----- Forwarded message from Tom Rini <tom.r...@gmail.com> ----- Date: Tue, 31 Jan 2023 07:30:23 -0500 From: Tom Rini <tom.r...@gmail.com> To: tr...@konsulko.com Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
On Mon, Jan 30, 2023, 4:15 PM <scan-ad...@coverity.com> wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 18 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 18 of 18 defect(s)
>
>
> ** CID 435669: Control flow issues (MISSING_BREAK)
> /lib/vsprintf.c: 681 in vsnprintf_internal()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435669: Control flow issues (MISSING_BREAK)
> /lib/vsprintf.c: 681 in vsnprintf_internal()
> 675 case 'x':
> 676 flags |= SMALL;
> 677 case 'X':
> 678 base = 16;
> 679 break;
> 680
> >>> CID 435669: Control flow issues (MISSING_BREAK)
> >>> The case for value "'d'" is not terminated by a "break" statement.
> 681 case 'd':
> 682 if (fmt[1] == 'E')
> 683 flags |= ERRSTR;
> 684 case 'i':
> 685 flags |= SIGN;
> 686 case 'u':
>
> ** CID 435668: Insecure data handling (TAINTED_SCALAR)
> /boot/image-fdt.c: 397 in select_fdt()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435668: Insecure data handling (TAINTED_SCALAR)
> /boot/image-fdt.c: 397 in select_fdt()
> 391 return -EFAULT;
> 392 }
> 393
> 394 debug(" Loading FDT from 0x%08lx to
> 0x%08lx\n",
> 395 image_data, load);
> 396
> >>> CID 435668: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "image_get_data_size(fdt_hdr)" to
> "memmove", which uses it as an offset. [Note: The source code
> implementation of the function has been overridden by a builtin model.]
> 397 memmove((void *)load,
> 398 (void *)image_data,
> 399 image_get_data_size(fdt_hdr));
> 400
> 401 fdt_addr = load;
> 402 break;
>
> ** CID 435667: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435667: Memory - corruptions (OVERRUN)
> /lib/zstd/decompress/zstd_decompress.c: 88 in ZSTD_DDictHashSet_getIndex()
> 82 #define DDICT_HASHSET_RESIZE_FACTOR 2
> 83
> 84 /* Hash function to determine starting position of dict insertion
> within the table
> 85 * Returns an index between [0, hashSet->ddictPtrTableSize]
> 86 */
> 87 static size_t ZSTD_DDictHashSet_getIndex(const ZSTD_DDictHashSet*
> hashSet, U32 dictID) {
> >>> CID 435667: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "&dictID" of 4 bytes by passing
> it to a function which accesses it at byte offset 7.
> 88 const U64 hash = xxh64(&dictID, sizeof(U32), 0);
> 89 /* DDict ptr table size is a multiple of 2, use size - 1 as
> mask to get index within [0, hashSet->ddictPtrTableSize) */
> 90 return hash & (hashSet->ddictPtrTableSize - 1);
> 91 }
> 92
> 93 /* Adds DDict to a hashset without resizing it.
>
> ** CID 435666: Insecure data handling (TAINTED_SCALAR)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435666: Insecure data handling (TAINTED_SCALAR)
> /common/command.c: 674 in cmd_source_script()
> 668 ret = image_locate_script(buf, 0, fit_uname, confname,
> &data, &len);
> 669 unmap_sysmem(buf);
> 670 if (ret)
> 671 return CMD_RET_FAILURE;
> 672
> 673 debug("** Script length: %d\n", len);
> >>> CID 435666: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "len" to "run_command_list", which uses
> it as an offset.
> 674 return run_command_list(data, len, 0);
>
> ** CID 435665: (DEADCODE)
> /tools/fit_image.c: 342 in fit_write_images()
> /tools/fit_image.c: 322 in fit_write_images()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435665: (DEADCODE)
> /tools/fit_image.c: 342 in fit_write_images()
> 336 ret = fdt_property_file(params, fdt, FIT_DATA_PROP,
> 337 params->fit_ramdisk);
> 338 if (ret)
> 339 return ret;
> 340 fit_add_hash_or_sign(params, fdt, true);
> 341 if (ret)
> >>> CID 435665: (DEADCODE)
> >>> Execution cannot reach this statement: "return ret;".
