const xhci = XHCI_INST(ep->dev->controller);
744             const int slot_id = ep->dev->address;
745             const int ep_id = xhci_ep_id(ep);
>>>     CID 1663896:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "xhci->dev[slot_id].ctx.ep" of 32 8-byte elements at 
>>> element index 255 (byte offset 2047) using index "ep_id" (which evaluates 
>>> to 255).
746             epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
747             transfer_ring_t *const tr = 
xhci->dev[slot_id].transfer_rings[ep_id];
748     
749             const size_t off = (size_t)data & 0xffff;
750             if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) {
751                     xhci_debug("Unsupported transfer size\n");

** CID 1663895:       Resource leaks  (RESOURCE_LEAK)
/util/inteltool/memory.c: 131           in print_mchbar()


_____________________________________________________________________________________________
*** CID 1663895:         Resource leaks  (RESOURCE_LEAK)
/util/inteltool/memory.c: 131             in print_mchbar()
125                             pci_write_long(nb_device6, 0x04, pcicmd6 | (1 
<< 1));
126                             if (pci_read_long(nb_device6, 0x04) & (1 << 1)) 
{
127                                     printf("Enabled successfully.\n");
128                             }
129                             else {
130                                     printf("Enable FAILED!\n");
>>>     CID 1663895:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "nb_device6" going out of scope leaks the storage it points to.
131                                     return 1;
132                             }
133                     }
134                     mchbar_phys &= 0xfffff000; /* Bits 31:12 from BAR6 */
135                     break;
136             case PCI_DEVICE_ID_INTEL_82915:

** CID 1663894:         (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 631           in 
ohci_bulk_finalize_timeout()
/payloads/libpayload/drivers/usb/ohci.c: 546           in 
ohci_bulk_finalize_timeout()


_____________________________________________________________________________________________
*** CID 1663894:           (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 631             in 
ohci_bulk_finalize_timeout()
625             if (result >= 0) {
626                     result = dalen - result;
627                     if (ep->direction == IN && data != src)
628                             memcpy(src, data, result);
629             }
630     
>>>     CID 1663894:           (INTEGER_OVERFLOW)
>>>     "result", which might have overflowed, is returned from the function.
631             return result;
632     }
633     
634     static int
635     ohci_bulk_timeout(endpoint_t *ep, int dalen, u8 *src, int timeout_us)
636     {
/payloads/libpayload/drivers/usb/ohci.c: 546             in 
ohci_bulk_finalize_timeout()
540             memset((void *)first_td, 0, sizeof(*first_td));
541             cur = next = first_td;
542     
543             for (i = 0; i < td_count; ++i) {
544                     /* Advance to next TD. */
545                     cur = next;
>>>     CID 1663894:           (INTEGER_OVERFLOW)
>>>     Expression "cur->config", where "((ep->direction == IN) ? 1048576 : 
>>> 524288) | 0xe00000 | 0 | 0xffffffffe0000000" is known to be equal to 
>>> -521666560, overflows the type of "cur->config", which is type "u32 
>>> volatile".
546                     cur->config = (ep->direction == IN ? TD_DIRECTION_IN : 
TD_DIRECTION_OUT) |
547                             TD_DELAY_INTERRUPT_NOINTR |
548                             TD_TOGGLE_FROM_ED |
549                             TD_CC_NOACCESS;
550                     cur->current_buffer_pointer = virt_to_phys(data);
551                     pages--;

** CID 1663892:       Memory - illegal accesses  (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 747           in xhci_bulk_timeout()


_____________________________________________________________________________________________
*** CID 1663892:         Memory - illegal accesses  (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 747             in xhci_bulk_timeout()
741     {
742             u8 *data = src;
743             xhci_t *const xhci = XHCI_INST(ep->dev->controller);
744             const int slot_id = ep->dev->address;
745             const int ep_id = xhci_ep_id(ep);
746             epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
>>>     CID 1663892:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "xhci->dev[slot_id].transfer_rings" of 32 8-byte 
>>> elements at element index 255 (byte offset 2047) using index "ep_id" (which 
>>> evaluates to 255).
747             transfer_ring_t *const tr = 
xhci->dev[slot_id].transfer_rings[ep_id];
748     
749             const size_t off = (size_t)data & 0xffff;
750             if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) {
751                     xhci_debug("Unsupported transfer size\n");
752                     return -1;

