Running it through Coverity I get the following issues, so I'm lazily reporting them in here ^^
scan-admin@coverity.com 19:45 (19 minutes ago) to me Hi, Please find the latest report on new defect(s) introduced to radare2 found with Coverity Scan. 18 new defect(s) introduced to radare2 found with Coverity Scan. 4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 18 of 18 defect(s) ** CID 1563181: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1563181: Memory - corruptions (OVERRUN) /shlr/qjs/src/quickjs.c: 47178 in js_set_union() 47172 for (;;) { 47173 item = JS_IteratorNext(ctx, iter, next, 0, NULL, &done); 47174 if (JS_IsException(item)) 47175 goto exception; 47176 if (done) // item is JS_UNDEFINED 47177 break; >>> CID 1563181: Memory - corruptions (OVERRUN) >>> Overrunning struct type JSValue of 1 16-byte elements by passing it to a function which accesses it at element index 1 (byte offset 31). 47178 rv = js_map_set(ctx, newset, 1, &item, MAGIC_SET); 47179 JS_FreeValue(ctx, item); 47180 if (JS_IsException(rv)) 47181 goto exception; 47182 JS_FreeValue(ctx, rv); 47183 } ** CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /shlr/qjs/src/cutils.c: 768 in u64toa_radix() ________________________________________________________________________________________________________ *** CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /shlr/qjs/src/cutils.c: 768 in u64toa_radix() 762 if (shift) { 763 if (n < base) { 764 buf[0] = digits36[n]; 765 buf[1] = '\0'; 766 return 1; 767 } >>> CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN) >>> Potentially overflowing expression "1 << shift" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned). 
768 uint64_t mask = (1 << shift) - 1; 769 size_t len = (64 - clz64(n) + shift - 1) / shift; 770 size_t last = n & mask; 771 char *end = buf + len; 772 n >>= shift; 773 *end-- = '\0'; ** CID 1563179: Error handling issues (CHECKED_RETURN) /libr/lang/p/qjs.c: 665 in qjs_r2pipe_open() ________________________________________________________________________________________________________ *** CID 1563179: Error handling issues (CHECKED_RETURN) /libr/lang/p/qjs.c: 665 in qjs_r2pipe_open() 659 if (JS_IsArray (ctx, argv[1])) { 660 int i; 661 RStrBuf *sb = r_strbuf_new (""); 662 JSValue array = argv[1]; 663 ut32 array_length; 664 JSValue v = JS_GetPropertyStr (ctx, array, "length"); >>> CID 1563179: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times). 665 JS_ToUint32 (ctx, &array_length, v); 666 for (i = 0; i < array_length; i++) { 667 v = JS_GetPropertyUint32 (ctx, array, i); 668 size_t plen; 669 const char *n = JS_ToCStringLen2 (ctx, &plen, v, false); 670 r_strbuf_append (sb, n); ** CID 1563178: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 1563178: Insecure data handling (INTEGER_OVERFLOW) /shlr/qjs/src/quickjs.c: 11435 in js_dtoa() 11429 exp = quo; 11430 } 11431 start[i] = (char)('0' + exp); 11432 11433 done: 11434 start[-1] = '-'; /* prepend the sign if negative */ >>> CID 1563178: Insecure data handling (INTEGER_OVERFLOW) >>> "len + sign", which might have underflowed, is passed to "js_new_string8_len(ctx, start - sign, len + sign)". 