> 342 return ret;
> 343 fdt_end_node(fdt);
> 344 }
> 345
> 346 fdt_end_node(fdt);
> 347
> /tools/fit_image.c: 322 in fit_write_images()
> 316 fdt_property_string(fdt, FIT_ARCH_PROP,
> 317
> genimg_get_arch_short_name(params->arch));
> 318 fdt_property_string(fdt, FIT_COMP_PROP,
> 319
> genimg_get_comp_short_name(IH_COMP_NONE));
> 320 fit_add_hash_or_sign(params, fdt, true);
> 321 if (ret)
> >>> CID 435665: (DEADCODE)
> >>> Execution cannot reach this statement: "return ret;".
> 322 return ret;
> 323 fdt_end_node(fdt);
> 324 }
> 325
> 326 /* And a ramdisk file if available */
> 327 if (params->fit_ramdisk) {
>
> ** CID 435664: Insecure data handling (TAINTED_SCALAR)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435664: Insecure data handling (TAINTED_SCALAR)
> /drivers/iommu/iommu-uclass.c: 71 in dev_pci_iommu_enable()
> 65 return ret;
> 66 }
> 67 dev->iommu = dev_iommu;
> 68 break;
> 69 }
> 70
> >>> CID 435664: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "*iommu_map" to "dlfree", which uses it
> as an offset.
> 71 free(iommu_map);
> 72 return 0;
> 73 }
> 74 #endif
> 75
> 76 int dev_iommu_enable(struct udevice *dev)
>
> ** CID 435663: Code maintainability issues (UNUSED_VALUE)
> /boot/bootdev-uclass.c: 703 in bootdev_setup_iter()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435663: Code maintainability issues (UNUSED_VALUE)
> /boot/bootdev-uclass.c: 703 in bootdev_setup_iter()
> 697 iter->labels = bootstd_get_bootdev_order(bootstd,
> &ok);
> 698 if (!ok)
> 699 return log_msg_ret("ord", -ENOMEM);
> 700 log_debug("setup labels %p\n", iter->labels);
> 701 if (iter->labels) {
> 702 iter->cur_label = -1;
> >>> CID 435663: Code maintainability issues (UNUSED_VALUE)
> >>> Assigning value from "bootdev_next_label(iter, &dev,
> &method_flags)" to "ret" here, but that stored value is overwritten before
> it can be used.
> 703 ret = bootdev_next_label(iter, &dev,
> &method_flags);
> 704 } else {
> 705 ret = bootdev_next_prio(iter, &dev);
> 706 method_flags = 0;
> 707 }
> 708 if (!dev)
>
> ** CID 435662: Null pointer dereferences (REVERSE_INULL)
> /boot/scene_menu.c: 385 in scene_menu_display()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435662: Null pointer dereferences (REVERSE_INULL)
> /boot/scene_menu.c: 385 in scene_menu_display()
> 379
> 380 desc = scene_obj_find(scn, item->desc_id,
> SCENEOBJT_TEXT);
> 381 if (desc)
> 382 dstr = expo_get_str(exp, desc->str_id);
> 383
> 384 printf("%3s %3s %-10s %s\n",
> >>> CID 435662: Null pointer dereferences (REVERSE_INULL)
> >>> Null-checking "pointer" suggests that it may be null, but it has
> already been dereferenced on all paths leading to the check.
> 385 pointer && menu->cur_item_id == item->id ?