** CID 1663890:       Resource leaks  (RESOURCE_LEAK)
/util/amdfwtool/handle_file.c: 115           in write_blob()


_____________________________________________________________________________________________
*** CID 1663890:         Resource leaks  (RESOURCE_LEAK)
/util/amdfwtool/handle_file.c: 115             in write_blob()
109                     return -1;
110             }
111     
112             bytes = write_from_buf_to_file(fd, body_offset, body_size);
113             if (bytes != body_size) {
114                     fprintf(stderr, "Error: Writing to file %s failed\n", 
body_tmp_name);
>>>     CID 1663890:         Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "fd" going out of scope leaks the handle.
115                     return -1;
116             }
117             close(fd);
118     
119             /* Rename the tmp file */
120             ret = snprintf(body_name, sizeof(body_name), "%s%s", output, 
suffix);

** CID 1663889:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/acpi/acpi.c: 1159           in acpi_create_bdat()


_____________________________________________________________________________________________
*** CID 1663889:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/acpi/acpi.c: 1159             in acpi_create_bdat()
1153                    return;
1154     
1155            if (acpi_fill_header(header, "BDAT", BDAT, sizeof(acpi_bdat_t)) 
!= CB_SUCCESS)
1156                    return;
1157     
1158            bdat->bdat_gas.addrl = (uintptr_t)region & 0xffffffff;
>>>     CID 1663889:         Integer handling issues  
>>> (CONSTANT_EXPRESSION_RESULT)
>>>     "(uint64_t)(uintptr_t)region >> 32" is 0 regardless of the values of 
>>> its operands. This occurs as the operand of assignment.
1159            bdat->bdat_gas.addrh = ((uint64_t)(uintptr_t)region) >> 32;
1160     }
1161     
1162     __weak void arch_fill_fadt(acpi_fadt_t *fadt) { }
1163     __weak void soc_fill_fadt(acpi_fadt_t *fadt) { }
1164     __weak void mainboard_fill_fadt(acpi_fadt_t *fadt) { }

** CID 1663887:       Security best practices violations  (TOCTOU)
/util/cbfstool/common.c: 51           in buffer_from_file_aligned_size()


_____________________________________________________________________________________________
*** CID 1663887:         Security best practices violations  (TOCTOU)
/util/cbfstool/common.c: 51             in buffer_from_file_aligned_size()
45     
46     int buffer_from_file_aligned_size(struct buffer *buffer, const char 
*filename,
47                                size_t size_granularity)
48     {
49      struct stat st;
50     
>>>     CID 1663887:         Security best practices violations  (TOCTOU)
>>>     Calling function "stat" to perform check on "filename".
51      if (stat(filename, &st) == -1) {
52              perror(filename);
53              return -1;
54      }
55     
56      if (!S_ISREG(st.st_mode)) {

** CID 1663886:       Resource leaks  (RESOURCE_LEAK)
/util/amdfwtool/data_parse.c: 597           in process_config()


_____________________________________________________________________________________________
*** CID 1663886:         Resource leaks  (RESOURCE_LEAK)
/util/amdfwtool/data_parse.c: 597             in process_config()
591                             if (strcmp(&(oneline[match[FW_TYPE].rm_so]), 
FW_LOCATION) == 0) {
592                                     dir_len = match[FW_FILE].rm_eo - 
match[FW_FILE].rm_so;
593                                     assert(dir_len < MAX_LINE_SIZE);
594                                     snprintf(dir, MAX_LINE_SIZE, "%.*s", 
dir_len,
595                                             
&(oneline[match[FW_FILE].rm_so]));
596                             } else if 
(strcmp(&(oneline[match[FW_TYPE].rm_so]), SOC_NAME) == 0) {
>>>     CID 1663886:         Resource leaks  (RESOURCE_LEAK)
>>>     Overwriting "platform_name" in "platform_name = 
>>> strdup(&oneline[match[FW_FILE].rm_so])" leaks the storage that 
>>> "platform_name" points to.
597                                     platform_name = 
strdup(&(oneline[match[FW_FILE].rm_so]));
598                                     cb_config->soc_id = 
platform_identify(platform_name);
599                             }
600                     }
601             }
602     

