Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Fri Jan 10 2025 17:21:22 Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 3 new defect(s) introduced to Synchronet found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 3 of 3 defect(s) ** CID 530002: (NULL_RETURNS) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr() ________________________________________________________________________________________________________ *** CID 530002: (NULL_RETURNS) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1547 in bitmap_clrscr() 1541 cols = vstat.cols; 1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) { 1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) { 1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg); 1545 } 1546 } >>> CID 530002: (NULL_RETURNS) >>> Dereferencing a pointer that might be "NULL" "va" when calling "bitmap_draw_vmem". 1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va); 1548 release_vmem(vmem_ptr); 1549 pthread_mutex_unlock(&vstatlock); 1550 } 1551 1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1544 in bitmap_clrscr() 1538 pthread_mutex_lock(&vstatlock); 1539 vmem_ptr = get_vmem(&vstat); 1540 rows = vstat.rows; 1541 cols = vstat.cols; 1542 for (y = cio_textinfo.wintop - 1; y < cio_textinfo.winbottom && y < rows; y++) { 1543 for (x = cio_textinfo.winleft - 1; x < cio_textinfo.winright && x < cols; x++) { >>> CID 530002: (NULL_RETURNS) >>> Dereferencing "va", which is known to be "NULL". 1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg); 1545 } 1546 } 1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va); 1548 release_vmem(vmem_ptr); 1549 pthread_mutex_unlock(&vstatlock); ** CID 530001: (EVALUATION_ORDER) /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() ________________________________________________________________________________________________________ *** CID 530001: (EVALUATION_ORDER) /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet); 745 else 746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count); 747 } 748 if(flength(packet) < 1) { 749 remove(packet); >>> CID 530001: (EVALUATION_ORDER) >>> In argument #1 of "this->external(this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex), ex | 1, NULL)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex | 1", the argument #2 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms. 750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0) 751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i); 752 if(flength(packet) < 1) { 753 bputs(text[QWKCompressionFailed]); 754 return(false); 755 } /pack_qwk.cpp: 750 in sbbs_t::pack_qwk(char *, unsigned int *, bool)() 744 lprintf(LOG_ERR, "libarchive error (%s) creating %s", error, packet); 745 else 746 lprintf(LOG_INFO, "libarchive created %s from %d files", packet, file_count); 747 } 748 if(flength(packet) < 1) { 749 remove(packet); >>> CID 530001: (EVALUATION_ORDER) >>> In argument #1 of "this->cmdstr(this->temp_cmd(ex), packet, path, NULL, ex)", a call is made to "this->temp_cmd(ex)". In argument #1 of this function, the object "ex" is modified. This object is also used in "ex", the argument #5 of the outer function call. The order in which these arguments are evaluated is not specified, and will vary between platforms. 750 if((i = external(cmdstr(temp_cmd(ex),packet,path,NULL,ex), ex|EX_WILDCARD)) != 0) 751 errormsg(WHERE, ERR_EXEC, cmdstr_output, i); 752 if(flength(packet) < 1) { 753 bputs(text[QWKCompressionFailed]); 754 return(false); 755 } ** CID 530000: (RESOURCE_LEAK) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr() /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr() ________________________________________________________________________________________________________ *** CID 530000: (RESOURCE_LEAK) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1550 in bitmap_clrscr() 1544 va[c++] = *set_vmem_cell(vmem_ptr, y * cio_textinfo.screenwidth + x, fill, ciolib_fg, ciolib_bg); 1545 } 1546 } 1547 bitmap_draw_vmem(cio_textinfo.winleft, cio_textinfo.wintop, cio_textinfo.winright, cio_textinfo.winbottom, va); 1548 release_vmem(vmem_ptr); 1549 pthread_mutex_unlock(&vstatlock); >>> CID 530000: (RESOURCE_LEAK) >>> Variable "va" going out of scope leaks the storage it points to. 1550 } 1551 1552 void bitmap_getcustomcursor(int *s, int *e, int *r, int *b, int *v) 1553 { 1554 pthread_mutex_lock(&vstatlock); 1555 if(s) /tmp/sbbs-Jan-10-2025/src/conio/bitmap_con.c: 1536 in bitmap_clrscr() 1530 struct vstat_vmem *vmem_ptr; 1531 size_t c = 0; 1532 int rows, cols; 1533 struct vmem_cell *va = malloc(((cio_textinfo.winright - cio_textinfo.winleft + 1) * (cio_textinfo.winbottom - cio_textinfo.wintop + 1)) * sizeof(struct vmem_cell)); 1534 1535 if(!bitmap_initialized) >>> CID 530000: (RESOURCE_LEAK) >>> Variable "va" going out of scope leaks the storage it points to. 1536 return; 1537 1538 pthread_mutex_lock(&vstatlock); 1539 vmem_ptr = get_vmem(&vstat); 1540 rows = vstat.rows; 1541 cols = vstat.cols; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/synchronet?tab=overview --- þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net .