Date:      Wed, 21 Oct 2015 20:04:16 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 203943] makefs: Coverity CID 977469: False positive
Message-ID:  <bug-203943-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203943

            Bug ID: 203943
           Summary: makefs: Coverity CID 977469: False positive
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: scdbackup@gmx.net

usr.sbin/makefs/cd9660/cd9660_debug.c

CID 977469: Out-of-bounds access (OVERRUN)
   1. overrun-buffer-val: Overrunning array pttemp->parent_number
   of 2 bytes by passing it to a function which accesses it at
   byte offset 3.

186        printf("<parent_number>%i</parent_number>\n",
187            debug_get_encoded_number(pttemp->parent_number,mode));

--------------- Source analysis:

The problem is with debug_get_encoded_number(), which, depending
on the "mode" parameter, reads more or fewer bytes.

The call complained about is in function debug_dump_to_xml_ptentry(),
which gets called only by function debug_dump_to_xml_path_table().
It gets the "mode" value as a parameter.
This function gets called on two occasions in debug_dump_to_xml():

        debug_dump_to_xml_path_table(fd, t, t2, 721);

        debug_dump_to_xml_path_table(fd, t, t2, 722);

The modes 721 and 722 select 2-byte reading in debug_get_encoded_number().
So the size of pttemp->parent_number is sufficient.

--------------- Remedy proposal:

In Coverity classify CID 977469 as "False positive" and set its Action
to "Ignore".

-- 
You are receiving this mail because:
You are the assignee for the bug.
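The report's argument is that the field size is sufficient because the only modes ever passed are 2-byte ones; a static analyzer that does not track the possible values of `mode` cannot see that and flags the widest read. The following is an added example, not makefs code and not its `debug_get_encoded_number()`: a hypothetical length-checked decoder that takes the buffer length alongside the mode and refuses any read that would overrun, so the safety property the bug report establishes by call-site inspection is instead enforced at run time. The mode numbers are the ECMA-119 section numbers for the number encodings (7.2.1 becomes 721, and so on); the page itself only mentions 721 and 722, the other widths are assumed from that convention. Both-byte-order modes additionally check that the two copies agree. Sample byte arrays are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte-order helpers; explicit casts avoid signed-int promotion on shifts. */
static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8; }
static uint32_t be16(const uint8_t *p) { return (uint32_t)p[0] << 8 | (uint32_t)p[1]; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }
static uint32_t be32(const uint8_t *p) { return be16(p) << 16 | be16(p + 2); }

/* Bytes each encoding needs. Mode numbers follow the ECMA-119 section
 * numbering (assumed here; the bug report only mentions 721 and 722). */
static size_t iso_number_width(int mode)
{
    switch (mode) {
    case 721: case 722: return 2;  /* 16-bit LE, 16-bit BE */
    case 723:           return 4;  /* 16-bit LE followed by 16-bit BE */
    case 731: case 732: return 4;  /* 32-bit LE, 32-bit BE */
    case 733:           return 8;  /* 32-bit LE followed by 32-bit BE */
    default:            return 0;  /* unknown mode */
    }
}

/* Hypothetical decoder: rejects any mode whose width exceeds buflen, so a
 * 2-byte field can only ever be read with a 2-byte mode. Both-byte-order
 * modes must also carry matching copies, which catches corrupt images.
 * Returns 0 on success and -1 on any error. */
int decode_iso_number(const uint8_t *buf, size_t buflen, int mode, uint32_t *out)
{
    size_t width = iso_number_width(mode);

    if (buf == NULL || out == NULL || width == 0 || width > buflen)
        return -1;

    switch (mode) {
    case 721: *out = le16(buf); break;
    case 722: *out = be16(buf); break;
    case 723:
        if (le16(buf) != be16(buf + 2)) return -1;
        *out = le16(buf);
        break;
    case 731: *out = le32(buf); break;
    case 732: *out = be32(buf); break;
    case 733:
        if (le32(buf) != be32(buf + 4)) return -1;
        *out = le32(buf);
        break;
    default:
        return -1; /* not reached: width == 0 was already rejected */
    }
    return 0;
}

/* Convenience wrapper: the decoded value, or -1 on any error. */
long long decode_or_neg1(const uint8_t *buf, size_t buflen, int mode)
{
    uint32_t v;
    return decode_iso_number(buf, buflen, mode, &v) == 0 ? (long long)v : -1;
}

/* Constructed samples (not taken from any real image). The first mirrors the
 * 2-byte parent_number field the analyzer complained about. */
static const uint8_t sample_parent_number[2] = { 0x34, 0x12 };
static const uint8_t sample_both_byte_ok[4]  = { 0x34, 0x12, 0x12, 0x34 };
static const uint8_t sample_both_byte_bad[4] = { 0x34, 0x12, 0x00, 0x00 };
static const uint8_t sample_u32[4]           = { 0x78, 0x56, 0x34, 0x12 };

int main(void)
{
    printf("mode 721 on 2-byte field -> %lld\n", decode_or_neg1(sample_parent_number, 2, 721));
    printf("mode 722 on 2-byte field -> %lld\n", decode_or_neg1(sample_parent_number, 2, 722));
    printf("mode 731 on 2-byte field -> %lld (rejected, would overrun)\n",
           decode_or_neg1(sample_parent_number, 2, 731));
    printf("mode 723 with mismatched copies -> %lld (rejected)\n",
           decode_or_neg1(sample_both_byte_bad, 4, 723));
    return 0;
}
```

Passing the field's size explicitly is what makes the call site self-evidently safe to both a reader and an analyzer; the report's call, by contrast, is safe only because of which constants reach it.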