** CID 1663885:         (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 406           in ehci_bulk_timeout()
/payloads/libpayload/drivers/usb/ehci.c: 419           in ehci_bulk_timeout()


_____________________________________________________________________________________________
*** CID 1663885:           (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 406             in ehci_bulk_timeout()
400                     (endp << QH_EP_SHIFT) |
401                     (ep->dev->speed << QH_EPS_SHIFT) |
402                     (0 << QH_DTC_SHIFT) |
403                     (1 << QH_RECLAIM_HEAD_SHIFT) |
404                     (ep->maxpacketsize << QH_MPS_SHIFT) |
405                     (0 << QH_NAK_CNT_SHIFT);
>>>     CID 1663885:           (INTEGER_OVERFLOW)
>>>     Expression "qh->epcaps", where "0xffffffffc0000000 | (hubport << 23) | 
>>> (hubaddr << 16)" is known to be equal to -1073741824, overflows the type of 
>>> "qh->epcaps", which is type "u32 volatile".
406             qh->epcaps = (3 << QH_PIPE_MULTIPLIER_SHIFT) |
407                     (hubport << QH_PORT_NUMBER_SHIFT) |
408                     (hubaddr << QH_HUB_ADDRESS_SHIFT);
409     
410             qh->td.next_qtd = virt_to_phys(head);
411             qh->td.token |= (ep->toggle?QTD_TOGGLE_DATA1:0);
/payloads/libpayload/drivers/usb/ehci.c: 419             in ehci_bulk_timeout()
413     
414             result = ehci_process_async_schedule(
415                             EHCI_INST(ep->dev->controller), qh, head, 
timeout_us);
416             if (result >= 0) {
417                     result = size - result;
418                     if (pid == EHCI_IN && end != src + size)
>>>     CID 1663885:           (INTEGER_OVERFLOW)
>>>     "result", which might be negative, is passed to "memcpy(src, end - 
>>> size, result)". [Note: The source code implementation of the function has 
>>> been overridden by a builtin model.]
419                             memcpy(src, end - size, result);
420             }
421     
422             ep->toggle = (cur->token & QTD_TOGGLE_MASK) >> QTD_TOGGLE_SHIFT;
423     
424             free_qh_and_tds(qh, head);

** CID 1663884:       Memory - illegal accesses  (USE_AFTER_FREE)
/util/amdfwtool/amdfwread.c: 230           in read_soft_fuse()


_____________________________________________________________________________________________
*** CID 1663884:         Memory - illegal accesses  (USE_AFTER_FREE)
/util/amdfwtool/amdfwread.c: 230             in read_soft_fuse()
224             while (1) {
225                     uint32_t l2_dir_offset = 0;
226                     uint32_t ish_dir_offset;
227                     ish_directory_table ish_dir;
228     
229                     for (size_t i = 0; i < num_current_entries; i++) {
>>>     CID 1663884:         Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "current_entries".
230                             uint32_t type = current_entries[i].type;
231                             uint64_t mode = current_entries[i].address_mode;
232                             uint64_t addr = current_entries[i].addr;
233                             uint64_t fuse;
234     
235                             switch (type) {

** CID 1663883:         (RESOURCE_LEAK)
/util/inteltool/spi.c: 399           in get_espibar_phys()
/util/inteltool/spi.c: 396           in get_espibar_phys()


