Coverity issues #559

Open
trufae opened this issue Sep 27, 2024 · 8 comments

Comments

@trufae
Contributor

trufae commented Sep 27, 2024

Running it through Coverity I get the following issues, so I'm lazily reporting them in here ^^


[email protected]
19:45 (19 minutes ago)
to me

Hi,

Please find the latest report on new defect(s) introduced to radare2 found with Coverity Scan.

18 new defect(s) introduced to radare2 found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)


** CID 1563181:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1563181:  Memory - corruptions  (OVERRUN)
/shlr/qjs/src/quickjs.c: 47178 in js_set_union()
47172         for (;;) {
47173             item = JS_IteratorNext(ctx, iter, next, 0, NULL, &done);
47174             if (JS_IsException(item))
47175                 goto exception;
47176             if (done) // item is JS_UNDEFINED
47177                 break;
>>>     CID 1563181:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type JSValue of 1 16-byte elements by passing it to a function which accesses it at element index 1 (byte offset 31).
47178             rv = js_map_set(ctx, newset, 1, &item, MAGIC_SET);
47179             JS_FreeValue(ctx, item);
47180             if (JS_IsException(rv))
47181                 goto exception;
47182             JS_FreeValue(ctx, rv);
47183         }

** CID 1563180:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/shlr/qjs/src/cutils.c: 768 in u64toa_radix()


________________________________________________________________________________________________________
*** CID 1563180:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/shlr/qjs/src/cutils.c: 768 in u64toa_radix()
762         if (shift) {
763             if (n < base) {
764                 buf[0] = digits36[n];
765                 buf[1] = '\0';
766                 return 1;
767             }
>>>     CID 1563180:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1 << shift" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
768             uint64_t mask = (1 << shift) - 1;
769             size_t len = (64 - clz64(n) + shift - 1) / shift;
770             size_t last = n & mask;
771             char *end = buf + len;
772             n >>= shift;
773             *end-- = '\0';

** CID 1563179:  Error handling issues  (CHECKED_RETURN)
/libr/lang/p/qjs.c: 665 in qjs_r2pipe_open()


________________________________________________________________________________________________________
*** CID 1563179:  Error handling issues  (CHECKED_RETURN)
/libr/lang/p/qjs.c: 665 in qjs_r2pipe_open()
659                     if (JS_IsArray (ctx, argv[1])) {
660                             int i;
661                             RStrBuf *sb = r_strbuf_new ("");
662                             JSValue array = argv[1];
663                             ut32 array_length;
664                             JSValue v = JS_GetPropertyStr (ctx, array, "length");
>>>     CID 1563179:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times).
665                             JS_ToUint32 (ctx, &array_length, v);
666                             for (i = 0; i < array_length; i++) {
667                                     v = JS_GetPropertyUint32 (ctx, array, i);
668                                     size_t plen;
669                                     const char *n = JS_ToCStringLen2 (ctx, &plen, v, false);
670                                     r_strbuf_append (sb, n);

** CID 1563178:  Insecure data handling  (INTEGER_OVERFLOW)


________________________________________________________________________________________________________
*** CID 1563178:  Insecure data handling  (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 11435 in js_dtoa()
11429             exp = quo;
11430         }
11431         start[i] = (char)('0' + exp);
11432     
11433      done:
11434         start[-1] = '-';    /* prepend the sign if negative */
>>>     CID 1563178:  Insecure data handling  (INTEGER_OVERFLOW)
>>>     "len + sign", which might have underflowed, is passed to "js_new_string8_len(ctx, start - sign, len + sign)".
11435         return js_new_string8_len(ctx, start - sign, len + sign);
11436     }
11437     
11438     /* `js_dtoa_radix`: convert a floating point number using a specific base
11439        - `d` must be finite
11440        - `radix` must be in range 2..36

** CID 1563177:  Memory - illegal accesses  (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed()


________________________________________________________________________________________________________
*** CID 1563177:  Memory - illegal accesses  (INTEGER_OVERFLOW)
/shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed()
40763         JS_FreeValue(ctx, str);
40764         if (JS_IsException(ret))
40765             return JS_EXCEPTION;
40766     
40767         p = JS_VALUE_GET_STRING(ret);
40768         for (i = 0, n = p->len; i < n; i++) {
>>>     CID 1563177:  Memory - illegal accesses  (INTEGER_OVERFLOW)
>>>     "i", which might have underflowed, is passed to "p->u.str16[i]".
40769             c = p->u.str16[i];
40770             if (!is_surrogate(c))
40771                 continue;
40772             if (is_lo_surrogate(c) || i + 1 == n) {
40773                 p->u.str16[i] = 0xFFFD;
40774                 continue;

** CID 1563176:    (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()


________________________________________________________________________________________________________
*** CID 1563176:    (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
34597         if (is_be())
34598             bc_byte_swap(bc_buf, bc_len);
34599     
34600         pos = 0;
34601         while (pos < bc_len) {
34602             op = bc_buf[pos];
>>>     CID 1563176:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34603             len = short_opcode_info(op).size;
34604             switch(short_opcode_info(op).fmt) {
34605             case OP_FMT_atom:
34606             case OP_FMT_atom_u8:
34607             case OP_FMT_atom_u16:
34608             case OP_FMT_atom_label_u8:
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
34598             bc_byte_swap(bc_buf, bc_len);
34599     
34600         pos = 0;
34601         while (pos < bc_len) {
34602             op = bc_buf[pos];
34603             len = short_opcode_info(op).size;
>>>     CID 1563176:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34604             switch(short_opcode_info(op).fmt) {
34605             case OP_FMT_atom:
34606             case OP_FMT_atom_u8:
34607             case OP_FMT_atom_u16:
34608             case OP_FMT_atom_label_u8:
34609             case OP_FMT_atom_label_u16:
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()
34598             bc_byte_swap(bc_buf, bc_len);
34599     
34600         pos = 0;
34601         while (pos < bc_len) {
34602             op = bc_buf[pos];
34603             len = short_opcode_info(op).size;
>>>     CID 1563176:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34604             switch(short_opcode_info(op).fmt) {
34605             case OP_FMT_atom:
34606             case OP_FMT_atom_u8:
34607             case OP_FMT_atom_u16:
34608             case OP_FMT_atom_label_u8:
34609             case OP_FMT_atom_label_u16:
/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
34597         if (is_be())
34598             bc_byte_swap(bc_buf, bc_len);
34599     
34600         pos = 0;
34601         while (pos < bc_len) {
34602             op = bc_buf[pos];
>>>     CID 1563176:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
34603             len = short_opcode_info(op).size;
34604             switch(short_opcode_info(op).fmt) {
34605             case OP_FMT_atom:
34606             case OP_FMT_atom_u8:
34607             case OP_FMT_atom_u16:
34608             case OP_FMT_atom_label_u8:

** CID 1563175:  Control flow issues  (DEADCODE)
/shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint()


________________________________________________________________________________________________________
*** CID 1563175:  Control flow issues  (DEADCODE)
/shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint()
12220         switch(op) {
12221         case OP_inc:
12222         case OP_dec:
12223             v = 2 * (op - OP_dec) - 1;
12224             ret = bf_add_si(r, a, v, BF_PREC_INF, BF_RNDZ);
12225             break;
>>>     CID 1563175:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "case OP_plus:".
12226         case OP_plus:
12227             ret = bf_set(r, a);
12228             break;
12229         case OP_neg:
12230             ret = bf_set(r, a);
12231             bf_neg(r);

** CID 1563174:  Insecure data handling  (TAINTED_SCALAR)
/shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap()


________________________________________________________________________________________________________
*** CID 1563174:  Insecure data handling  (TAINTED_SCALAR)
/shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap()
2577                 inplace_bswap32(&p[9]);
2578                 inplace_bswap32(&p[13]);
2579                 break;
2580             default:
2581                 abort();
2582             }
>>>     CID 1563174:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "n" as an index to pointer "p".
2583             p = &p[n];
2584         }
2585     }
2586     
2587     #ifdef TEST
2588     

** CID 1563173:  Memory - illegal accesses  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1563173:  Memory - illegal accesses  (OVERRUN)
/shlr/qjs/src/quickjs.c: 53785 in JS_IsEqual()
53779     }
53780     
53781     /* Equality comparisons and sameness */
53782     int JS_IsEqual(JSContext *ctx, JSValue op1, JSValue op2)
53783     {
53784         JSValue sp[2] = { js_dup(op1), js_dup(op2) };
>>>     CID 1563173:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 32 bytes at byte offset 32 by dereferencing pointer "sp + 2UL".
53785         if (js_eq_slow(ctx, endof(sp), 0))
53786             return -1;
53787         return JS_VALUE_GET_BOOL(sp[0]);
53788     }
53789     
53790     JS_BOOL JS_IsStrictEqual(JSContext *ctx, JSValue op1, JSValue op2)

** CID 1563172:  Control flow issues  (DEADCODE)
/shlr/qjs/src/cutils.c: 672 in u64toa()


________________________________________________________________________________________________________
*** CID 1563172:  Control flow issues  (DEADCODE)
/shlr/qjs/src/cutils.c: 672 in u64toa()
666                 len = u07toa_shift(buf, n1, len);
667             } else {
668                 len = u7toa_shift(buf, n1);
669             }
670             return u07toa_shift(buf, n, len);
671         }
>>>     CID 1563172:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return u7toa_shift(buf, n);".
672         return u7toa_shift(buf, n);
673     }
674     
675     size_t i32toa(char buf[minimum_length(12)], int32_t n)
676     {
677         if (likely(n >= 0))

** CID 1563171:  Resource leaks  (RESOURCE_LEAK)
/libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd()


________________________________________________________________________________________________________
*** CID 1563171:  Resource leaks  (RESOURCE_LEAK)
/libr/lang/p/qjs.c: 615 in qjs_r2pipe_instance_cmd()
609             R2Pipe *r2p = JS_GetOpaque (this_val, 0);
610             size_t plen;
611             if (r2p) {
612                     const char *cmd = JS_ToCStringLen2 (ctx, &plen, argv[0], false);
613                     char *s = r2pipe_cmd (r2p, cmd);
614                     if (s) {
>>>     CID 1563171:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "s" going out of scope leaks the storage it points to.
615                             return QJS_STRING (s);
616                     }
617                     return JS_ThrowRangeError (ctx, "Empty command returns undefined");
618             }
619             return JS_ThrowRangeError (ctx, "Only one argument permitted");
620     }

** CID 1563170:  Control flow issues  (UNREACHABLE)
/shlr/qjs/src/quickjs.c: 30456 in resolve_variables()


________________________________________________________________________________________________________
*** CID 1563170:  Control flow issues  (UNREACHABLE)
/shlr/qjs/src/quickjs.c: 30456 in resolve_variables()
30450                         dbuf_putc(&bc_out, OP_source_loc);
30451                         dbuf_put_u32(&bc_out, line_num);
30452                         dbuf_put_u32(&bc_out, col_num);
30453                     }
30454                     break;
30455                 }
>>>     CID 1563170:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "goto no_change;".
30456                 goto no_change;
30457     
30458             case OP_label:
30459                 {
30460                     int label;
30461                     LabelSlot *ls;

** CID 1563169:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1563169:    (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 35566 in JS_ReadObject2()
35560             s->first_atom = JS_ATOM_END;
35561         else
35562             s->first_atom = 1;
35563         if (JS_ReadObjectAtoms(s)) {
35564             obj = JS_EXCEPTION;
35565         } else {
>>>     CID 1563169:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*s->idx_to_atom" to "JS_ReadObjectRec", which uses it as an offset.
35566             obj = JS_ReadObjectRec(s);
35567         }
35568         if (psab_tab) {
35569             psab_tab->tab = s->sab_tab;
35570             psab_tab->len = s->sab_tab_len;
35571         } else {
/shlr/qjs/src/quickjs.c: 35574 in JS_ReadObject2()
35568         if (psab_tab) {
35569             psab_tab->tab = s->sab_tab;
35570             psab_tab->len = s->sab_tab_len;
35571         } else {
35572             js_free(ctx, s->sab_tab);
35573         }
>>>     CID 1563169:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*s->idx_to_atom" to "bc_reader_free", which uses it as an offset.
35574         bc_reader_free(s);
35575         return obj;
35576     }
35577     
35578     JSValue JS_ReadObject(JSContext *ctx, const uint8_t *buf, size_t buf_len,
35579                           int flags)

** CID 1563168:  Error handling issues  (CHECKED_RETURN)
/shlr/qjs/src/quickjs.c: 8425 in set_array_length()


________________________________________________________________________________________________________
*** CID 1563168:  Error handling issues  (CHECKED_RETURN)
/shlr/qjs/src/quickjs.c: 8425 in set_array_length()
8419                 p->u.array.count = len;
8420             }
8421             p->prop[0].u.value = js_uint32(len);
8422         } else {
8423             /* Note: length is always a uint32 because the object is an
8424                array */
>>>     CID 1563168:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_ToUint32" without checking return value (as is done elsewhere 12 out of 15 times).
8425             JS_ToUint32(ctx, &cur_len, p->prop[0].u.value);
8426             if (len < cur_len) {
8427                 uint32_t d;
8428                 JSShape *sh;
8429                 JSShapeProperty *pr;
8430     

** CID 1563167:  Incorrect expression  (UNINTENDED_INTEGER_DIVISION)
/shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix()


________________________________________________________________________________________________________
*** CID 1563167:  Incorrect expression  (UNINTENDED_INTEGER_DIVISION)
/shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix()
11485                 digit = trunc(frac);
11486                 frac -= digit;
11487                 *ptr2++ = digits36[digit];
11488                 n0 = n0 * radix + digit;
11489                 prec -= log2_radix;
11490             }
>>>     CID 1563167:  Incorrect expression  (UNINTENDED_INTEGER_DIVISION)
>>>     Dividing integer expressions "radix" and "2", and then converting the integer quotient to type "double". Any remainder, or fractional part of the quotient, is ignored.
11491             if (frac * radix >= radix / 2) {
11492                 /* round up the string representation manually */
11493                 char nine = digits36[radix - 1];
11494                 while (ptr2[-1] == nine) {
11495                     /* strip trailing '9' or equivalent digits */
11496                     ptr2--;

** CID 1563166:  Error handling issues  (CHECKED_RETURN)
/libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj()


________________________________________________________________________________________________________
*** CID 1563166:  Error handling issues  (CHECKED_RETURN)
/libr/lang/p/qjs.c: 627 in qjs_r2pipe_instance_cmdj()
621     
622     static JSValue qjs_r2pipe_instance_cmdj(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) {
623             JSValue arg0 = qjs_r2pipe_instance_cmd (ctx, this_val, argc, argv);
624             const char jp[] = "JSON.parse";
625             JSValue json_parse = JS_Eval (ctx, jp, strlen (jp), "-", JS_EVAL_TYPE_GLOBAL);
626             JSValue args = JS_NewArray (ctx);
>>>     CID 1563166:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_SetPropertyUint32" without checking return value (as is done elsewhere 6 out of 7 times).
627             JS_SetPropertyUint32 (ctx, args, 0, arg0);
628             return JS_Call (ctx, json_parse, this_val, 1, &args);
629     }
630     
631     static JSValue qjs_r2pipe_instance_quit(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) {
632             R2Pipe *r2p = JS_GetOpaque (this_val, 0);

** CID 1563165:    (DEADCODE)
/shlr/qjs/src/quickjs.c: 37478 in js_function_toString()
/shlr/qjs/src/quickjs.c: 37475 in js_function_toString()
/shlr/qjs/src/quickjs.c: 37481 in js_function_toString()


________________________________________________________________________________________________________
*** CID 1563165:    (DEADCODE)
/shlr/qjs/src/quickjs.c: 37478 in js_function_toString()
37472             case JS_FUNC_NORMAL:
37473                 pref = "function ";
37474                 break;
37475             case JS_FUNC_GENERATOR:
37476                 pref = "function *";
37477                 break;
>>>     CID 1563165:    (DEADCODE)
>>>     Execution cannot reach this statement: "case JS_FUNC_ASYNC:".
37478             case JS_FUNC_ASYNC:
37479                 pref = "async function ";
37480                 break;
37481             case JS_FUNC_ASYNC_GENERATOR:
37482                 pref = "async function *";
37483                 break;
/shlr/qjs/src/quickjs.c: 37475 in js_function_toString()
37469     
37470             switch(func_kind) {
37471             default:
37472             case JS_FUNC_NORMAL:
37473                 pref = "function ";
37474                 break;
>>>     CID 1563165:    (DEADCODE)
>>>     Execution cannot reach this statement: "case JS_FUNC_GENERATOR:".
37475             case JS_FUNC_GENERATOR:
37476                 pref = "function *";
37477                 break;
37478             case JS_FUNC_ASYNC:
37479                 pref = "async function ";
37480                 break;
/shlr/qjs/src/quickjs.c: 37481 in js_function_toString()
37475             case JS_FUNC_GENERATOR:
37476                 pref = "function *";
37477                 break;
37478             case JS_FUNC_ASYNC:
37479                 pref = "async function ";
37480                 break;
>>>     CID 1563165:    (DEADCODE)
>>>     Execution cannot reach this statement: "case JS_FUNC_ASYNC_GENERATOR:".
37481             case JS_FUNC_ASYNC_GENERATOR:
37482                 pref = "async function *";
37483                 break;
37484             }
37485             suff = "() {\n    [native code]\n}";
37486             name = JS_GetProperty(ctx, this_val, JS_ATOM_name);

** CID 1563164:    (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()


________________________________________________________________________________________________________
*** CID 1563164:    (TAINTED_SCALAR)
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
33578         int pos, len, op, fmt;
33579     
33580         pos = 0;
33581         while (pos < bc_len) {
33582             op = bc_buf[pos];
33583             len = short_opcode_info(op).size;
>>>     CID 1563164:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33584             fmt = short_opcode_info(op).fmt;
33585             switch(fmt) {
33586             case OP_FMT_u16:
33587             case OP_FMT_i16:
33588             case OP_FMT_label16:
33589             case OP_FMT_npop:
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
33577     {
33578         int pos, len, op, fmt;
33579     
33580         pos = 0;
33581         while (pos < bc_len) {
33582             op = bc_buf[pos];
>>>     CID 1563164:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33583             len = short_opcode_info(op).size;
33584             fmt = short_opcode_info(op).fmt;
33585             switch(fmt) {
33586             case OP_FMT_u16:
33587             case OP_FMT_i16:
33588             case OP_FMT_label16:
/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()
33578         int pos, len, op, fmt;
33579     
33580         pos = 0;
33581         while (pos < bc_len) {
33582             op = bc_buf[pos];
33583             len = short_opcode_info(op).size;
>>>     CID 1563164:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33584             fmt = short_opcode_info(op).fmt;
33585             switch(fmt) {
33586             case OP_FMT_u16:
33587             case OP_FMT_i16:
33588             case OP_FMT_label16:
33589             case OP_FMT_npop:
/shlr/qjs/src/quickjs.c: 33583 in bc_byte_swap()
33577     {
33578         int pos, len, op, fmt;
33579     
33580         pos = 0;
33581         while (pos < bc_len) {
33582             op = bc_buf[pos];
>>>     CID 1563164:    (TAINTED_SCALAR)
>>>     Using tainted variable "(op >= OP_TEMP_START) ? op + 18 : op" as an index into an array "opcode_info".
33583             len = short_opcode_info(op).size;
33584             fmt = short_opcode_info(op).fmt;
33585             switch(fmt) {
33586             case OP_FMT_u16:
33587             case OP_FMT_i16:
33588             case OP_FMT_label16:


@saghul
Contributor

saghul commented Sep 27, 2024

Thanks! Is there any way we can run those tests?

@trufae
Contributor Author

trufae commented Sep 28, 2024

I don't think Coverity accepts new open-source projects for free. I was subscribed at the time and get free reports for all the dependencies I use in radare2.

@saghul
Contributor

saghul commented Sep 28, 2024

Oh, I am not familiar with Coverity, thanks for explaining!

Cool to hear you are using it in radare2! I'll take a look at those issues as time allows.

@trufae
Contributor Author

trufae commented Sep 28, 2024

We plan to fuzz it and test qjsng more widely and report more issues soon. We also have some portability patches that may be good to maintain upstream :)

@saghul
Contributor

saghul commented Sep 28, 2024

Excellent!

@satk0
Contributor

satk0 commented Sep 28, 2024

Yeah, I found some things here that I needed to patch and I would be really glad to share it 💪

@saghul
Contributor

saghul commented Sep 28, 2024

PRs are most welcome! 🙏

@bnoordhuis
Contributor

/shlr/qjs/src/quickjs.c: 47178 in js_set_union()

False positive, js_map_set() accesses argv[1] only when !(magic & MAGIC_SET) but coverity probably can't see through that

/shlr/qjs/src/cutils.c: 768 in u64toa_radix()

False positive, only shifts 5 bits max but uses a lookup table, probably what confuses coverity

/libr/lang/p/qjs.c: 665 in qjs_r2pipe_open()

That's in r2's glue layer :-)

/shlr/qjs/src/quickjs.c: 11435 in js_dtoa()

False positive, cannot realistically underflow/overflow

/shlr/qjs/src/quickjs.c: 40769 in js_string_toWellFormed()

False positive, cannot realistically underflow/overflow; strings are max 2 GB

/shlr/qjs/src/quickjs.c: 34603 in JS_ReadFunctionBytecode()
/shlr/qjs/src/quickjs.c: 34604 in JS_ReadFunctionBytecode()

Legit, deserializer should check that op < countof(opcode_info); it trusts input but it's good to harden it

/shlr/qjs/src/quickjs.c: 12226 in js_unary_arith_bigint()

Legit, but harmless, just dead code

/shlr/qjs/src/libregexp.c: 2583 in lre_byte_swap()

Legit, I think; needs bounds checks

/shlr/qjs/src/quickjs.c: 53785 in JS_IsEqual()

False positive, coverity seems to get confused by the negative pointer arithmetic

/shlr/qjs/src/cutils.c: 672 in u64toa()

False positive? I don't get why coverity thinks it's unreachable

/shlr/qjs/src/quickjs.c: 30456 in resolve_variables()

Legit, but harmless, just dead code

/shlr/qjs/src/quickjs.c: 35566 in JS_ReadObject2()
/shlr/qjs/src/quickjs.c: 35574 in JS_ReadObject2()

Legit, 95% confidence rate. It's somewhat obscured but js_resize_array doesn't zero new elements when growing the idx_to_atom array

/shlr/qjs/src/quickjs.c: 8425 in set_array_length()

False positive, length is always a uint32 but we might as well call JS_VALUE_GET_INT(p->prop[0].u.value) directly instead of going through JS_ToUint32

/shlr/qjs/src/quickjs.c: 11491 in js_dtoa_radix()

False positive, looks intentional (rounding when fraction >= .5) but probably not Obviously Intentional to a tool like coverity; maybe make more explicit

/shlr/qjs/src/quickjs.c: 37478 in js_function_toString()

Legit, looks like we forgot to actually read the JS_FUNC type from the function object

/shlr/qjs/src/quickjs.c: 33584 in bc_byte_swap()

Legit, deserializer should check op < countof(opcode_info)
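The two TAINTED_SCALAR findings judged legit above (`JS_ReadFunctionBytecode` and `bc_byte_swap`, plus the `p = &p[n]` advance in `lre_byte_swap`) share one defect class: a byte read from untrusted serialized input is used as an index or an offset before being compared with the table or buffer size. The following is an added example, not QuickJS code, of the hardened walk Ben describes: every opcode is checked against `countof(opcode_info)` before indexing, and every instruction's length is checked against the bytes remaining. The opcode table, the `OP_TEMP_START`-style remapping (constants `OP_TEMP_START`/`OP_TEMP_SHIFT`) and the sample bytecode streams are constructed for this example and are not QuickJS's own values.

```c
/* Added example (not QuickJS code): a bytecode walker that validates untrusted
 * opcodes before using them as table indices and checks that each
 * instruction's operands fit inside the buffer. The table, the remapping
 * constants and the sample streams are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define countof(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    const char *name;
    uint8_t size;   /* total instruction length in bytes, opcode included */
} OpcodeInfo;

/* Constructed table with six opcodes; anything else is invalid. */
static const OpcodeInfo opcode_info[] = {
    { "nop",      1 },
    { "push_i8",  2 },
    { "push_i16", 3 },
    { "get_loc",  3 },
    { "goto",     5 },
    { "ret",      1 },
};

/* Constructed analogue of the "(op >= OP_TEMP_START) ? op + 18 : op" remapping
 * quoted in the report. Remapping happens before the bounds check, so the
 * check must be applied to the remapped index, not the raw byte. */
#define OP_TEMP_START 200
#define OP_TEMP_SHIFT 18

static size_t remap_opcode(uint8_t op)
{
    return (op >= OP_TEMP_START) ? (size_t)op + OP_TEMP_SHIFT : (size_t)op;
}

/* Returns the number of instructions decoded, or -1 when the stream is
 * malformed: an opcode outside the table, or operands running past bc_len. */
int walk_bytecode(const uint8_t *bc_buf, size_t bc_len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < bc_len) {
        size_t idx = remap_opcode(bc_buf[pos]);
        if (idx >= countof(opcode_info)) {
            fprintf(stderr, "invalid opcode 0x%02x at offset %zu\n", bc_buf[pos], pos);
            return -1;
        }
        size_t len = opcode_info[idx].size;
        /* pos < bc_len here, so bc_len - pos cannot underflow. */
        if (len == 0 || len > bc_len - pos) {
            fprintf(stderr, "truncated %s at offset %zu\n", opcode_info[idx].name, pos);
            return -1;
        }
        pos += len;
        count++;
    }
    return count;
}

/* Constructed sample streams. */
static const uint8_t sample_ok[]        = { 0x01, 0x7f, 0x03, 0x00, 0x01, 0x05 }; /* push_i8, get_loc, ret */
static const uint8_t sample_bad_op[]    = { 0x00, 0x06 };                         /* 0x06 is past the table */
static const uint8_t sample_remapped[]  = { 0xc8 };                               /* 200 remaps to 218 */
static const uint8_t sample_truncated[] = { 0x04, 0x00, 0x00 };                   /* goto needs 5 bytes */

int main(void)
{
    printf("ok: %d\n",        walk_bytecode(sample_ok, sizeof(sample_ok)));
    printf("bad op: %d\n",    walk_bytecode(sample_bad_op, sizeof(sample_bad_op)));
    printf("remapped: %d\n",  walk_bytecode(sample_remapped, sizeof(sample_remapped)));
    printf("truncated: %d\n", walk_bytecode(sample_truncated, sizeof(sample_truncated)));
    return 0;
}
```

The two checks correspond to the two findings: the index check is what the `opcode_info` reports ask for, and the remaining-length check is the same guard `lre_byte_swap` needs before `p = &p[n]`. Applying the check to the remapped index matters because a raw byte always fits in 256 entries, while the shifted value may not.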