> pstr : "",
> 386 kstr, lstr, dstr);
> 387 }
> 388
> 389 return -ENOTSUPP;
>
> ** CID 435661: (TAINTED_SCALAR)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435661: (TAINTED_SCALAR)
> /lib/zstd/decompress/huf_decompress.c: 591 in
> HUF_decompress4X1_usingDTable_internal_body()
> 585 DTableDesc const dtd = HUF_getDTableDesc(DTable);
> 586 U32 const dtLog = dtd.tableLog;
> 587 U32 endSignal = 1;
> 588
> 589 if (length4 > cSrcSize) return
> ERROR(corruption_detected); /* overflow */
> 590 if (opStart4 > oend) return ERROR(corruption_detected);
> /* overflow */
> >>> CID 435661: (TAINTED_SCALAR)
> >>> Passing tainted expression "length1" to "BIT_initDStream", which
> uses it as an offset.
> 591 CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
> 592 CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
> 593 CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
> 594 CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
> 595
> 596 /* up to 16 symbols per loop (4 symbols per stream) in
> 64-bit mode */
> /lib/zstd/decompress/huf_decompress.c: 593 in
> HUF_decompress4X1_usingDTable_internal_body()
> 587 U32 endSignal = 1;
> 588
> 589 if (length4 > cSrcSize) return
> ERROR(corruption_detected); /* overflow */
> 590 if (opStart4 > oend) return ERROR(corruption_detected);
> /* overflow */
> 591 CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
> 592 CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
> >>> CID 435661: (TAINTED_SCALAR)
> >>> Passing tainted expression "length3" to "BIT_initDStream", which
> uses it as an offset.
> 593 CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
> 594 CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
> 595
> 596 /* up to 16 symbols per loop (4 symbols per stream) in
> 64-bit mode */
> 597 if ((size_t)(oend - op4) >= sizeof(size_t)) {
> 598 for ( ; (endSignal) & (op4 < olimit) ; ) {
> /lib/zstd/decompress/huf_decompress.c: 592 in
> HUF_decompress4X1_usingDTable_internal_body()
> 586 U32 const dtLog = dtd.tableLog;
> 587 U32 endSignal = 1;
> 588
> 589 if (length4 > cSrcSize) return
> ERROR(corruption_detected); /* overflow */
> 590 if (opStart4 > oend) return ERROR(corruption_detected);
> /* overflow */
> 591 CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
> >>> CID 435661: (TAINTED_SCALAR)
> >>> Passing tainted expression "length2" to "BIT_initDStream", which
> uses it as an offset.
> 592 CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
> 593 CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
> 594 CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
> 595
> 596 /* up to 16 symbols per loop (4 symbols per stream) in
> 64-bit mode */
> 597 if ((size_t)(oend - op4) >= sizeof(size_t)) {
>
> ** CID 435660: (PRINTF_ARGS)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435660: (PRINTF_ARGS)
> /test/cmd/exit.c: 69 in cmd_exit_test()
> 63 ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz'
> ; run foo ; echo $?", i));
> 64 ut_assert_nextline("bar");
> 65 ut_assert_nextline("0");
> 66 ut_assertok(ut_check_console_end(uts));
> 67
> 68 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 69 ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz'
> ; run foo && echo quux ; echo $?", i));
> 70 ut_assert_nextline("bar");
> 71 ut_assert_nextline("quux");
> 72 ut_assert_nextline("0");
> 73 ut_assertok(ut_check_console_end(uts));
> 74
> /test/cmd/exit.c: 104 in cmd_exit_test()
> 98 ut_assert_nextline("bar");
> 99 /* The 'true' returns 0 */
> 100 ut_assert_nextline("0");
> 101 ut_assertok(ut_check_console_end(uts));
> 102
> 103 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 104 ut_assertok(run_commandf("setenv foo 'echo bar ; false' ;
> run foo ; echo $?", i));
> 105 ut_assert_nextline("bar");
> 106 ut_assert_nextline("1");
> 107 ut_assertok(ut_check_console_end(uts));
> 108
> 109 ut_assertok(console_record_reset_enable());
> /test/cmd/exit.c: 110 in cmd_exit_test()
> 104 ut_assertok(run_commandf("setenv foo 'echo bar ; false' ;
> run foo ; echo $?", i));
> 105 ut_assert_nextline("bar");
> 106 ut_assert_nextline("1");
> 107 ut_assertok(ut_check_console_end(uts));
> 108
> 109 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 110 ut_assertok(run_commandf("setenv foo 'echo bar ; false' ;
> run foo && echo quux ; echo $?", i));
> 111 ut_assert_nextline("bar");
> 112 ut_assert_nextline("1");
> 113 ut_assertok(ut_check_console_end(uts));
> 114
> 115 ut_assertok(console_record_reset_enable());
> /test/cmd/exit.c: 63 in cmd_exit_test()
> 57 ut_assert_nextline("0");
> 58 ut_assertok(ut_check_console_end(uts));
> 59 }
> 60
> 61 /* Validate that 'exit' behaves the same way as 'exit 0' */
> 62 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 63 ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz'
> ; run foo ; echo $?", i));
> 64 ut_assert_nextline("bar");
> 65 ut_assert_nextline("0");
> 66 ut_assertok(ut_check_console_end(uts));
> 67
> 68 ut_assertok(console_record_reset_enable());
> /test/cmd/exit.c: 84 in cmd_exit_test()
> 78 /* Either 'exit' returns 0, or 'echo quux' returns 0 */
> 79 ut_assert_nextline("0");
> 80 ut_assertok(ut_check_console_end(uts));
> 81
> 82 /* Validate that return value still propagates from 'run' command
> */
> 83 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 84 ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo ;
> echo $?", i));
> 85 ut_assert_nextline("bar");
> 86 ut_assert_nextline("0");
> 87 ut_assertok(ut_check_console_end(uts));
> 88
> 89 ut_assertok(console_record_reset_enable());
> /test/cmd/exit.c: 116 in cmd_exit_test()
> 110 ut_assertok(run_commandf("setenv foo 'echo bar ; false' ;
> run foo && echo quux ; echo $?", i));
> 111 ut_assert_nextline("bar");
> 112 ut_assert_nextline("1");
> 113 ut_assertok(ut_check_console_end(uts));
> 114
> 115 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 116 ut_assertok(run_commandf("setenv foo 'echo bar ; false' ;
> run foo || echo quux ; echo $?", i));
> 117 ut_assert_nextline("bar");
> 118 ut_assert_nextline("quux");
> 119 /* The 'echo quux' returns 0 */
> 120 ut_assert_nextline("0");
> 121 ut_assertok(ut_check_console_end(uts));
> /test/cmd/exit.c: 76 in cmd_exit_test()
> 70 ut_assert_nextline("bar");
> 71 ut_assert_nextline("quux");
> 72 ut_assert_nextline("0");
> 73 ut_assertok(ut_check_console_end(uts));
> 74
> 75 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 76 ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz'
> ; run foo || echo quux ; echo $?", i));
> 77 ut_assert_nextline("bar");
> 78 /* Either 'exit' returns 0, or 'echo quux' returns 0 */
> 79 ut_assert_nextline("0");
> 80 ut_assertok(ut_check_console_end(uts));
> 81
> /test/cmd/exit.c: 90 in cmd_exit_test()
> 84 ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo ;
> echo $?", i));
> 85 ut_assert_nextline("bar");
> 86 ut_assert_nextline("0");
> 87 ut_assertok(ut_check_console_end(uts));
> 88
> 89 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 90 ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo
> && echo quux ; echo $?", i));
> 91 ut_assert_nextline("bar");
> 92 ut_assert_nextline("quux");
> 93 ut_assert_nextline("0");
> 94 ut_assertok(ut_check_console_end(uts));
> 95
> /test/cmd/exit.c: 97 in cmd_exit_test()
> 91 ut_assert_nextline("bar");
> 92 ut_assert_nextline("quux");
> 93 ut_assert_nextline("0");
> 94 ut_assertok(ut_check_console_end(uts));
> 95
> 96 ut_assertok(console_record_reset_enable());
> >>> CID 435660: (PRINTF_ARGS)
> >>> This argument was not used by the format string: "i".
> 97 ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo
> || echo quux ; echo $?", i));
> 98 ut_assert_nextline("bar");
> 99 /* The 'true' returns 0 */
> 100 ut_assert_nextline("0");
> 101 ut_assertok(ut_check_console_end(uts));
> 102
>
> ** CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /cmd/eficonfig.c: 429 in eficonfig_process_common()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /cmd/eficonfig.c: 429 in eficonfig_process_common()
> 423 struct menu *menu;
> 424 void *choice = NULL;
> 425 struct list_head *pos, *n;
> 426 struct eficonfig_entry *entry;
> 427 efi_status_t ret = EFI_SUCCESS;
> 428
> >>> CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> >>> "efi_menu->count > 2147483647 /* (int)(~0U >> 1) */" is always
> false regardless of the values of its operands. This occurs as the logical
> operand of "if".
> 429 if (efi_menu->count > EFICONFIG_ENTRY_NUM_MAX)
> 430 return EFI_OUT_OF_RESOURCES;
> 431
> 432 efi_menu->delay = -1;
> 433 efi_menu->active = 0;
> 434 efi_menu->start = 0;
>
> ** CID 435658: Insecure data handling (TAINTED_SCALAR)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435658: Insecure data handling (TAINTED_SCALAR)
> /cmd/ximg.c: 256 in do_imgextract()
> 250 puts("OK\n");
> 251 }
> 252
> 253 flush_cache(dest, ALIGN(len, ARCH_DMA_MINALIGN));
> 254
> 255 env_set_hex("fileaddr", data);
> >>> CID 435658: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "len" to "env_set_hex", which uses it
> as an offset.
> 256 env_set_hex("filesize", len);
> 257
> 258 return 0;
> 259 }
> 260
> 261 #ifdef CONFIG_SYS_LONGHELP
>
> ** CID 435657: Integer handling issues (NEGATIVE_RETURNS)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435657: Integer handling issues (NEGATIVE_RETURNS)
> /fs/squashfs/sqfs_decompressor.c: 146 in sqfs_decompress()
> 140 break;
> 141 #endif
> 142 #if IS_ENABLED(CONFIG_ZSTD)
> 143 case SQFS_COMP_ZSTD:
> 144 ret = sqfs_zstd_decompress(ctxt, dest, *dest_len,
> source, src_len);
> 145 if (ret) {
> >>> CID 435657: Integer handling issues (NEGATIVE_RETURNS)
> >>> "ret" is passed to a parameter that cannot be negative.
> 146 printf("ZSTD Error code: %d\n",
> zstd_get_error_code(ret));
> 147 return -EINVAL;
> 148 }
> 149
> 150 break;
> 151 #endif
>
> ** CID 435656: Code maintainability issues (UNUSED_VALUE)
> /boot/bootdev-uclass.c: 705 in bootdev_setup_iter()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435656: Code maintainability issues (UNUSED_VALUE)
> /boot/bootdev-uclass.c: 705 in bootdev_setup_iter()
> 699 return log_msg_ret("ord", -ENOMEM);
> 700 log_debug("setup labels %p\n", iter->labels);
> 701 if (iter->labels) {
> 702 iter->cur_label = -1;
> 703 ret = bootdev_next_label(iter, &dev,
> &method_flags);
> 704 } else {
> >>> CID 435656: Code maintainability issues (UNUSED_VALUE)
> >>> Assigning value from "bootdev_next_prio(iter, &dev)" to "ret"
> here, but that stored value is overwritten before it can be used.
> 705 ret = bootdev_next_prio(iter, &dev);
> 706 method_flags = 0;
> 707 }
> 708 if (!dev)
> 709 return log_msg_ret("fin", -ENOENT);
> 710 log_debug("Selected bootdev: %s\n", dev->name);
>
> ** CID 435655: Error handling issues (CHECKED_RETURN)
> /boot/scene.c: 219 in scene_obj_set_pos()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435655: Error handling issues (CHECKED_RETURN)
> /boot/scene.c: 219 in scene_obj_set_pos()
> 213 obj = scene_obj_find(scn, id, SCENEOBJT_NONE);
> 214 if (!obj)
> 215 return log_msg_ret("find", -ENOENT);
> 216 obj->x = x;
> 217 obj->y = y;
> 218 if (obj->type == SCENEOBJT_MENU)
> >>> CID 435655: Error handling issues (CHECKED_RETURN)
> >>> Calling "scene_menu_arrange" without checking return value (as is
> done elsewhere 4 out of 5 times).
> 219 scene_menu_arrange(scn, (struct scene_obj_menu
> *)obj);
> 220
> 221 return 0;
> 222 }
> 223
> 224 int scene_obj_set_hide(struct scene *scn, uint id, bool hide)
>
> ** CID 435654: Null pointer dereferences (NULL_RETURNS)
> /boot/scene_menu.c: 365 in scene_menu_display()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435654: Null pointer dereferences (NULL_RETURNS)
> /boot/scene_menu.c: 365 in scene_menu_display()
> 359 }
> 360
> 361 if (list_empty(&menu->item_head))
> 362 return 0;
> 363
> 364 pointer = scene_obj_find(scn, menu->pointer_id,
> SCENEOBJT_TEXT);
> >>> CID 435654: Null pointer dereferences (NULL_RETURNS)
> >>> Dereferencing "pointer", which is known to be "NULL".
> 365 pstr = expo_get_str(scn->expo, pointer->str_id);
> 366
> 367 list_for_each_entry(item, &menu->item_head, sibling) {
> 368 struct scene_obj_txt *key = NULL, *label = NULL;
> 369 struct scene_obj_txt *desc = NULL;
> 370 const char *kstr = NULL, *lstr = NULL, *dstr =
> NULL;
>
> ** CID 435653: Code maintainability issues (UNUSED_VALUE)
> /boot/scene.c: 290 in scene_obj_render()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 435653: Code maintainability issues (UNUSED_VALUE)
> /boot/scene.c: 290 in scene_obj_render()
> 284 struct expo *exp = scn->expo;
> 285 struct udevice *cons, *dev = exp->display;
> 286 int x, y, ret;
> 287
> 288 cons = NULL;
> 289 if (!text_mode) {
> >>> CID 435653: Code maintainability issues (UNUSED_VALUE)
> >>> Assigning value from "device_find_first_child_by_uclass(dev,
> UCLASS_VIDEO_CONSOLE, &cons)" to "ret" here, but that stored value is
> overwritten before it can be used.
> 290 ret = device_find_first_child_by_uclass(dev,
> 291
> UCLASS_VIDEO_CONSOLE,
> 292 &cons);
> 293 }
> 294
> 295 x = obj->x;
>
> ** CID 188663: Control flow issues (DEADCODE)
> /lib/zstd/decompress/zstd_decompress_block.c: 1989 in
> ZSTD_decompressBlock_internal()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 188663: Control flow issues (DEADCODE)
> /lib/zstd/decompress/zstd_decompress_block.c: 1989 in
> ZSTD_decompressBlock_internal()
> 1983 /* isLongOffset must be true if there are long offsets.
> 1984 * Offsets are long if they are larger than
> 2^STREAM_ACCUMULATOR_MIN.
> 1985 * We don't expect that to be the case in 64-bit mode.
> 1986 * In block mode, window size is not known, so we have to be
> conservative.
> 1987 * (note: but it could be evaluated from current-lowLimit)
> 1988 */
> >>> CID 188663: Control flow issues (DEADCODE)
> >>> Execution cannot reach the expression "57" inside this statement:
> "isLongOffset = (ZSTD_longOf...".
> 1989 ZSTD_longOffset_e const isLongOffset =
> (ZSTD_longOffset_e)(MEM_32bits() && (!frame || (dctx->fParams.windowSize >
> (1ULL << STREAM_ACCUMULATOR_MIN))));
> 1990 DEBUGLOG(5, "ZSTD_decompressBlock_internal (size : %u)",
> (U32)srcSize);
> 1991
> 1992 RETURN_ERROR_IF(srcSize >= ZSTD_BLOCKSIZE_MAX, srcSize_wrong,
> "");
> 1993
> 1994 /* Decode literals section */
>
>
>
----- End forwarded message -----
--
Tom
signature.asc
Description: PGP signature