_____________________________________________________________________________________________
*** CID 1663883:           (RESOURCE_LEAK)
/util/inteltool/spi.c: 399             in get_espibar_phys()
393             *addr = pci_read_long(spidev, offset) & mask;
394             if (!*addr) {
395                     fprintf(stderr, "Error: no valid bar 0 of device 
0:31.%x found %x\n", func, *addr);
396                     return 1;
397             }
398     
>>>     CID 1663883:           (RESOURCE_LEAK)
>>>     Variable "spidev" going out of scope leaks the storage it points to.
399             return 0;
400     }
401     
402     static int print_spibar(struct pci_dev *sb, struct pci_access *pacc) {
403             int i, size = 0, rcba_size = 0x4000;
404             volatile uint8_t *rcba;
/util/inteltool/spi.c: 396             in get_espibar_phys()
390                     return 1;
391             }
392     
393             *addr = pci_read_long(spidev, offset) & mask;
394             if (!*addr) {
395                     fprintf(stderr, "Error: no valid bar 0 of device 
0:31.%x found %x\n", func, *addr);
>>>     CID 1663883:           (RESOURCE_LEAK)
>>>     Variable "spidev" going out of scope leaks the storage it points to.
396                     return 1;
397             }
398     
399             return 0;
400     }
401     

** CID 1663882:       Control flow issues  (UNREACHABLE)
/src/commonlib/bsd/zstd/compress/zstd_preSplit.c: 187           in 
ZSTD_splitBlock_byChunks()


_____________________________________________________________________________________________
*** CID 1663882:         Control flow issues  (UNREACHABLE)
/src/commonlib/bsd/zstd/compress/zstd_preSplit.c: 187             in 
ZSTD_splitBlock_byChunks()
181                 mergeEvents(&fpstats->pastEvents, &fpstats->newEvents);
182                 if (penalty > 0) penalty--;
183             }
184         }
185         assert(pos == blockSize);
186         return blockSize;
>>>     CID 1663882:         Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "(void)flushEvents;".
187         (void)flushEvents; (void)removeEvents;
188     }
189     
190     /* ZSTD_splitBlock_fromBorders(): very fast strategy :
191      * compare fingerprint from beginning and end of the block,
192      * derive from their difference if it's preferable to split in the 
middle,

** CID 1619923:       Memory - illegal accesses  (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 347           in 
ZSTD_getMatchPrice()


_____________________________________________________________________________________________
*** CID 1619923:         Memory - illegal accesses  (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 347             in 
ZSTD_getMatchPrice()
341         price = (offCode * BITCOST_MULTIPLIER) + 
(optPtr->offCodeSumBasePrice - WEIGHT(optPtr->offCodeFreq[offCode], optLevel));
342         if ((optLevel<2) /*static*/ && offCode >= 20)
343             price += (offCode-19)*2 * BITCOST_MULTIPLIER; /* handicap for 
long distance offsets, favor decompression speed */
344     
345         /* match Length */
346         {   U32 const mlCode = ZSTD_MLcode(mlBase);
>>>     CID 1619923:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "ML_bits" of 53 bytes at byte offset 67 using index 
>>> "mlCode" (which evaluates to 67).
347             price += (ML_bits[mlCode] * BITCOST_MULTIPLIER) + 
(optPtr->matchLengthSumBasePrice - WEIGHT(optPtr->matchLengthFreq[mlCode], 
optLevel));
348         }
349     
350         price += BITCOST_MULTIPLIER / 5;   /* heuristic : make matches a 
bit more costly to favor less sequences -> faster decompression speed */
351     
352         DEBUGLOG(8, "ZSTD_getMatchPrice(ml:%u) = %u", matchLength, price);

** CID 1619840:         (TAINTED_SCALAR)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1231           in 
ZSTD_RowFindBestMatch()
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1302           in 
ZSTD_RowFindBestMatch()


