Running the latest radare2 build through Coverity Scan reported the new defects below; I'm pasting the report as-is rather than triaging each one. Most findings are in the QuickJS sources under shlr/qjs/src/ (likely to be fixed upstream), while CIDs 1563179, 1563171 and 1563166 are in radare2's own libr/lang/p/qjs.c and can be fixed here directly.
[email protected]
19:45 (19 minutes ago)
to me
Hi,
Please find the latest report on new defect(s) introduced to radare2 found with Coverity Scan.
18 new defect(s) introduced to radare2 found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 1563181: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1563181: Memory - corruptions (OVERRUN)
/shlr/qjs/src/quickjs.c: 47178 in js_set_union()
47172 for (;;) {
47173 item = JS_IteratorNext(ctx, iter, next, 0, NULL, &done);
47174 if (JS_IsException(item))
47175 goto exception;
47176 if (done) // item is JS_UNDEFINED
47177 break;
>>> CID 1563181: Memory - corruptions (OVERRUN)
>>> Overrunning struct type JSValue of 1 16-byte elements by passing it to a function which accesses it at element index 1 (byte offset 31). Note: &item is passed as a one-element argv with argc = 1, so this is only a real out-of-bounds read if js_map_set touches argv[1] without first checking argc; confirm that guard before treating it as a bug.
47178 rv = js_map_set(ctx, newset, 1, &item, MAGIC_SET);
47179 JS_FreeValue(ctx, item);
47180 if (JS_IsException(rv))
47181 goto exception;
47182 JS_FreeValue(ctx, rv);
47183 }
** CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/shlr/qjs/src/cutils.c: 768 in u64toa_radix()
________________________________________________________________________________________________________
*** CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/shlr/qjs/src/cutils.c: 768 in u64toa_radix()
762 if (shift) {
763 if (n < base) {
764 buf[0] = digits36[n];
765 buf[1] = '\0';
766 return 1;
767 }
>>> CID 1563180: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "1 << shift" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned). The fix is to widen before shifting: `uint64_t mask = ((uint64_t)1 << shift) - 1;`. With the `int` form the shift is undefined behaviour once shift reaches 31, so whether it bites depends on the range of shift the callers pass in.
768 uint64_t mask = (1 << shift) - 1;
769 size_t len = (64 - clz64(n) + shift - 1) / shift;
770 size_t last = n & mask;
771 char *end = buf + len;
772 n >>= shift;
773 *end-- = '\0';
** CID 1563179: Error handling issues (CHECKED_RETURN)
/libr/lang/p/qjs.c: 665 in qjs_r2pipe_open()
________________________________________________________________________________________________________
*** CID 1563179: Error handling issues (CHECKED_RETURN)
/libr/lang/p/qjs.c: 665 in qjs_r2pipe_open()
659 if (JS_IsArray (ctx, argv[1])) {
660 int i;
661 RStrBuf *sb = r_strbuf_new ("");
662 JSValue array = argv[1];
663 ut32 array_length;
664 JSValue v = JS_GetPropertyStr (ctx, array, "length");
>>> CID 1563179: Error handling issues (CHECKED_RETURN)
>>> Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times). If the conversion fails, array_length (declared without an initializer at line 663) is left uninitialized and then bounds the loop at line 666; either initialize it to 0 or bail out when JS_ToUint32 reports failure.
665 JS_ToUint32 (ctx, &array_length, v);
666 for (i = 0; i < array_length; i++) {
667 v = JS_GetPropertyUint32 (ctx, array, i);
668 size_t plen;
669 const char *n = JS_ToCStringLen2 (ctx, &plen, v, false);
670 r_strbuf_append (sb, n);
** CID 1563178: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________
*** CID 1563178: Insecure data handling (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 11435 in js_dtoa()
11429 exp = quo;
11430 }
11431 start[i] = (char)('0' + exp);
11432
11433 done:
11434 start[-1] = '-'; /* prepend the sign if negative */
>>> CID 1563178: Insecure data handling (INTEGER_OVERFLOW)
>>> "len + sign", which might have underflowed, is passed to "js_new_string8_len(ctx, start - sign, len + sign)".
11435 return js_new_string8_len(ctx, start - sign, len + sign);
11436 }
11437
11438 /* `js_dtoa_radix`: convert a floating point number using a specific base
11439 - `d` must be finite
11440 - `radix` must be in range 2..36
** CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed()
________________________________________________________________________________________________________
*** CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed()
40763 JS_FreeValue(ctx, str);
40764 if (JS_IsException(ret))
40765 return JS_EXCEPTION;
40766
40767 p = JS_VALUE_GET_STRING(ret);
40768 for (i = 0, n = p->len; i < n; i++) {
>>> CID 1563177: Memory - illegal accesses (INTEGER_OVERFLOW)
>>> "i", which might have underflowed, is passed to "p->u.str16[i]".
40769 c = p->u.str16[i];
40770 if (!is_surrogate(c))
40771 continue;
40772 if (is_lo_surrogate(c) || i + 1 == n) {
40773 p->u.str16[i] = 0xFFFD;
40774 continue;
** CID 1563176: (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
________________________________________________________________________________________________________
*** CID 1563176: (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
34597 if (is_be())
34598 bc_byte_swap(bc_buf, bc_len);
34599
34600 pos = 0;
34601 while (pos < bc_len) {
34602 op = bc_buf[pos];
>>> CID 1563176: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34603 len = short_opcode_info(op).size;
34604 switch(short_opcode_info(op).fmt) {
34605 case OP_FMT_atom:
34606 case OP_FMT_atom_u8:
34607 case OP_FMT_atom_u16:
34608 case OP_FMT_atom_label_u8:
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
34598 bc_byte_swap(bc_buf, bc_len);
34599
34600 pos = 0;
34601 while (pos < bc_len) {
34602 op = bc_buf[pos];
34603 len = short_opcode_info(op).size;
>>> CID 1563176: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34604 switch(short_opcode_info(op).fmt) {
34605 case OP_FMT_atom:
34606 case OP_FMT_atom_u8:
34607 case OP_FMT_atom_u16:
34608 case OP_FMT_atom_label_u8:
34609 case OP_FMT_atom_label_u16:
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
34598 bc_byte_swap(bc_buf, bc_len);
34599
34600 pos = 0;
34601 while (pos < bc_len) {
34602 op = bc_buf[pos];
34603 len = short_opcode_info(op).size;
>>> CID 1563176: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34604 switch(short_opcode_info(op).fmt) {
34605 case OP_FMT_atom:
34606 case OP_FMT_atom_u8:
34607 case OP_FMT_atom_u16:
34608 case OP_FMT_atom_label_u8:
34609 case OP_FMT_atom_label_u16:
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
34597 if (is_be())
34598 bc_byte_swap(bc_buf, bc_len);
34599
34600 pos = 0;
34601 while (pos < bc_len) {
34602 op = bc_buf[pos];
>>> CID 1563176: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34603 len = short_opcode_info(op).size;
34604 switch(short_opcode_info(op).fmt) {
34605 case OP_FMT_atom:
34606 case OP_FMT_atom_u8:
34607 case OP_FMT_atom_u16:
34608 case OP_FMT_atom_label_u8:
** CID 1563175: Control flow issues (DEADCODE)
/shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint()
________________________________________________________________________________________________________
*** CID 1563175: Control flow issues (DEADCODE)
/shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint()
12220 switch(op) {
12221 case OP_inc:
12222 case OP_dec:
12223 v = 2 * (op - OP_dec) - 1;
12224 ret = bf_add_si(r, a, v, BF_PREC_INF, BF_RNDZ);
12225 break;
>>> CID 1563175: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "case OP_plus:".
12226 case OP_plus:
12227 ret = bf_set(r, a);
12228 break;
12229 case OP_neg:
12230 ret = bf_set(r, a);
12231 bf_neg(r);
** CID 1563174: Insecure data handling (TAINTED_SCALAR)
/shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap()
________________________________________________________________________________________________________
*** CID 1563174: Insecure data handling (TAINTED_SCALAR)
/shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap()
2577 inplace_bswap32(&p[9]);
2578 inplace_bswap32(&p[13]);
2579 break;
2580 default:
2581 abort();
2582 }
>>> CID 1563174: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "n" as an index to pointer "p".
