last coverity bugs #1166

Closed
Tracked by #2029
radare opened this issue Jun 5, 2018 · 1 comment

radare commented Jun 5, 2018

Hi,

Please find the latest report on new defect(s) introduced to radare2 found with Coverity Scan.

9 new defect(s) introduced to radare2 found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 1384363:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1384363:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/shlr/capstone/arch/M680X/M680XDisassembler.c: 796 in is_sufficient_code_size()
790     		case idx09_hid:
791     			insn_description->insn_size += 1;
792     
793     			if (!read_byte(info, &ir, address++))
794     				retval = false;
795     			else
   CID 1384363:  Memory - corruptions  (ARRAY_VS_SINGLETON)
   Passing "&address" to function "is_indexed09_post_byte_valid" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
796     				retval = is_indexed09_post_byte_valid(info,
797     						&address, ir, insn_description);
798     
799     			break;
800     
801     		case idx12s_hid:

** CID 1374336:  Memory - illegal accesses  (OVERRUN)
/shlr/capstone/arch/TMS320C64x/TMS320C64xMapping.c: 1748 in TMS320C64x_insn_name()


________________________________________________________________________________________________________
*** CID 1374336:  Memory - illegal accesses  (OVERRUN)
/shlr/capstone/arch/TMS320C64x/TMS320C64xMapping.c: 1748 in TMS320C64x_insn_name()
1742     	// handle special alias first
1743     	for (i = 0; i < ARR_SIZE(alias_insn_names); i++) {
1744     		if (alias_insn_names[i].id == id)
1745     			return alias_insn_names[i].name;
1746     	}
1747     
   CID 1374336:  Memory - illegal accesses  (OVERRUN)
   Overrunning array "insn_name_maps" of 3 16-byte elements at element index 144 (byte offset 2304) using index "id" (which evaluates to 144).
1748     	return insn_name_maps[id].name;
1749     #else
1750     	return NULL;
1751     #endif
1752     }
1753     

** CID 1374332:  Memory - illegal accesses  (OVERRUN)
/shlr/capstone/arch/TMS320C64x/TMS320C64xMapping.c: 1779 in TMS320C64x_group_name()


________________________________________________________________________________________________________
*** CID 1374332:  Memory - illegal accesses  (OVERRUN)
/shlr/capstone/arch/TMS320C64x/TMS320C64xMapping.c: 1779 in TMS320C64x_group_name()
1773     
1774     	for (i = 0; i < ARR_SIZE(group_name_maps); i++) {
1775     		if (group_name_maps[i].id == id)
1776     			return group_name_maps[i].name;
1777     	}
1778     
   CID 1374332:  Memory - illegal accesses  (OVERRUN)
   Overrunning array "group_name_maps" of 7 16-byte elements at element index 132 (byte offset 2112) using index "id" (which evaluates to 132).
1779     	return group_name_maps[id].name;
1780     #else
1781     	return NULL;
1782     #endif
1783     }
1784     

** CID 1374330:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/TMS320C64x/TMS320C64xDisassembler.c: 291 in DecodeMemOperandSc()


________________________________________________________________________________________________________
*** CID 1374330:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/TMS320C64x/TMS320C64xDisassembler.c: 291 in DecodeMemOperandSc()
285     		case 12:
286     		case 13:
287     		case 14:
288     		case 15:
289     			if((offset >= TMS320C64X_REG_A0) && (offset <= TMS320C64X_REG_A31))
290     				offset = (offset - TMS320C64X_REG_A0 + TMS320C64X_REG_B0);
   CID 1374330:  Control flow issues  (DEADCODE)
   Execution cannot reach the expression "offset <= TMS320C64X_REG_B31" inside this statement: "if (offset >= TMS320C64X_RE...".
291     			else if((offset >= TMS320C64X_REG_B0) && (offset <= TMS320C64X_REG_B31))
292     				offset = (offset - TMS320C64X_REG_B0 + TMS320C64X_REG_A0);
293     			offsetreg = getReg(GPRegsDecoderTable, offset);
294     			MCOperand_CreateImm0(Inst, (scaled << 19) | (basereg << 12) | (offsetreg << 5) | (mode << 1) | unit);
295     			break;
296     		default:

** CID 1374328:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/TMS320C64x/TMS320C64xDisassembler.c: 270 in DecodeMemOperandSc()


________________________________________________________________________________________________________
*** CID 1374328:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/TMS320C64x/TMS320C64xDisassembler.c: 270 in DecodeMemOperandSc()
264     	offset = (Val >> 5) & 0x1f;
265     	mode = (Val >> 1) & 0xf;
266     	unit = Val & 1;
267     
268     	if((base >= TMS320C64X_REG_A0) && (base <= TMS320C64X_REG_A31))
269     		base = (base - TMS320C64X_REG_A0 + TMS320C64X_REG_B0);
   CID 1374328:  Control flow issues  (DEADCODE)
   Execution cannot reach the expression "base <= TMS320C64X_REG_B31" inside this statement: "if (base >= TMS320C64X_REG_...".
270     	else if((base >= TMS320C64X_REG_B0) && (base <= TMS320C64X_REG_B31))
271     		base = (base - TMS320C64X_REG_B0 + TMS320C64X_REG_A0);
272     	basereg = getReg(GPRegsDecoderTable, base);
273     
274     	switch(mode) {
275     		case 0:

** CID 1232750:  API usage errors  (SWAPPED_ARGUMENTS)


________________________________________________________________________________________________________
*** CID 1232750:  API usage errors  (SWAPPED_ARGUMENTS)
/shlr/capstone/arch/XCore/XCoreDisassembler.c: 338 in DecodeR2RInstruction()
332     }
333     
334     static DecodeStatus DecodeR2RInstruction(MCInst *Inst, unsigned Insn, uint64_t Address,
335     		void *Decoder)
336     {
337     	unsigned Op1, Op2;
   CID 1232750:  API usage errors  (SWAPPED_ARGUMENTS)
   The positions of arguments in the call to "Decode2OpInstruction" do not match the ordering of the parameters:
* "&Op2" is passed to "Op1"
* "&Op1" is passed to "Op2"
338     	DecodeStatus S = Decode2OpInstruction(Insn, &Op2, &Op1);
339     	if (S != MCDisassembler_Success)
340     		return Decode2OpInstructionFail(Inst, Insn, Address, Decoder);
341     
342     	DecodeGRRegsRegisterClass(Inst, Op1, Address, Decoder);
343     	DecodeGRRegsRegisterClass(Inst, Op2, Address, Decoder);

** CID 1222735:  Incorrect expression  (MIXED_ENUMS)
/shlr/capstone/arch/ARM/ARMInstPrinter.c: 1025 in printAM2PreOrOffsetIndexOp()


________________________________________________________________________________________________________
*** CID 1222735:  Incorrect expression  (MIXED_ENUMS)
/shlr/capstone/arch/ARM/ARMInstPrinter.c: 1025 in printAM2PreOrOffsetIndexOp()
1019     			SStream_concat0(O, ", ");
1020     			if (tmp > HEX_THRESHOLD)
1021     				SStream_concat(O, "#%s0x%x", ARM_AM_getAddrOpcStr(subtracted), tmp);
1022     			else
1023     				SStream_concat(O, "#%s%u", ARM_AM_getAddrOpcStr(subtracted), tmp);
1024     			if (MI->csh->detail) {
   CID 1222735:  Incorrect expression  (MIXED_ENUMS)
   Mixing enum types "enum arm_shifter" and "enum ARM_AM_AddrOpc" for "type".
1025     				MI->flat_insn->detail->arm.operands[MI->flat_insn->detail->arm.op_count].shift.type = (arm_shifter)getAM2Op((unsigned int)MCOperand_getImm(MO3));
1026     				MI->flat_insn->detail->arm.operands[MI->flat_insn->detail->arm.op_count].shift.value = tmp;
1027     				MI->flat_insn->detail->arm.operands[MI->flat_insn->detail->arm.op_count].subtracted = subtracted == ARM_AM_sub;
1028     			}
1029     		}
1030     		SStream_concat0(O, "]");

** CID 1216470:  Security best practices violations  (STRING_OVERFLOW)
/shlr/capstone/arch/XCore/XCoreInstPrinter.c: 54 in XCore_insn_extract()


________________________________________________________________________________________________________
*** CID 1216470:  Security best practices violations  (STRING_OVERFLOW)
/shlr/capstone/arch/XCore/XCoreInstPrinter.c: 54 in XCore_insn_extract()
48     void XCore_insn_extract(MCInst *MI, const char *code)
49     {
50     	int id;
51     	char *p, *p2;
52     	char tmp[128];
53     
   CID 1216470:  Security best practices violations  (STRING_OVERFLOW)
   You might overrun the 128-character fixed-size string "tmp" by copying "code" without checking the length.
54     	strcpy(tmp, code); // safe because code is way shorter than 128 bytes
55     
56     	// find the first space
57     	p = strchr(tmp, ' ');
58     	if (p) {
59     		p++;

** CID 1196399:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/ARM/ARMInstPrinter.c: 2087 in printAddrModeImm12Operand()


________________________________________________________________________________________________________
*** CID 1196399:  Control flow issues  (DEADCODE)
/shlr/capstone/arch/ARM/ARMInstPrinter.c: 2087 in printAddrModeImm12Operand()
2081     		if (OffImm >= 0) {
2082     			if (OffImm > HEX_THRESHOLD)
2083     				SStream_concat(O, ", #0x%x", OffImm);
2084     			else
2085     				SStream_concat(O, ", #%u", OffImm);
2086     		} else {
   CID 1196399:  Control flow issues  (DEADCODE)
   Execution cannot reach this statement: "if (OffImm < -9) SStream_...".
2087     			if (OffImm < -HEX_THRESHOLD)
2088     				SStream_concat(O, ", #-0x%x", -OffImm);
2089     			else
2090     				SStream_concat(O, ", #-%u", -OffImm);
2091     		}
2092     	}


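Two of the findings above (the unchecked `insn_name_maps[id]` / `group_name_maps[id]` index in TMS320C64xMapping.c and the `strcpy(tmp, code)` into a 128-byte stack buffer in XCoreInstPrinter.c) share a root cause: a lookup or copy whose safety rests on a comment rather than a check. The block below is an added example written for this page, not capstone's code or a fix from the commits referenced here. The tables `alias_insn_names` / `insn_name_maps` and the function names are invented so the block runs stand-alone; the 3-entry id-indexed table deliberately mirrors the "array of 3 elements" Coverity reports, so any id of 3 or more would overrun it.

```c
// Added example, not capstone's code. Tables and names are hypothetical.
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ARR_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { unsigned id; const char *name; } name_map;

// Constructed tables. The id-indexed table has 3 entries, like the
// insn_name_maps in the report, so ids >= 3 must never be used as an index.
static const name_map alias_insn_names[] = {
    { 144, "nop" },                 // alias id that exists only here
};
static const name_map insn_name_maps[] = {
    { 0, "invalid" }, { 1, "add" }, { 2, "sub" },
};

// CID 1374336 / 1374332 pattern, variant A: keep the O(1) direct index,
// but bounds-check it before touching the table.
const char *insn_name_checked(unsigned id)
{
    size_t i;
    for (i = 0; i < ARR_SIZE(alias_insn_names); i++)
        if (alias_insn_names[i].id == id)
            return alias_insn_names[i].name;
    if (id >= ARR_SIZE(insn_name_maps))
        return NULL;                // original: unchecked insn_name_maps[id]
    return insn_name_maps[id].name;
}

// Variant B: search by id instead of indexing by it. Slower, but correct
// even if the table is sparse or unordered (the same loop shape the
// group_name code already uses for its alias pass).
const char *insn_name_search(unsigned id)
{
    size_t i;
    for (i = 0; i < ARR_SIZE(alias_insn_names); i++)
        if (alias_insn_names[i].id == id)
            return alias_insn_names[i].name;
    for (i = 0; i < ARR_SIZE(insn_name_maps); i++)
        if (insn_name_maps[i].id == id)
            return insn_name_maps[i].name;
    return NULL;
}

// CID 1216470 pattern: the original does strcpy(tmp, code) into
// char tmp[128] and justifies it with a comment. This version measures
// first, refuses input that does not fit, and then splits the text at
// the first space into mnemonic and operands using explicit lengths.
bool insn_extract_bounded(const char *code, char *mnem, size_t mnem_len,
                          char *ops, size_t ops_len)
{
    char tmp[128];
    size_t len = strlen(code);
    const char *p;

    if (len >= sizeof(tmp))         // would have overflowed tmp
        return false;
    memcpy(tmp, code, len + 1);     // length verified, NUL included

    p = strchr(tmp, ' ');
    if (p) {
        size_t mlen = (size_t)(p - tmp);
        size_t olen = len - mlen - 1;
        if (mlen >= mnem_len || olen >= ops_len)
            return false;           // caller's buffers too small
        memcpy(mnem, tmp, mlen);
        mnem[mlen] = '\0';
        memcpy(ops, p + 1, olen + 1);
    } else {
        if (len >= mnem_len || ops_len == 0)
            return false;
        memcpy(mnem, tmp, len + 1);
        ops[0] = '\0';              // no operands
    }
    return true;
}
```

The bounds check in variant A only works if the table really is laid out so that index equals id; when that invariant is not guaranteed by the generator, variant B is the one to keep. For the copy, the point is not `memcpy` versus `strcpy` but that the length is measured and rejected before any write happens, so a longer-than-expected `code` string becomes a `false` return instead of a stack overwrite.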
aladur added a commit to aladur/capstone that referenced this issue Mar 20, 2019
- Avoid address increment by pass-by-pointer parameter.
- Code cleanup: single responsibility where and who
  calculates the instruction byte size.
aquynh pushed a commit that referenced this issue Mar 21, 2019 (same commit message as above)
aquynh pushed a commit that referenced this issue Mar 21, 2019 (same commit message as above)
Rot127 commented Aug 13, 2024

With #2437 merged, I close this, since we get another bunch of defects to fix now.
Tracking them now in #2438.

@Rot127 Rot127 closed this as completed Aug 13, 2024