_____________________________________________________________________________________________
*** CID 1619840:           (TAINTED_SCALAR)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1231             in 
ZSTD_RowFindBestMatch()
1225             U32 matchBuffer[ZSTD_ROW_HASH_MAX_ENTRIES];
1226             size_t numMatches = 0;
1227             size_t currMatch = 0;
1228             ZSTD_VecMask matches = ZSTD_row_getMatchMask(tagRow, 
(BYTE)tag, headGrouped, rowEntries);
1229     
1230             /* Cycle through the matches and prefetch */
>>>     CID 1619840:           (TAINTED_SCALAR)
>>>     Using tainted variable "matches" as a loop boundary.
1231             for (; (matches > 0) && (nbAttempts > 0); matches &= (matches 
- 1)) {
1232                 U32 const matchPos = ((headGrouped + 
ZSTD_VecMask_next(matches)) / groupWidth) & rowMask;
1233                 U32 const matchIndex = row[matchPos];
1234                 if(matchPos == 0) continue;
1235                 assert(numMatches < rowEntries);
1236                 if (matchIndex < lowLimit)
/src/commonlib/bsd/zstd/compress/zstd_lazy.c: 1302             in 
ZSTD_RowFindBestMatch()
1296             {   U32 const headGrouped = (*dmsTagRow & rowMask) * 
groupWidth;
1297                 U32 matchBuffer[ZSTD_ROW_HASH_MAX_ENTRIES];
1298                 size_t numMatches = 0;
1299                 size_t currMatch = 0;
1300                 ZSTD_VecMask matches = ZSTD_row_getMatchMask(dmsTagRow, 
(BYTE)dmsTag, headGrouped, rowEntries);
1301     
>>>     CID 1619840:           (TAINTED_SCALAR)
>>>     Using tainted variable "matches" as a loop boundary.
1302                 for (; (matches > 0) && (nbAttempts > 0); matches &= 
(matches - 1)) {
1303                     U32 const matchPos = ((headGrouped + 
ZSTD_VecMask_next(matches)) / groupWidth) & rowMask;
1304                     U32 const matchIndex = dmsRow[matchPos];
1305                     if(matchPos == 0) continue;
1306                     if (matchIndex < dmsLowestIndex)
1307                         break;

** CID 1619817:       Memory - illegal accesses  (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 313           in 
ZSTD_litLengthPrice()


_____________________________________________________________________________________________
*** CID 1619817:         Memory - illegal accesses  (OVERRUN)
/src/commonlib/bsd/zstd/compress/zstd_opt.c: 313             in 
ZSTD_litLengthPrice()
307          */
308         if (litLength == ZSTD_BLOCKSIZE_MAX)
309             return BITCOST_MULTIPLIER + 
ZSTD_litLengthPrice(ZSTD_BLOCKSIZE_MAX - 1, optPtr, optLevel);
310     
311         /* dynamic statistics */
312         {   U32 const llCode = ZSTD_LLcode(litLength);
>>>     CID 1619817:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "LL_bits" of 36 bytes at byte offset 50 using index 
>>> "llCode" (which evaluates to 50).
313             return (LL_bits[llCode] * BITCOST_MULTIPLIER)
314                  + optPtr->litLengthSumBasePrice
315                  - WEIGHT(optPtr->litLengthFreq[llCode], optLevel);
316         }
317     }
318     

** CID 1619779:         (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1249           in 
HUF_readDTableX2_wksp()
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1213           in 
HUF_readDTableX2_wksp()


_____________________________________________________________________________________________
*** CID 1619779:           (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1249             in 
HUF_readDTableX2_wksp()
1243                     nextRankVal += wksp->rankStats[w] << (w+rescale);
1244                     rankVal0[w] = curr;
1245             }   }
1246             {   U32 const minBits = tableLog+1 - maxW;
1247                 U32 consumed;
1248                 for (consumed = minBits; consumed < maxTableLog - minBits 
+ 1; consumed++) {
>>>     CID 1619779:           (INTEGER_OVERFLOW)
>>>     "consumed", which might have underflowed, is passed to 
>>> "wksp->rankVal[consumed]".
1249                     U32* const rankValPtr = wksp->rankVal[consumed];
1250                     U32 w;
1251                     for (w = 1; w < maxW+1; w++) {
1252                         rankValPtr[w] = rankVal0[w] >> consumed;
1253         }   }   }   }
1254     
/src/commonlib/bsd/zstd/decompress/huf_decompress.c: 1213             in 
HUF_readDTableX2_wksp()
1207     
1208         /* check result */
1209         if (tableLog > maxTableLog) return ERROR(tableLog_tooLarge);   /* 
DTable can't fit code depth */
1210         if (tableLog <= HUF_DECODER_FAST_TABLELOG && maxTableLog > 
HUF_DECODER_FAST_TABLELOG) maxTableLog = HUF_DECODER_FAST_TABLELOG;
1211     
1212         /* find maxWeight */
>>>     CID 1619779:           (INTEGER_OVERFLOW)
>>>     "maxW", which might have underflowed, is passed to 
>>> "wksp->rankStats[maxW]".
1213         for (maxW = tableLog; wksp->rankStats[maxW]==0; maxW--) {}  /* 
necessarily finds a solution before 0 */
1214     
1215         /* Get start index of each weight */
1216         {   U32 w, nextRankStart = 0;
1217             for (w=1; w<maxW+1; w++) {
1218                 U32 curr = nextRankStart;