2583 p = &p[n];
2584 }
2585 }
2586
2587 #ifdef TEST
2588
** CID 1563173: Memory - illegal accesses (OVERRUN)
________________________________________________________________________________________________________
*** CID 1563173: Memory - illegal accesses (OVERRUN)
/shlr/qjs/src/quickjs.c: 53785 in JS_IsEqual()
53779 }
53780
53781 /* Equality comparisons and sameness */
53782 int JS_IsEqual(JSContext *ctx, JSValue op1, JSValue op2)
53783 {
53784 JSValue sp[2] = { js_dup(op1), js_dup(op2) };
>>> CID 1563173: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 32 bytes at byte offset 32 by dereferencing pointer "sp + 2UL". Passing a one-past-the-end pointer is legal in C; this is only a real defect if js_eq_slow reads at or above that address rather than indexing downward from it, so check how js_eq_slow uses its second argument before changing anything.
53785 if (js_eq_slow(ctx, endof(sp), 0))
53786 return -1;
53787 return JS_VALUE_GET_BOOL(sp[0]);
53788 }
53789
53790 JS_BOOL JS_IsStrictEqual(JSContext *ctx, JSValue op1, JSValue op2)
** CID 1563172: Control flow issues (DEADCODE)
/shlr/qjs/src/cutils.c: 672 in u64toa()
________________________________________________________________________________________________________
*** CID 1563172: Control flow issues (DEADCODE)
/shlr/qjs/src/cutils.c: 672 in u64toa()
666 len = u07toa_shift(buf, n1, len);
667 } else {
668 len = u7toa_shift(buf, n1);
669 }
670 return u07toa_shift(buf, n, len);
671 }
>>> CID 1563172: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return u7toa_shift(buf, n);".
672 return u7toa_shift(buf, n);
673 }
674
675 size_t i32toa(char buf[minimum_length(12)], int32_t n)
676 {
677 if (likely(n >= 0))
** CID 1563171: Resource leaks (RESOURCE_LEAK)
/libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd()
________________________________________________________________________________________________________
*** CID 1563171: Resource leaks (RESOURCE_LEAK)
/libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd()
609 R2Pipe *r2p = JS_GetOpaque (this_val, 0);
610 size_t plen;
611 if (r2p) {
612 const char *cmd = JS_ToCStringLen2 (ctx, &plen, argv[0], false);
613 char *s = r2pipe_cmd (r2p, cmd);
614 if (s) {
>>> CID 1563171: Resource leaks (RESOURCE_LEAK)
>>> Variable "s" going out of scope leaks the storage it points to. Whether this is a real leak depends on QJS_STRING: if it copies the bytes into a new JS string rather than taking ownership of the buffer returned by r2pipe_cmd, that buffer must be freed after the copy. The cmd string obtained from JS_ToCStringLen2 at line 612 is likewise not released on either return path; if that API hands out a reference that must be given back with JS_FreeCString, that is a second leak worth fixing in the same change.
615 return QJS_STRING (s);
616 }
617 return JS_ThrowRangeError (ctx, "Empty command returns undefined");
618 }
619 return JS_ThrowRangeError (ctx, "Only one argument permitted");
620 }
** CID 1563170: Control flow issues (UNREACHABLE)
/shlr/qjs/src/quickjs.c: 30456 in resolve_variables()
________________________________________________________________________________________________________
*** CID 1563170: Control flow issues (UNREACHABLE)
/shlr/qjs/src/quickjs.c: 30456 in resolve_variables()
30450 dbuf_putc(&bc_out, OP_source_loc);
30451 dbuf_put_u32(&bc_out, line_num);
30452 dbuf_put_u32(&bc_out, col_num);
30453 }
30454 break;
30455 }
>>> CID 1563170: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "goto no_change;".
30456 goto no_change;
30457
30458 case OP_label:
30459 {
30460 int label;
30461 LabelSlot *ls;
** CID 1563169: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1563169: (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 35566 in JS_ReadObject2()
35560 s->first_atom = JS_ATOM_END;
35561 else
35562 s->first_atom = 1;
35563 if (JS_ReadObjectAtoms(s)) {
35564 obj = JS_EXCEPTION;
35565 } else {
>>> CID 1563169: (TAINTED_SCALAR)
>>> Passing tainted expression "*s->idx_to_atom" to "JS_ReadObjectRec", which uses it as an offset.
