Hello,
We run the Coverity Prevent product on our code and since we use LibXML2
there are a number of issues reported in LibXML2 as well. I thought you
would be interested in knowing about these items. Here are a few of the
issues reported by Coverity. It includes the line number, the code, and
the events and assumptions made by the checker.
1) Coverity Check Type: UNUSED_VALUE - catalog.c
2728 sgml = xmlCatalogSGMLResolve(catal, NULL,
URI);
At conditional (5): "sgml != 0" taking true path
2729 if (sgml != NULL)
Event returned_pointer: Pointer "sgml" returned from "xmlStrdup" is
never used
2730 sgml =
xmlStrdup(sgml);
2) Coverity Check Type: UNUSED_VALUE - catalog.c
2430 if (ret != NULL)
2431 return(ret);
At conditional (4): "sysID != 0" taking true path
2432 if (sysID != NULL)
Event returned_pointer: Pointer "ret" returned from
"xmlCatalogGetSGMLSystem" is never used
2433 ret = xmlCatalogGetSGMLSystem(catal->sgml, sysID);
2434 return(NULL);
3) Coverity Check Type: Time-of-check-time-of-use (TOCTOU) -
catalog.c
898 if (filename == NULL)
899 return (NULL);
900
901 #ifdef HAVE_STAT
Event fs_check_call: Called "stat" to perform check on "filename"
At conditional (1): "stat < 0" taking false path
902 if (stat(filename, &info) < 0)
903 return (NULL);
904 #endif
905
906 #ifdef HAVE_STAT
Event toctou: Called use function "open" on "filename" after a check
function. This can cause a time-of-check, time-of-use race condition.
907 if ((fd = open(filename, O_RDONLY)) < 0)
4) Coverity Check Type: REVERSE_INULL - catalog.c. REVERSE_INULL
checker finds many instances of NULL checks after dereferences.
3054 cur = pathss;
Event check_after_deref: Pointer "cur" dereferenced before NULL check
3055 while ((cur != NULL) && (*cur != 0)) {
3056 while (xmlIsBlank_ch(*cur)) cur++;
3057 if (*cur != 0) {
3058 paths = cur;
3059 while ((*cur != 0) && (*cur != ':') &&
(!xmlIsBlank_ch(*cur)))
3060 cur++;
3061 path = xmlStrndup((const xmlChar *)paths,
cur - paths);
3062 if (path != NULL) {
3063 xmlLoadCatalog((const char *)
path);
3064 xmlFree(path);
3065 }
3066 }
Event deref_ptr: Directly dereferenced pointer "cur"
At conditional (1): "*cur == 58" taking false path
3067 while (*cur == ':')
3068 cur++;
5) Coverity Check Type: DEAD_CODE - catalog.c.
Event const: After this line, the value of "base" is equal to 0
Event assignment: Assigning "0" to "base"
1088 xmlChar *base = NULL;
Thank you.
Derrick L. Price
International Game Technology
Software Engineer Manager
1085 Palms Airport Drive
Las Vegas, NV 89119
(702) 616-7947
_______________________________________________
xml mailing list, project page http://xmlsoft.org/
[email protected]
http://mail.gnome.org/mailman/listinfo/xml
