Coverity scan issues #201

Closed
opened 2026-01-29 20:39:46 +00:00 by claunia · 1 comment
Owner

Originally created by @tpopela on GitHub (Oct 12, 2017).

  1. Defect type: FORWARD_NULL
16. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1937: var_compare_op: Comparing "s->ringbuffer" to null implies that "s->ringbuffer" might be null.
26. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:2240: var_deref_model: Passing "s" to "ProcessCommands", which dereferences null "s->ringbuffer".
27. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1868:3: deref_parm_in_call: Function "ProcessCommandsInternal" dereferences "s->ringbuffer".
64. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1766:11: deref_parm_field_in_call: Function "memcpy" dereferences an offset off "s->ringbuffer". [Note: The source code implementation of the function has been overridden by a builtin model.]
#  2238|         case BROTLI_STATE_COMMAND_POST_DECODE_LITERALS:
#  2239|         case BROTLI_STATE_COMMAND_POST_WRAP_COPY:
#  2240|->         result = ProcessCommands(s);
#  2241|           if (result == BROTLI_DECODER_NEEDS_MORE_INPUT) {
#  2242|             result = SafeProcessCommands(s);
  1. Defect type: FORWARD_NULL
16. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1937: var_compare_op: Comparing "s->ringbuffer" to null implies that "s->ringbuffer" might be null.
26. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:2069: var_deref_model: Passing "s" to "CopyUncompressedBlockToOutput", which dereferences null "s->ringbuffer".
34. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1313:9: deref_parm_field_in_call: Function "BrotliCopyBytes" dereferences an offset off "s->ringbuffer".
37. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/bit_reader.h:346:5: deref_parm: Directly dereferencing parameter "dest".
#   344|                                             BrotliBitReader* br, size_t num) {
#   345|     while (BrotliGetAvailableBits(br) >= 8 && num > 0) {
#   346|->     *dest = (uint8_t)BrotliGetBitsUnmasked(br);
#   347|       BrotliDropBits(br, 8);
#   348|       ++dest;
Originally created by @tpopela on GitHub (Oct 12, 2017). 1. Defect type: FORWARD_NULL ``` 16. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1937: var_compare_op: Comparing "s->ringbuffer" to null implies that "s->ringbuffer" might be null. 26. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:2240: var_deref_model: Passing "s" to "ProcessCommands", which dereferences null "s->ringbuffer". 27. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1868:3: deref_parm_in_call: Function "ProcessCommandsInternal" dereferences "s->ringbuffer". 64. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1766:11: deref_parm_field_in_call: Function "memcpy" dereferences an offset off "s->ringbuffer". [Note: The source code implementation of the function has been overridden by a builtin model.] # 2238| case BROTLI_STATE_COMMAND_POST_DECODE_LITERALS: # 2239| case BROTLI_STATE_COMMAND_POST_WRAP_COPY: # 2240|-> result = ProcessCommands(s); # 2241| if (result == BROTLI_DECODER_NEEDS_MORE_INPUT) { # 2242| result = SafeProcessCommands(s); ``` 2. Defect type: FORWARD_NULL ``` 16. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1937: var_compare_op: Comparing "s->ringbuffer" to null implies that "s->ringbuffer" might be null. 26. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:2069: var_deref_model: Passing "s" to "CopyUncompressedBlockToOutput", which dereferences null "s->ringbuffer". 34. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/decode.c:1313:9: deref_parm_field_in_call: Function "BrotliCopyBytes" dereferences an offset off "s->ringbuffer". 37. webkitgtk-2.14.7/Source/ThirdParty/brotli/dec/bit_reader.h:346:5: deref_parm: Directly dereferencing parameter "dest". # 344| BrotliBitReader* br, size_t num) { # 345| while (BrotliGetAvailableBits(br) >= 8 && num > 0) { # 346|-> *dest = (uint8_t)BrotliGetBitsUnmasked(br); # 347| BrotliDropBits(br, 8); # 348| ++dest; ```
Author
Owner

@eustas commented on GitHub (Oct 13, 2017):

  1. False positive; Coverity Scan fails to analyse workflow; it is guaranteed that at the stage when ProcessCommands is invoked ring-buffer is allocated.
  2. Same.

Take a look at BrotliEnsureRingBuffer and its invocation points in the workflow.

@eustas commented on GitHub (Oct 13, 2017): 1) False positive; Coverity Scan fails to analyse workflow; it is guaranteed that at the stage when `ProcessCommands` is invoked ring-buffer is allocated. 2) Same. Take a look at `BrotliEnsureRingBuffer` and its invocation points in the workflow.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/brotli#201