35566 obj = JS_ReadObjectRec(s);
35567 }
35568 if (psab_tab) {
35569 psab_tab->tab = s->sab_tab;
35570 psab_tab->len = s->sab_tab_len;
35571 } else {
/shlr/qjs/src/quickjs.c: 35574 in JS_ReadObject2()
35568 if (psab_tab) {
35569 psab_tab->tab = s->sab_tab;
35570 psab_tab->len = s->sab_tab_len;
35571 } else {
35572 js_free(ctx, s->sab_tab);
35573 }
>>> CID 1563169: (TAINTED_SCALAR)
>>> Passing tainted expression "*s->idx_to_atom" to "bc_reader_free", which uses it as an offset.
35574 bc_reader_free(s);
35575 return obj;
35576 }
35577
35578 JSValue JS_ReadObject(JSContext *ctx, const uint8_t *buf, size_t buf_len,
35579 int flags)
** CID 1563168: Error handling issues (CHECKED_RETURN)
/shlr/qjs/src/quickjs.c: 8425 in set_array_length()
________________________________________________________________________________________________________
*** CID 1563168: Error handling issues (CHECKED_RETURN)
/shlr/qjs/src/quickjs.c: 8425 in set_array_length()
8419 p->u.array.count = len;
8420 }
8421 p->prop[0].u.value = js_uint32(len);
8422 } else {
8423 /* Note: length is always a uint32 because the object is an
8424 array */
>>> CID 1563168: Error handling issues (CHECKED_RETURN)
>>> Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times). The comment at lines 8423-8424 states that length is always a uint32 here; if that invariant holds the conversion cannot fail and this is a false positive, but a `(void)` cast or a debug assertion on the return value would record that intent and silence the finding.
8425 JS_ToUint32(ctx, &cur_len, p->prop[0].u.value);
8426 if (len < cur_len) {
8427 uint32_t d;
8428 JSShape *sh;
8429 JSShapeProperty *pr;
8430
** CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix()
________________________________________________________________________________________________________
*** CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
/shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix()
11485 digit = trunc(frac);
11486 frac -= digit;
11487 *ptr2++ = digits36[digit];
11488 n0 = n0 * radix + digit;
11489 prec -= log2_radix;
11490 }
>>> CID 1563167: Incorrect expression (UNINTENDED_INTEGER_DIVISION)
>>> Dividing integer expressions "radix" and "2", and then converting the integer quotient to type "double". Any remainder, or fractional part of the quotient, is ignored. With an odd radix the truncated quotient lowers the rounding threshold (for radix 3 the comparison is against 1 instead of 1.5); if a half-way rounding test is intended, as the comment on the next line suggests, write `frac * radix >= radix / 2.0` or `2 * frac * radix >= radix`.
11491 if (frac * radix >= radix / 2) {
11492 /* round up the string representation manually */
11493 char nine = digits36[radix - 1];
11494 while (ptr2[-1] == nine) {
11495 /* strip trailing '9' or equivalent digits */
11496 ptr2--;
** CID 1563166: Error handling issues (CHECKED_RETURN)
/libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj()
________________________________________________________________________________________________________
*** CID 1563166: Error handling issues (CHECKED_RETURN)
/libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj()
621
622 static JSValue qjs_r2pipe_instance_cmdj(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) {
623 JSValue arg0 = qjs_r2pipe_instance_cmd (ctx, this_val, argc, argv);
624 const char jp[] = "JSON.parse";
625 JSValue json_parse = JS_Eval (ctx, jp, strlen (jp), "-", JS_EVAL_TYPE_GLOBAL);
626 JSValue args = JS_NewArray (ctx);
>>> CID 1563166: Error handling issues (CHECKED_RETURN)
>>> Calling "JS_SetPropertyUint32" without checking return value (as is done elsewhere 6 out of 7 times). There is a bigger problem in the same function: arg0 is the result of qjs_r2pipe_instance_cmd, which returns a thrown RangeError on its error paths (lines 617 and 619), and it is handed to JSON.parse without a JS_IsException check; the function should return arg0 immediately when it is an exception. json_parse and args are also never passed to JS_FreeValue in the visible code — check whether they are expected to be released after JS_Call.