** CID 1557246:       Insecure data handling  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress.c: 3987           in 
ZSTD_compressSeqStore_singleBlock()


_____________________________________________________________________________________________
*** CID 1557246:         Insecure data handling  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress.c: 3987             in 
ZSTD_compressSeqStore_singleBlock()
3981             DEBUGLOG(5, "Writing out compressed block, size: %zu", cSize);
3982         }
3983     
3984         if (zc->blockState.prevCBlock->entropy.fse.offcode_repeatMode == 
FSE_repeat_valid)
3985             zc->blockState.prevCBlock->entropy.fse.offcode_repeatMode = 
FSE_repeat_check;
3986     
>>>     CID 1557246:         Insecure data handling  (INTEGER_OVERFLOW)
>>>     "cSize", which might have overflowed, is returned from the function.
3987         return cSize;
3988     }
3989     
3990     /* Struct to keep track of where we are in our recursive calls. */
3991     typedef struct {
3992         U32* splitLocations;    /* Array of split indices */

** CID 1555298:       Integer handling issues  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress_sequences.c: 211           in 
ZSTD_selectEncodingType()


_____________________________________________________________________________________________
*** CID 1555298:         Integer handling issues  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/zstd_compress_sequences.c: 211             in 
ZSTD_selectEncodingType()
205                 }
206             }
207         } else {
208             size_t const basicCost = isDefaultAllowed ? 
ZSTD_crossEntropyCost(defaultNorm, defaultNormLog, count, max) : ERROR(GENERIC);
209             size_t const repeatCost = *repeatMode != FSE_repeat_none ? 
ZSTD_fseBitCost(prevCTable, count, max) : ERROR(GENERIC);
210             size_t const NCountCost = ZSTD_NCountCost(count, max, nbSeq, 
FSELog);
>>>     CID 1555298:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "NCountCost << 3", where "NCountCost" is known to be equal 
>>> to 18446744073709551615, overflows the type of "NCountCost << 3", which is 
>>> type "size_t".
211             size_t const compressedCost = (NCountCost << 3) + 
ZSTD_entropyCost(count, max, nbSeq);
212     
213             if (isDefaultAllowed) {
214                 assert(!ZSTD_isError(basicCost));
215                 assert(!(*repeatMode == FSE_repeat_valid && 
ZSTD_isError(repeatCost)));
216             }

** CID 1552754:       Memory - corruptions  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/huf_compress.c: 336           in 
HUF_readCTable()


_____________________________________________________________________________________________
*** CID 1552754:         Memory - corruptions  (INTEGER_OVERFLOW)
/src/commonlib/bsd/zstd/compress/huf_compress.c: 336             in 
HUF_readCTable()
330             U16 valPerRank[HUF_TABLELOG_MAX+2] = {0};
331             { U32 n; for (n=0; n<nbSymbols; n++) 
nbPerRank[HUF_getNbBits(ct[n])]++; }
332             /* determine stating value per rank */
333             valPerRank[tableLog+1] = 0;   /* for w==0 */
334             {   U16 min = 0;
335                 U32 n; for (n=tableLog; n>0; n--) {  /* start at n=tablelog 
<-> w=1 */
>>>     CID 1552754:         Memory - corruptions  (INTEGER_OVERFLOW)
>>>     "n", which might have underflowed, is passed to "valPerRank[n]".
336                     valPerRank[n] = min;     /* get starting value within 
each rank */
337                     min += nbPerRank[n];
338                     min >>= 1;
339             }   }
340             /* assign value within rank, symbol order */
341             { U32 n; for (n=0; n<nbSymbols; n++) HUF_setValue(ct + n, 
valPerRank[HUF_getNbBits(ct[n])]++); }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://scan.coverity.com/projects/coreboot?tab=overview

_______________________________________________
coreboot mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to