11435 return js_new_string8_len(ctx, start - sign, len + sign); 11436 } 11437 11438 /* `js_dtoa_radix`: convert a floating point number using a specific base 11439 - `d` must be finite 11440 - `radix` must be in range 2..36 ** CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW) /shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed() ________________________________________________________________________________________________________ *** CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW) /shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed() 40763 JS_FreeValue(ctx, str); 40764 if (JS_IsException(ret)) 40765 return JS_EXCEPTION; 40766 40767 p = JS_VALUE_GET_STRING(ret); 40768 for (i = 0, n = p->len; i < n; i++) { >>> CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW) >>> "i", which might have underflowed, is passed to "p->u.str16[i]". 40769 c = p->u.str16[i]; 40770 if (!is_surrogate(c)) 40771 continue; 40772 if (is_lo_surrogate(c) || i + 1 == n) { 40773 p->u.str16[i] = 0xFFFD; 40774 continue; ** CID 1563176: (TAINTED_SCALAR) /shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode() /shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode() /shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode() /shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode() ________________________________________________________________________________________________________ *** CID 1563176: (TAINTED_SCALAR) /shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode() 34597 if (is_be()) 34598 bc_byte_swap(bc_buf, bc_len); 34599 34600 pos = 0; 34601 while (pos < bc_len) { 34602 op = bc_buf[pos]; >>> CID 1563176: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 
34603 len = short_opcode_info(op).size; 34604 switch(short_opcode_info(op).fmt) { 34605 case OP_FMT_atom: 34606 case OP_FMT_atom_u8: 34607 case OP_FMT_atom_u16: 34608 case OP_FMT_atom_label_u8: /shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode() 34598 bc_byte_swap(bc_buf, bc_len); 34599 34600 pos = 0; 34601 while (pos < bc_len) { 34602 op = bc_buf[pos]; 34603 len = short_opcode_info(op).size; >>> CID 1563176: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 34604 switch(short_opcode_info(op).fmt) { 34605 case OP_FMT_atom: 34606 case OP_FMT_atom_u8: 34607 case OP_FMT_atom_u16: 34608 case OP_FMT_atom_label_u8: 34609 case OP_FMT_atom_label_u16: /shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode() 34598 bc_byte_swap(bc_buf, bc_len); 34599 34600 pos = 0; 34601 while (pos < bc_len) { 34602 op = bc_buf[pos]; 34603 len = short_opcode_info(op).size; >>> CID 1563176: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 34604 switch(short_opcode_info(op).fmt) { 34605 case OP_FMT_atom: 34606 case OP_FMT_atom_u8: 34607 case OP_FMT_atom_u16: 34608 case OP_FMT_atom_label_u8: 34609 case OP_FMT_atom_label_u16: /shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode() 34597 if (is_be()) 34598 bc_byte_swap(bc_buf, bc_len); 34599 34600 pos = 0; 34601 while (pos < bc_len) { 34602 op = bc_buf[pos]; >>> CID 1563176: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 
34603 len = short_opcode_info(op).size; 34604 switch(short_opcode_info(op).fmt) { 34605 case OP_FMT_atom: 34606 case OP_FMT_atom_u8: 34607 case OP_FMT_atom_u16: 34608 case OP_FMT_atom_label_u8: ** CID 1563175: Control flow issues (DEADCODE) /shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint() ________________________________________________________________________________________________________ *** CID 1563175: Control flow issues (DEADCODE) /shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint() 12220 switch(op) { 12221 case OP_inc: 12222 case OP_dec: 12223 v = 2 * (op - OP_dec) - 1; 12224 ret = bf_add_si(r, a, v, BF_PREC_INF, BF_RNDZ); 12225 break; >>> CID 1563175: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "case OP_plus:". 12226 case OP_plus: 12227 ret = bf_set(r, a); 12228 break; 12229 case OP_neg: 12230 ret = bf_set(r, a); 12231 bf_neg(r); ** CID 1563174: Insecure data handling (TAINTED_SCALAR) /shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap() ________________________________________________________________________________________________________ *** CID 1563174: Insecure data handling (TAINTED_SCALAR) /shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap() 2577 inplace_bswap32(&p[9]); 2578 inplace_bswap32(&p[13]); 2579 break; 2580 default: 2581 abort(); 2582 } >>> CID 1563174: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "n" as an index to pointer "p". 
2583 p = &p[n]; 2584 } 2585 } 2586 2587 #ifdef TEST 2588 ** CID 1563173: Memory - illegal accesses (OVERRUN) ________________________________________________________________________________________________________ *** CID 1563173: Memory - illegal accesses (OVERRUN) /shlr/qjs/src/quickjs.c: 53785 in JS_IsEqual() 53779 } 53780 53781 /* Equality comparisons and sameness */ 53782 int JS_IsEqual(JSContext *ctx, JSValue op1, JSValue op2) 53783 { 53784 JSValue sp[2] = { js_dup(op1), js_dup(op2) }; >>> CID 1563173: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 32 bytes at byte offset 32 by dereferencing pointer "sp + 2UL". 53785 if (js_eq_slow(ctx, endof(sp), 0)) 53786 return -1; 53787 return JS_VALUE_GET_BOOL(sp[0]); 53788 } 53789 53790 JS_BOOL JS_IsStrictEqual(JSContext *ctx, JSValue op1, JSValue op2) ** CID 1563172: Control flow issues (DEADCODE) /shlr/qjs/src/cutils.c: 672 in u64toa() ________________________________________________________________________________________________________ *** CID 1563172: Control flow issues (DEADCODE) /shlr/qjs/src/cutils.c: 672 in u64toa() 666 len = u07toa_shift(buf, n1, len); 667 } else { 668 len = u7toa_shift(buf, n1); 669 } 670 return u07toa_shift(buf, n, len); 671 } >>> CID 1563172: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return u7toa_shift(buf, n);". 
672 return u7toa_shift(buf, n); 673 } 674 675 size_t i32toa(char buf[minimum_length(12)], int32_t n) 676 { 677 if (likely(n >= 0)) ** CID 1563171: Resource leaks (RESOURCE_LEAK) /libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd() ________________________________________________________________________________________________________ *** CID 1563171: Resource leaks (RESOURCE_LEAK) /libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd() 609 R2Pipe *r2p = JS_GetOpaque (this_val, 0); 610 size_t plen; 611 if (r2p) { 612 const char *cmd = JS_ToCStringLen2 (ctx, &plen, argv[0], false); 613 char *s = r2pipe_cmd (r2p, cmd); 614 if (s) { >>> CID 1563171: Resource leaks (RESOURCE_LEAK) >>> Variable "s" going out of scope leaks the storage it points to. 615 return QJS_STRING (s); 616 } 617 return JS_ThrowRangeError (ctx, "Empty command returns undefined"); 618 } 619 return JS_ThrowRangeError (ctx, "Only one argument permitted"); 620 } ** CID 1563170: Control flow issues (UNREACHABLE) /shlr/qjs/src/quickjs.c: 30456 in resolve_variables() ________________________________________________________________________________________________________ *** CID 1563170: Control flow issues (UNREACHABLE) /shlr/qjs/src/quickjs.c: 30456 in resolve_variables() 30450 dbuf_putc(&bc_out, OP_source_loc); 30451 dbuf_put_u32(&bc_out, line_num); 30452 dbuf_put_u32(&bc_out, col_num); 30453 } 30454 break; 30455 } >>> CID 1563170: Control flow issues (UNREACHABLE) >>> This code cannot be reached: "goto no_change;". 
30456 goto no_change; 30457 30458 case OP_label: 30459 { 30460 int label; 30461 LabelSlot *ls; ** CID 1563169: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1563169: (TAINTED_SCALAR) /shlr/qjs/src/quickjs.c: 35566 in JS_ReadObject2() 35560 s->first_atom = JS_ATOM_END; 35561 else 35562 s->first_atom = 1; 35563 if (JS_ReadObjectAtoms(s)) { 35564 obj = JS_EXCEPTION; 35565 } else { >>> CID 1563169: (TAINTED_SCALAR) >>> Passing tainted expression "*s->idx_to_atom" to "JS_ReadObjectRec", which uses it as an offset. 35566 obj = JS_ReadObjectRec(s); 35567 } 35568 if (psab_tab) { 35569 psab_tab->tab = s->sab_tab; 35570 psab_tab->len = s->sab_tab_len; 35571 } else { /shlr/qjs/src/quickjs.c: 35574 in JS_ReadObject2() 35568 if (psab_tab) { 35569 psab_tab->tab = s->sab_tab; 35570 psab_tab->len = s->sab_tab_len; 35571 } else { 35572 js_free(ctx, s->sab_tab); 35573 } >>> CID 1563169: (TAINTED_SCALAR) >>> Passing tainted expression "*s->idx_to_atom" to "bc_reader_free", which uses it as an offset. 35574 bc_reader_free(s); 35575 return obj; 35576 } 35577 35578 JSValue JS_ReadObject(JSContext *ctx, const uint8_t *buf, size_t buf_len, 35579 int flags) ** CID 1563168: Error handling issues (CHECKED_RETURN) /shlr/qjs/src/quickjs.c: 8425 in set_array_length() ________________________________________________________________________________________________________ *** CID 1563168: Error handling issues (CHECKED_RETURN) /shlr/qjs/src/quickjs.c: 8425 in set_array_length() 8419 p->u.array.count = len; 8420 } 8421 p->prop[0].u.value = js_uint32(len); 8422 } else { 8423 /* Note: length is always a uint32 because the object is an 8424 array */ >>> CID 1563168: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times). 
8425 JS_ToUint32(ctx, &cur_len, p->prop[0].u.value); 8426 if (len < cur_len) { 8427 uint32_t d; 8428 JSShape *sh; 8429 JSShapeProperty *pr; 8430 ** CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION) /shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix() ________________________________________________________________________________________________________ *** CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION) /shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix() 11485 digit = trunc(frac); 11486 frac -= digit; 11487 *ptr2++ = digits36[digit]; 11488 n0 = n0 * radix + digit; 11489 prec -= log2_radix; 11490 } >>> CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION) >>> Dividing integer expressions "radix" and "2", and then converting the integer quotient to type "double". Any remainder, or fractional part of the quotient, is ignored. 11491 if (frac * radix >= radix / 2) { 11492 /* round up the string representation manually */ 11493 char nine = digits36[radix - 1]; 11494 while (ptr2[-1] == nine) { 11495 /* strip trailing '9' or equivalent digits */ 11496 ptr2--; ** CID 1563166: Error handling issues (CHECKED_RETURN) /libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj() ________________________________________________________________________________________________________ *** CID 1563166: Error handling issues (CHECKED_RETURN) /libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj() 621 622 static JSValue qjs_r2pipe_instance_cmdj(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) { 623 JSValue arg0 = qjs_r2pipe_instance_cmd (ctx, this_val, argc, argv); 624 const char jp[] = "JSON.parse"; 625 JSValue json_parse = JS_Eval (ctx, jp, strlen (jp), "-", JS_EVAL_TYPE_GLOBAL); 626 JSValue args = JS_NewArray (ctx); >>> CID 1563166: Error handling issues (CHECKED_RETURN) >>> Calling "JS_SetPropertyUint32" without checking return value (as is done elsewhere 6 out of 7 times). 
627 JS_SetPropertyUint32 (ctx, args, 0, arg0); 628 return JS_Call (ctx, json_parse, this_val, 1, &args); 629 } 630 631 static JSValue qjs_r2pipe_instance_quit(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) { 632 R2Pipe *r2p = JS_GetOpaque (this_val, 0); ** CID 1563165: (DEADCODE) /shlr/qjs/src/quickjs.c: 37478 in js_function_toString() /shlr/qjs/src/quickjs.c: 37475 in js_function_toString() /shlr/qjs/src/quickjs.c: 37481 in js_function_toString() ________________________________________________________________________________________________________ *** CID 1563165: (DEADCODE) /shlr/qjs/src/quickjs.c: 37478 in js_function_toString() 37472 case JS_FUNC_NORMAL: 37473 pref = "function "; 37474 break; 37475 case JS_FUNC_GENERATOR: 37476 pref = "function *"; 37477 break; >>> CID 1563165: (DEADCODE) >>> Execution cannot reach this statement: "case JS_FUNC_ASYNC:". 37478 case JS_FUNC_ASYNC: 37479 pref = "async function "; 37480 break; 37481 case JS_FUNC_ASYNC_GENERATOR: 37482 pref = "async function *"; 37483 break; /shlr/qjs/src/quickjs.c: 37475 in js_function_toString() 37469 37470 switch(func_kind) { 37471 default: 37472 case JS_FUNC_NORMAL: 37473 pref = "function "; 37474 break; >>> CID 1563165: (DEADCODE) >>> Execution cannot reach this statement: "case JS_FUNC_GENERATOR:". 37475 case JS_FUNC_GENERATOR: 37476 pref = "function *"; 37477 break; 37478 case JS_FUNC_ASYNC: 37479 pref = "async function "; 37480 break; /shlr/qjs/src/quickjs.c: 37481 in js_function_toString() 37475 case JS_FUNC_GENERATOR: 37476 pref = "function *"; 37477 break; 37478 case JS_FUNC_ASYNC: 37479 pref = "async function "; 37480 break; >>> CID 1563165: (DEADCODE) >>> Execution cannot reach this statement: "case JS_FUNC_ASYNC_GENERATOR:". 
37481 case JS_FUNC_ASYNC_GENERATOR: 37482 pref = "async function *"; 37483 break; 37484 } 37485 suff = "() {\n [native code]\n}"; 37486 name = JS_GetProperty(ctx, this_val, JS_ATOM_name); ** CID 1563164: (TAINTED_SCALAR) /shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap() /shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap() /shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap() /shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap() ________________________________________________________________________________________________________ *** CID 1563164: (TAINTED_SCALAR) /shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap() 33578 int pos, len, op, fmt; 33579 33580 pos = 0; 33581 while (pos < bc_len) { 33582 op = bc_buf[pos]; 33583 len = short_opcode_info(op).size; >>> CID 1563164: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 33584 fmt = short_opcode_info(op).fmt; 33585 switch(fmt) { 33586 case OP_FMT_u16: 33587 case OP_FMT_i16: 33588 case OP_FMT_label16: 33589 case OP_FMT_npop: /shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap() 33577 { 33578 int pos, len, op, fmt; 33579 33580 pos = 0; 33581 while (pos < bc_len) { 33582 op = bc_buf[pos]; >>> CID 1563164: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 33583 len = short_opcode_info(op).size; 33584 fmt = short_opcode_info(op).fmt; 33585 switch(fmt) { 33586 case OP_FMT_u16: 33587 case OP_FMT_i16: 33588 case OP_FMT_label16: /shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap() 33578 int pos, len, op, fmt; 33579 33580 pos = 0; 33581 while (pos < bc_len) { 33582 op = bc_buf[pos]; 33583 len = short_opcode_info(op).size; >>> CID 1563164: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 
33584 fmt = short_opcode_info(op).fmt; 33585 switch(fmt) { 33586 case OP_FMT_u16: 33587 case OP_FMT_i16: 33588 case OP_FMT_label16: 33589 case OP_FMT_npop: /shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap() 33577 { 33578 int pos, len, op, fmt; 33579 33580 pos = 0; 33581 while (pos < bc_len) { 33582 op = bc_buf[pos]; >>> CID 1563164: (TAINTED_SCALAR) >>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info". 33583 len = short_opcode_info(op).size; 33584 fmt = short_opcode_info(op).fmt; 33585 switch(fmt) { 33586 case OP_FMT_u16: 33587 case OP_FMT_i16: 33588 case OP_FMT_label16:
Thanks! Is there any way we can run those tests?
I don't think Coverity accepts new open-source projects for free. I was subscribed at the time and get free reports for all the dependencies I use in radare2.
Running it through Coverity I get the following issues, so I'm lazily reporting them in here ^^