627 JS_SetPropertyUint32 (ctx, args, 0, arg0);
628 return JS_Call (ctx, json_parse, this_val, 1, &args);
629 }
630
631 static JSValue qjs_r2pipe_instance_quit(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) {
632 R2Pipe *r2p = JS_GetOpaque (this_val, 0);
** CID 1563165: (DEADCODE)
/shlr/qjs/src/quickjs.c: 37478 in js_function_toString()
/shlr/qjs/src/quickjs.c: 37475 in js_function_toString()
/shlr/qjs/src/quickjs.c: 37481 in js_function_toString()
________________________________________________________________________________________________________
*** CID 1563165: (DEADCODE)
/shlr/qjs/src/quickjs.c: 37478 in js_function_toString()
37472 case JS_FUNC_NORMAL:
37473 pref = "function ";
37474 break;
37475 case JS_FUNC_GENERATOR:
37476 pref = "function *";
37477 break;
>>> CID 1563165: (DEADCODE)
>>> Execution cannot reach this statement: "case JS_FUNC_ASYNC:".
37478 case JS_FUNC_ASYNC:
37479 pref = "async function ";
37480 break;
37481 case JS_FUNC_ASYNC_GENERATOR:
37482 pref = "async function *";
37483 break;
/shlr/qjs/src/quickjs.c: 37475 in js_function_toString()
37469
37470 switch(func_kind) {
37471 default:
37472 case JS_FUNC_NORMAL:
37473 pref = "function ";
37474 break;
>>> CID 1563165: (DEADCODE)
>>> Execution cannot reach this statement: "case JS_FUNC_GENERATOR:".
37475 case JS_FUNC_GENERATOR:
37476 pref = "function *";
37477 break;
37478 case JS_FUNC_ASYNC:
37479 pref = "async function ";
37480 break;
/shlr/qjs/src/quickjs.c: 37481 in js_function_toString()
37475 case JS_FUNC_GENERATOR:
37476 pref = "function *";
37477 break;
37478 case JS_FUNC_ASYNC:
37479 pref = "async function ";
37480 break;
>>> CID 1563165: (DEADCODE)
>>> Execution cannot reach this statement: "case JS_FUNC_ASYNC_GENERATOR:".
37481 case JS_FUNC_ASYNC_GENERATOR:
37482 pref = "async function *";
37483 break;
37484 }
37485 suff = "() {\n [native code]\n}";
37486 name = JS_GetProperty(ctx, this_val, JS_ATOM_name);
** CID 1563164: (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
________________________________________________________________________________________________________
*** CID 1563164: (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
33578 int pos, len, op, fmt;
33579
33580 pos = 0;
33581 while (pos < bc_len) {
33582 op = bc_buf[pos];
33583 len = short_opcode_info(op).size;
>>> CID 1563164: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33584 fmt = short_opcode_info(op).fmt;
33585 switch(fmt) {
33586 case OP_FMT_u16:
33587 case OP_FMT_i16:
33588 case OP_FMT_label16:
33589 case OP_FMT_npop:
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
33577 {
33578 int pos, len, op, fmt;
33579
33580 pos = 0;
33581 while (pos < bc_len) {
33582 op = bc_buf[pos];
>>> CID 1563164: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33583 len = short_opcode_info(op).size;
33584 fmt = short_opcode_info(op).fmt;
33585 switch(fmt) {
33586 case OP_FMT_u16:
33587 case OP_FMT_i16:
33588 case OP_FMT_label16:
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
33578 int pos, len, op, fmt;
33579
33580 pos = 0;
33581 while (pos < bc_len) {
33582 op = bc_buf[pos];
33583 len = short_opcode_info(op).size;
>>> CID 1563164: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33584 fmt = short_opcode_info(op).fmt;
33585 switch(fmt) {
33586 case OP_FMT_u16:
33587 case OP_FMT_i16:
33588 case OP_FMT_label16:
33589 case OP_FMT_npop:
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
33577 {
33578 int pos, len, op, fmt;
33579
33580 pos = 0;
33581 while (pos < bc_len) {
33582 op = bc_buf[pos];
>>> CID 1563164: (TAINTED_SCALAR)
>>> Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33583 len = short_opcode_info(op).size;
33584 fmt = short_opcode_info(op).fmt;
33585 switch(fmt) {
33586 case OP_FMT_u16:
33587 case OP_FMT_i16:
33588 case OP_FMT_label16: