Closed
Bug 1284187
Opened 9 years ago
Closed 9 years ago
New coverity issues in Snapshot 164273
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.26
People
(Reporter: franziskus, Assigned: franziskus)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: [CID 1362986][CID 1362986])
Attachments
(1 file, 1 obsolete file)
|
2.71 KB,
patch
|
ttaubert
:
review+
|
Details | Diff | Splinter Review |
** CID 1362987: (USE_AFTER_FREE)
/lib/jar/jarver.c: 355 in jar_parse_any()
/lib/jar/jarver.c: 355 in jar_parse_any()
________________________________________________________________________________________________________
*** CID 1362987: (USE_AFTER_FREE)
/lib/jar/jarver.c: 355 in jar_parse_any()
349 }
350 }
351
352 if (type != jarTypeMF) {
353 PORT_Free(met->header);
354 if (type != jarTypeSF || !jar->globalmeta) {
>>> CID 1362987: (USE_AFTER_FREE)
>>> Calling "PORT_Free_Util" frees pointer "met->info" which has already been freed.
355 PORT_Free(met->info);
356 }
357 PORT_Free(met);
358 }
359 }
360
/lib/jar/jarver.c: 355 in jar_parse_any()
349 }
350 }
351
352 if (type != jarTypeMF) {
353 PORT_Free(met->header);
354 if (type != jarTypeSF || !jar->globalmeta) {
>>> CID 1362987: (USE_AFTER_FREE)
>>> Passing freed pointer "met->info" as an argument to "PORT_Free_Util".
355 PORT_Free(met->info);
356 }
357 PORT_Free(met);
358 }
359 }
360
** CID 1362986: Resource leaks (RESOURCE_LEAK)
/cmd/ecperf/ecperf.c: 311 in hexString2SECItem()
________________________________________________________________________________________________________
*** CID 1362986: Resource leaks (RESOURCE_LEAK)
/cmd/ecperf/ecperf.c: 311 in hexString2SECItem()
305 tmp = str[i] - '0';
306 else if ((str[i] >= 'a') && (str[i] <= 'f'))
307 tmp = str[i] - 'a' + 10;
308 else if ((str[i] >= 'A') && (str[i] <= 'F'))
309 tmp = str[i] - 'A' + 10;
310 else
>>> CID 1362986: Resource leaks (RESOURCE_LEAK)
>>> Returning without freeing "item" leaks the storage that it points to.
311 return NULL;
312
313 byteval = byteval * 16 + tmp;
314 if ((i % 2) != 0) {
315 item->data[i / 2] = byteval;
316 byteval = 0;
| Assignee | ||
Comment 1•9 years ago
|
||
Attachment #8767561 -
Flags: review?(ttaubert)
Comment 2•9 years ago
|
||
Comment on attachment 8767561 [details] [diff] [review]
coverity-snapshot-164273.patch
Review of attachment 8767561 [details] [diff] [review]:
-----------------------------------------------------------------
::: cmd/ecperf/ecperf.c
@@ +312,1 @@
> return NULL;
Coverity complains because it assumes that (arena == NULL && item == NULL). We could assert both to be non-null at the top of the function to silence it. That's how I would love the SECITEM* functions to behave anyway :)
::: lib/jar/jarver.c
@@ +355,1 @@
> PORT_Free(met->info);
This won't work because |met->info| isn't set to NULL by PORT_Free() above. How about changing the condition to |if (!(type == jarTypeSF && jar->globalmeta) && (sf_md5 || sf_sha1)) {?
It's a little messy but so we'd handle the free() call on line 348, as well as the possibility that we'll never enter the block on line 361 and so free(met->info) to not leak.
Attachment #8767561 -
Flags: review?(ttaubert) → feedback+
| Assignee | ||
Comment 3•9 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #2)
> Comment on attachment 8767561 [details] [diff] [review]
> coverity-snapshot-164273.patch
>
> Review of attachment 8767561 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: cmd/ecperf/ecperf.c
> @@ +312,1 @@
> > return NULL;
>
> Coverity complains because it assumes that (arena == NULL && item == NULL).
> We could assert both to be non-null at the top of the function to silence
> it. That's how I would love the SECITEM* functions to behave anyway :)
Well, item is probably NULL. But we can assert arena (btw, I don't think covertiy is intelligent enough to detect use of the arena).
> ::: lib/jar/jarver.c
> @@ +355,1 @@
> > PORT_Free(met->info);
>
> This won't work because |met->info| isn't set to NULL by PORT_Free() above.
> How about changing the condition to |if (!(type == jarTypeSF &&
> jar->globalmeta) && (sf_md5 || sf_sha1)) {?
>
> It's a little messy but so we'd handle the free() call on line 348, as well
> as the possibility that we'll never enter the block on line 361 and so
> free(met->info) to not leak.
how about |met->info = NULL| in addition to the PORT_Free?
Attachment #8767561 -
Attachment is obsolete: true
Attachment #8767659 -
Flags: review?(ttaubert)
Comment 4•9 years ago
|
||
Comment on attachment 8767659 [details] [diff] [review]
coverity-snapshot-164273.patch
Review of attachment 8767659 [details] [diff] [review]:
-----------------------------------------------------------------
::: cmd/ecperf/ecperf.c
@@ +284,5 @@
> int i = 0;
> int byteval = 0;
> int tmp = PORT_Strlen(str);
>
> + PORT_Assert(arena);
|item| is never null, all callers in ecperf.c pass a stack pointer. Although I think Coverity will stop complaining with arena != NULL.
Attachment #8767659 -
Flags: review?(ttaubert) → review+
| Assignee | ||
Comment 5•9 years ago
|
||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.26
You need to log in
before you can comment on or make changes to this bug.
Description
•