So I ran Coverity with the newest scan version and this is good news. Only a few newly found issues in existing code.
---------- Forwarded message ---------
From: <scan-ad...@coverity.com>
Date: Tue, Jul 29, 2025 at 10:04 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.r...@gmail.com>

Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot* found with Coverity Scan.

- *New Defects Found:* 3
- 12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 583415: Integer handling issues (INTEGER_OVERFLOW)
/cmd/i2c.c: 369 in do_i2c_write()

_____________________________________________________________________________________________
*** CID 583415: Integer handling issues (INTEGER_OVERFLOW)
/cmd/i2c.c: 369 in do_i2c_write()
363                     return i2c_report_err(ret, I2C_ERR_WRITE);
364             } else {
365                     /*
366                      * Repeated addressing - perform <length> separate
367                      * write transactions of one byte each
368                      */
>>>     CID 583415: Integer handling issues (INTEGER_OVERFLOW)
>>>     Expression "length--", where "length" is known to be equal to 0,
>>>     underflows the type of "length--", which is type "uint".
369                     while (length-- > 0) {
370     #if CONFIG_IS_ENABLED(DM_I2C)
371                             i2c_chip->flags |= DM_I2C_CHIP_WR_ADDRESS;
372                             ret = dm_i2c_write(dev, devaddr++, memaddr++, 1);
373     #else
374                             ret = i2c_write(chip, devaddr++, alen, memaddr++, 1);

** CID 583414: Memory - corruptions (OVERRUN)
/cmd/eficonfig.c: 334 in eficonfig_append_menu_entry()

_____________________________________________________________________________________________
*** CID 583414: Memory - corruptions (OVERRUN)
/cmd/eficonfig.c: 334 in eficonfig_append_menu_entry()
328
329             entry = calloc(1, sizeof(struct eficonfig_entry));
330             if (!entry)
331                     return EFI_OUT_OF_RESOURCES;
332
333             entry->title = title;
>>>     CID 583414: Memory - corruptions (OVERRUN)
>>>     "sprintf" will overrun its first argument "entry->key" which can
>>>     accommodate 3 bytes. The number of bytes written may be 11 bytes,
>>>     including the terminating null.
334             sprintf(entry->key, "%d", efi_menu->count);
335             entry->efi_menu = efi_menu;
336             entry->func = func;
337             entry->data = data;
338             entry->num = efi_menu->count++;
339             list_add_tail(&entry->list, &efi_menu->list);

** CID 583357: (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714 in deflate_slow()
/lib/zlib/deflate.c: 1706 in deflate_slow()

_____________________________________________________________________________________________
*** CID 583357: (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714 in deflate_slow()
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in
1712                  * the hash table.
1713                  */
>>>     CID 583357: (INTEGER_OVERFLOW)
>>>     Expression "s->lookahead", where "s->prev_length - 1U" is known to be
>>>     equal to 4294967270, underflows the type of "s->lookahead", which is type
>>>     "uInt".
1714                 s->lookahead -= s->prev_length-1;
1715                 s->prev_length -= 2;
1716                 do {
1717                     if (++s->strstart <= max_insert) {
1718                         INSERT_STRING(s, s->strstart, hash_head);
1719                     }
/lib/zlib/deflate.c: 1706 in deflate_slow()
1700             if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
1701                 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
1702                 /* Do not insert strings in hash table beyond this. */
1703
1704                 check_match(s, s->strstart-1, s->prev_match, s->prev_length);
1705
>>>     CID 583357: (INTEGER_OVERFLOW)
>>>     Expression "len", where "s->prev_length - 3U" is known to be equal to
>>>     4294967267, overflows the type of "len", which is type "uch".
1706                 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
1707                                s->prev_length - MIN_MATCH, bflush);
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in

View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom