Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
122 new defect(s) introduced to coreboot found with Coverity Scan.
20 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 122 defect(s)
** CID 1612098: Insecure data handling (INTEGER_OVERFLOW)
/util/amdfwtool/handle_file.c: 32 in read_from_file_to_buf()
_____________________________________________________________________________________________
*** CID 1612098: Insecure data handling (INTEGER_OVERFLOW)
/util/amdfwtool/handle_file.c: 32 in read_from_file_to_buf()
26 ssize_t read_from_file_to_buf(int fd, void *buf, size_t buf_size)
27 {
28 ssize_t bytes;
29 size_t total_bytes = 0;
30
31 do {
>>> CID 1612098: Insecure data handling (INTEGER_OVERFLOW)
>>> "buf_size - total_bytes", which might have underflowed, is passed to
>>> "read(fd, buf + total_bytes, buf_size - total_bytes)".
32 bytes = read(fd, buf + total_bytes, buf_size - total_bytes);
33 if (bytes == 0) {
34 fprintf(stderr, "Reached EOF probably\n");
35 break;
36 }
37
** CID 1612097: Integer handling issues (INTEGER_OVERFLOW)
/src/lib/gcov-io.c: 362 in __gcov_write_summary()
_____________________________________________________________________________________________
*** CID 1612097: Integer handling issues (INTEGER_OVERFLOW)
/src/lib/gcov-io.c: 362 in __gcov_write_summary()
356 {
357 unsigned int ix;
358 const struct gcov_ctr_summary *csum;
359
360 gcov_write_tag_length(tag, GCOV_TAG_SUMMARY_LENGTH);
361 gcov_write_unsigned(summary->checksum);
>>> CID 1612097: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "ix--", where "ix" is known to be equal to 0, underflows the
>>> type of "ix--", which is type "unsigned int".
362 for (csum = summary->ctrs, ix = GCOV_COUNTERS_SUMMABLE; ix--;
csum++) {
363 gcov_write_unsigned(csum->num);
364 gcov_write_unsigned(csum->runs);
365 gcov_write_counter(csum->sum_all);
366 gcov_write_counter(csum->run_max);
367 gcov_write_counter(csum->sum_max);
** CID 1612096: (RESOURCE_LEAK)
/util/cbfstool/amdcompress.c: 85 in parse_elf_to_xip_ram()
/util/cbfstool/amdcompress.c: 89 in parse_elf_to_xip_ram()
_____________________________________________________________________________________________
*** CID 1612096: (RESOURCE_LEAK)
/util/cbfstool/amdcompress.c: 85 in parse_elf_to_xip_ram()
79 {
80 struct parsed_elf pelf;
81
82 if (parse_elf(input, &pelf, ELF_PARSE_ALL))
83 return 1;
84 if (buffer_create(output, pelf.phdr->p_filesz, "") != 0)
>>> CID 1612096: (RESOURCE_LEAK)
>>> Variable "pelf" going out of scope leaks the storage "pelf.relocs"
>>> points to.
85 return 1;
86
87 memcpy(output->data, input->data + pelf.phdr->p_offset, output->size);
88
89 return 0;
90 }
/util/cbfstool/amdcompress.c: 89 in parse_elf_to_xip_ram()
83 return 1;
84 if (buffer_create(output, pelf.phdr->p_filesz, "") != 0)
85 return 1;
86
87 memcpy(output->data, input->data + pelf.phdr->p_offset, output->size);
88
>>> CID 1612096: (RESOURCE_LEAK)
>>> Variable "pelf" going out of scope leaks the storage "pelf.relocs"
>>> points to.
89 return 0;
90 }
91
92 static int convert_elf(struct buffer *buf)
93 {
94 struct buffer out;
** CID 1612094: Integer handling issues (INTEGER_OVERFLOW)
/src/cpu/x86/mtrr/mtrr.c: 440 in calc_var_mtrr_range()
_____________________________________________________________________________________________
*** CID 1612094: Integer handling issues (INTEGER_OVERFLOW)
/src/cpu/x86/mtrr/mtrr.c: 440 in calc_var_mtrr_range()
434 /* All MTRR entries need to have their base aligned to
the mask
435 * size. The maximum size is calculated by a function
of the
436 * min base bit set and maximum size bit set. */
437 if (addr_lsb > size_msb)
438 mtrr_size = 1ULL << size_msb;
439 else
>>> CID 1612094: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "1ULL << addr_lsb", where "addr_lsb" is known to be equal to
>>> 4294967295, overflows the type of "1ULL << addr_lsb", which is type
>>> "unsigned long long".
440 mtrr_size = 1ULL << addr_lsb;
441
442 if (var_state->prepare_msrs)
443 prep_var_mtrr(var_state, base, mtrr_size,
mtrr_type);
444
445 size -= mtrr_size;
** CID 1612093: Error handling issues (CHECKED_RETURN)
/src/mainboard/google/skywalker/mainboard.c: 95 in mainboard_init()
_____________________________________________________________________________________________
*** CID 1612093: Error handling issues (CHECKED_RETURN)
/src/mainboard/google/skywalker/mainboard.c: 95 in mainboard_init()
89 if (mainboard_get_storage_type() == STORAGE_EMMC)
90 mtk_msdc_configure_emmc(true);
91
92 dpm_init();
93 setup_usb_host();
94 setup_usb_secondary_host();
>>> CID 1612093: Error handling issues (CHECKED_RETURN)
>>> Calling "spm_init" without checking return value (as is done elsewhere
>>> 6 out of 7 times).
95 spm_init();
96 power_on_fpmcu();
97 configure_audio();
98
99 if (CONFIG(SKYWALKER_SDCARD_INIT))
100 mtk_msdc_configure_sdcard();
** CID 1612092: Integer handling issues (INTEGER_OVERFLOW)
/src/northbridge/intel/gm45/raminit_read_write_training.c: 401 in
program_write_timing()
_____________________________________________________________________________________________
*** CID 1612092: Integer handling issues (INTEGER_OVERFLOW)
/src/northbridge/intel/gm45/raminit_read_write_training.c: 401 in
program_write_timing()
395 (t <= d_bounds[memclk1067][0]) ? CxWRTy_BELOW_D :
396 ((t > d_bounds[memclk1067][1]) ? CxWRTy_ABOVE_D : 0);
397
398 u32 reg = mchbar_read32(CxWRTy_MCHBAR(ch, group));
399 reg &= ~(CxWRTy_T_MASK | CxWRTy_P_MASK | CxWRTy_F_MASK);
400 reg &= ~CxWRTy_D_MASK;
>>> CID 1612092: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "t << 28", where "t" is known to be equal to 9, overflows
>>> the type of "t << 28", which is type "int".
401 reg |= CxWRTy_T(t) | CxWRTy_P(p) | CxWRTy_F(f) | d;
402 mchbar_write32(CxWRTy_MCHBAR(ch, group), reg);
403
404 return 0;
405 }
406 /* Returns 1 on success, 0 on failure. */
** CID 1612091: Insecure data handling (INTEGER_OVERFLOW)
/src/mainboard/intel/mtlrvp/romstage.c: 20 in get_spd_index()
_____________________________________________________________________________________________
*** CID 1612091: Insecure data handling (INTEGER_OVERFLOW)
/src/mainboard/intel/mtlrvp/romstage.c: 20 in get_spd_index()
14
15 printk(BIOS_INFO, "Board id is 0x%x\n", board_id);
16
17 spd_index = board_id & SPD_ID_MASK;
18
19 printk(BIOS_INFO, "SPD index is 0x%x\n", (unsigned int)spd_index);
>>> CID 1612091: Insecure data handling (INTEGER_OVERFLOW)
>>> "spd_index", which might have underflowed, is returned from the
>>> function.
20 return spd_index;
21 }
22
23 void mainboard_memory_init_params(FSPM_UPD *memupd)
24 {
25 const struct mb_cfg *mem_config = variant_memory_params();
** CID 1612090: Integer handling issues (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 661 in ohci_fill_intrq_td()
_____________________________________________________________________________________________
*** CID 1612090: Integer handling issues (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ohci.c: 661 in ohci_fill_intrq_td()
655
656 static void
657 ohci_fill_intrq_td(intrq_td_t *const td, intr_queue_t *const intrq,
658 u8 *const data)
659 {
660 memset(td, 0, sizeof(*td));
>>> CID 1612090: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "td->td.config", where "1 | ((intrq->endp->direction == IN)
>>> ? 1048576 : 524288) | 0 | 0 | 0xffffffffe0000000" is known to be equal to
>>> -535822335, overflows the type of "td->td.config", which is type "u32
>>> volatile".
661 td->td.config = TD_QUEUETYPE_INTR |
662 (intrq->endp->direction == IN
663 ? TD_DIRECTION_IN : TD_DIRECTION_OUT) |
664 TD_DELAY_INTERRUPT_ZERO |
665 TD_TOGGLE_FROM_ED |
666 TD_CC_NOACCESS;
** CID 1612089: Integer handling issues (INTEGER_OVERFLOW)
/src/drivers/aspeed/common/ast_post.c: 2042 in ast_dram_init_2500()
_____________________________________________________________________________________________
*** CID 1612089: Integer handling issues (INTEGER_OVERFLOW)
/src/drivers/aspeed/common/ast_post.c: 2042 in ast_dram_init_2500()
2036 static bool ast_dram_init_2500(struct ast_private *ast)
2037 {
2038 u32 data;
2039 u32 max_tries = 5;
2040
2041 do {
>>> CID 1612089: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "max_tries--", where "max_tries" is known to be equal to 0,
>>> underflows the type of "max_tries--", which is type "u32".
2042 if (max_tries-- == 0)
2043 return false;
2044 set_mpll_2500(ast);
2045 reset_mmc_2500(ast);
2046 ddr_init_common_2500(ast);
2047
** CID 1612087: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/wuffs/wuffs-v0.4.c: 50956 in
wuffs_jpeg__decoder__decode_mcu_progressive_ac_low_bit()
_____________________________________________________________________________________________
*** CID 1612087: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/wuffs/wuffs-v0.4.c: 50956 in
wuffs_jpeg__decoder__decode_mcu_progressive_ac_low_bit()
50950 v_bits |=
(wuffs_base__peek_u64be__no_bounds_check(iop_v_r) >> (v_n_bits & 63u));
50951 iop_v_r += ((63u - (v_n_bits & 63u)) >> 3u);
50952 v_n_bits |= 56u;
50953 }
50954 v_bit = ((v_bits >> 63u) > 0u);
50955 v_bits <<= 1u;
>>> CID 1612087: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "v_n_bits", underflows the type of "v_n_bits", which is type
>>> "uint32_t".
50956 v_n_bits -= 1u;
50957 if (v_bit) {
50958 if (self->private_data.f_mcu_blocks[0u][v_unzig] <
32768u) {
50959 #if defined(__GNUC__)
50960 #pragma GCC diagnostic push
50961 #pragma GCC diagnostic ignored "-Wconversion"
** CID 1612086: Integer handling issues (INTEGER_OVERFLOW)
/src/southbridge/intel/bd82x6x/me_8.x.c: 411 in intel_me_read_mbp()
_____________________________________________________________________________________________
*** CID 1612086: Integer handling issues (INTEGER_OVERFLOW)
/src/southbridge/intel/bd82x6x/me_8.x.c: 411 in intel_me_read_mbp()
405 if (buffer_room != copy_size) {
406 printk(BIOS_ERR, "ME: buffer room %d != %d copy
size"
407 " for item 0x%x!!!\n",
408 buffer_room, copy_size, mbp_item_id);
409 return -1;
410 }
>>> CID 1612086: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "copy_size--", where "copy_size" is known to be equal to 0,
>>> underflows the type of "copy_size--", which is type "u32".
411 while (copy_size--)
412 *copy_addr++ = read_cb();
413 }
414
415 read_host_csr(&host);
416 host.interrupt_generate = 1;
** CID 1612085: (INTEGER_OVERFLOW)
/src/soc/nvidia/tegra210/addressmap.c: 349 in vpr_region_init()
/src/soc/nvidia/tegra210/addressmap.c: 346 in vpr_region_init()
_____________________________________________________________________________________________
*** CID 1612085: (INTEGER_OVERFLOW)
/src/soc/nvidia/tegra210/addressmap.c: 349 in vpr_region_init()
343
344 /* Get memory layout below 4GiB */
345 memory_in_range(&vpr_base_mib, &end, CARVEOUT_VPR);
346 vpr_base_mib = end - vpr_size_mib;
347
348 /* Set the carveout base address and size */
>>> CID 1612085: (INTEGER_OVERFLOW)
>>> Expression "vpr_base_mib << 20", where "vpr_base_mib" is known to be
>>> equal to 18446744073709551488, overflows the type of "vpr_base_mib << 20",
>>> which is type "uintptr_t".
349 write32(&mc->video_protect_bom, vpr_base_mib << 20);
350 write32(&mc->video_protect_bom_adr_hi, 0);
351 write32(&mc->video_protect_size_mb, vpr_size_mib);
352
353 /* Set the locked bit. This will lock out any other writes! */
354 write32(&mc->video_protect_reg_ctrl, MC_VPR_WR_ACCESS_DISABLE);
/src/soc/nvidia/tegra210/addressmap.c: 346 in vpr_region_init()
340 struct tegra_mc_regs * const mc = (void
*)(uintptr_t)TEGRA_MC_BASE;
341 uintptr_t vpr_base_mib = 0, end = 4096;
342 size_t vpr_size_mib = VPR_CARVEOUT_SIZE_MB;
343
344 /* Get memory layout below 4GiB */
345 memory_in_range(&vpr_base_mib, &end, CARVEOUT_VPR);
>>> CID 1612085: (INTEGER_OVERFLOW)
>>> Expression "end - vpr_size_mib", where "end" is known to be equal to 0,
>>> and "vpr_size_mib" is known to be equal to 128, underflows the type of
>>> "end - vpr_size_mib", which is type "unsigned long".
346 vpr_base_mib = end - vpr_size_mib;
347
348 /* Set the carveout base address and size */
349 write32(&mc->video_protect_bom, vpr_base_mib << 20);
350 write32(&mc->video_protect_bom_adr_hi, 0);
351 write32(&mc->video_protect_size_mb, vpr_size_mib);
352
353 /* Set the locked bit. This will lock out any other writes! */
354 write32(&mc->video_protect_reg_ctrl, MC_VPR_WR_ACCESS_DISABLE);
** CID 1612083: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/amd/opensil/genoa_poc/opensil/xUSL/CCX/Common/CcxCacheInit.c:
78 in InitializeVariableMtrrs()
_____________________________________________________________________________________________
*** CID 1612083: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/amd/opensil/genoa_poc/opensil/xUSL/CCX/Common/CcxCacheInit.c:
78 in InitializeVariableMtrrs()
72 xUslWrMsr (CurAddr, LocalMsrRegister);
73
74 // prog. MTRR with current region Mask
75 CurAddr++; // other half of MSR pair
76 Value32 = CurSize - (uint32_t) 1;
77 Value32 = ~Value32;
>>> CID 1612083: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "Value32 << 16", where "Value32" is known to be equal to
>>> 2147483648, overflows the type of "Value32 << 16", which is type "uint32_t".
78 LocalMsrRegister = 0xFFFF00000000ull | (Value32 << 16) | ((uint32_t)
1 << 11);
79 xUslWrMsr (CurAddr, LocalMsrRegister);
80
81 CurBase = CurLimit;
82 CurAddr++; // next MSR pair
83 }
** CID 1612082: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1809 in
dbi_switchover_interface()
_____________________________________________________________________________________________
*** CID 1612082: Integer handling issues (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1809 in
dbi_switchover_interface()
1803 old_cl = -1;
1804 new_cl = -1;
1805 break;
1806 }
1807 ddr_print("N%d.LMC%d: DBI switchover: CL ADJ: old_cl 0x%x,
old_cwl 0x%x, new_cl 0x%x.\n",
1808 node, lmc, old_cl, old_cwl, new_cl);
>>> CID 1612082: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "modereg_params0.s.cl", where "new_cl" is known to be equal
>>> to -1, overflows the type of "modereg_params0.s.cl", which is type
>>> "uint64_t:4".
1809 modereg_params0.s.cl = new_cl;
1810 DRAM_CSR_WRITE(node, BDK_LMCX_MODEREG_PARAMS0(lmc),
modereg_params0.u);
1811 }
1812
1813 /*
1814 4. issue MRW to MR0 (CL) and MR5 (DBI), using LMC sequence
SEQ_CTL[SEQ_SEL] = MRW.
** CID 1612081: Insecure data handling (INTEGER_OVERFLOW)
/util/amdfwtool/handle_file.c: 63 in write_from_buf_to_file()
_____________________________________________________________________________________________
*** CID 1612081: Insecure data handling (INTEGER_OVERFLOW)
/util/amdfwtool/handle_file.c: 63 in write_from_buf_to_file()
57 ssize_t write_from_buf_to_file(int fd, const void *buf, size_t buf_size)
58 {
59 ssize_t bytes;
60 size_t total_bytes = 0;
61
62 do {
>>> CID 1612081: Insecure data handling (INTEGER_OVERFLOW)
>>> "buf_size - total_bytes", which might have underflowed, is passed to
>>> "write(fd, buf + total_bytes, buf_size - total_bytes)".
63 bytes = write(fd, buf + total_bytes, buf_size - total_bytes);
64 if (bytes < 0 && errno == EAGAIN)
65 bytes = 0;
66
67 if (bytes < 0) {
68 fprintf(stderr, "Write failure %s\n", strerror(errno));
** CID 1612080: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 404 in ehci_bulk()
/payloads/libpayload/drivers/usb/ehci.c: 417 in ehci_bulk()
_____________________________________________________________________________________________
*** CID 1612080: (INTEGER_OVERFLOW)
/payloads/libpayload/drivers/usb/ehci.c: 404 in ehci_bulk()
398 (endp << QH_EP_SHIFT) |
399 (ep->dev->speed << QH_EPS_SHIFT) |
400 (0 << QH_DTC_SHIFT) |
401 (1 << QH_RECLAIM_HEAD_SHIFT) |
402 (ep->maxpacketsize << QH_MPS_SHIFT) |
403 (0 << QH_NAK_CNT_SHIFT);
>>> CID 1612080: (INTEGER_OVERFLOW)
>>> Expression "qh->epcaps", where "0xffffffffc0000000 | (hubport << 23) |
>>> (hubaddr << 16)" is known to be equal to -1073741824, overflows the type of
>>> "qh->epcaps", which is type "u32 volatile".
404 qh->epcaps = (3 << QH_PIPE_MULTIPLIER_SHIFT) |
405 (hubport << QH_PORT_NUMBER_SHIFT) |
406 (hubaddr << QH_HUB_ADDRESS_SHIFT);
407
408 qh->td.next_qtd = virt_to_phys(head);
409 qh->td.token |= (ep->toggle?QTD_TOGGLE_DATA1:0);
/payloads/libpayload/drivers/usb/ehci.c: 417 in ehci_bulk()
411
412 result = ehci_process_async_schedule(
413 EHCI_INST(ep->dev->controller), qh, head);
414 if (result >= 0) {
415 result = size - result;
416 if (pid == EHCI_IN && end != src + size)
>>> CID 1612080: (INTEGER_OVERFLOW)
>>> "result", which might be negative, is passed to "memcpy(src, end -
>>> size, result)". [Note: The source code implementation of the function has
>>> been overridden by a builtin model.]
417 memcpy(src, end - size, result);
418 }
419
420 ep->toggle = (cur->token & QTD_TOGGLE_MASK) >> QTD_TOGGLE_SHIFT;
421
422 free_qh_and_tds(qh, head);
** CID 1612079: Insecure data handling (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/uncore_acpi.c: 149 in acpi_fill_srat()
_____________________________________________________________________________________________
*** CID 1612079: Insecure data handling (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/uncore_acpi.c: 149 in acpi_fill_srat()
143 printk(BIOS_DEBUG, "SRAT: memory_map: %p\n", memory_map);
144
145 /* create all subtables for processors */
146 current = acpi_create_srat_lapics(current);
147 acpi_srat = (acpi_srat_mem_t *)current;
148
>>> CID 1612079: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "memory_map->numberEntries" as a loop boundary.
149 for (int i = 0; i < memory_map->numberEntries; ++i) {
150 const struct SystemMemoryMapElement *e =
&memory_map->Element[i];
151 acpi_fill_srat_memory(&cnt, &acpi_srat[cnt], e);
152 }
153 printk(BIOS_DEBUG, "SRAT: Added %d memory entries\n", cnt);
154
** CID 1612078: Insecure data handling (INTEGER_OVERFLOW)
_____________________________________________________________________________________________
*** CID 1612078: Insecure data handling (INTEGER_OVERFLOW)
/src/mainboard/emulation/qemu-i440fx/mainboard.c: 21 in
qemu_nb_init()
15 static void qemu_nb_init(struct device *dev)
16 {
17 /* Map memory at 0xc0000 - 0xfffff */
18 int i;
19 pci_or_config8(dev, D0F0_PAM(0), 0x30);
20 for (i = 1; i <= 6; i++)
>>> CID 1612078: Insecure data handling (INTEGER_OVERFLOW)
>>> "89 + i", which might have overflowed, is passed to
>>> "pci_write_config8(dev, 89 + i, 51)".
21 pci_write_config8(dev, D0F0_PAM(i), 0x33);
22
23 /* This sneaked in here, because Qemu does not emulate a SuperIO chip.
*/
24 pc_keyboard_init(NO_AUX_DEVICE);
25
26 /* setup IRQ routing */
** CID 1612075: Integer handling issues (BAD_SHIFT)
/src/cpu/x86/mtrr/mtrr.c: 438 in calc_var_mtrr_range()
_____________________________________________________________________________________________
*** CID 1612075: Integer handling issues (BAD_SHIFT)
/src/cpu/x86/mtrr/mtrr.c: 438 in calc_var_mtrr_range()
432 size_msb = __fls64(size);
433
434 /* All MTRR entries need to have their base aligned to
the mask
435 * size. The maximum size is calculated by a function
of the
436 * min base bit set and maximum size bit set. */
437 if (addr_lsb > size_msb)
>>> CID 1612075: Integer handling issues (BAD_SHIFT)
>>> In expression "1ULL << size_msb", left shifting by more than 63 bits
>>> has undefined behavior. The shift amount, "size_msb", is as much as
>>> 4294967294.
438 mtrr_size = 1ULL << size_msb;
439 else
440 mtrr_size = 1ULL << addr_lsb;
441
442 if (var_state->prepare_msrs)
443 prep_var_mtrr(var_state, base, mtrr_size,
mtrr_type);
** CID 1612074: Memory - illegal accesses (OVERRUN)
/util/cbfstool/lzma/C/LzmaEnc.c: 1325 in GetOptimum()
_____________________________________________________________________________________________
*** CID 1612074: Memory - illegal accesses (OVERRUN)
/util/cbfstool/lzma/C/LzmaEnc.c: 1325 in GetOptimum()
1319 for (lenTest = /*2*/ startLen; ; lenTest++)
1320 {
1321 uint32_t curAndLenPrice = normalMatchPrice +
p->lenEnc.prices[posState][lenTest - LZMA_MATCH_LEN_MIN];
1322 uint32_t lenToPosState = GetLenToPosState(lenTest);
1323 struct COptimal *opt;
1324 if (curBack < kNumFullDistances)
>>> CID 1612074: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "p->distancesPrices" of 4 512-byte elements at
>>> element index 4294967294 (byte offset 2199023255039) using index
>>> "lenToPosState" (which evaluates to 4294967294).
1325 curAndLenPrice += p->distancesPrices[lenToPosState][curBack];
1326 else
1327 curAndLenPrice += p->posSlotPrices[lenToPosState][posSlot] +
p->alignPrices[curBack & kAlignMask];
1328
1329 opt = &p->opt[cur + lenTest];
1330 if (curAndLenPrice < opt->price)
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/coreboot?tab=overview
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org
