Closed
Bug 1284187
Opened 8 years ago
Closed 8 years ago
New coverity issues in Snapshot 164273
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.26
People
(Reporter: franziskus, Assigned: franziskus)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: [CID 1362986][CID 1362986])
Attachments
(1 file, 1 obsolete file)
2.71 KB,
patch
|
ttaubert
:
review+
|
Details | Diff | Splinter Review |
** CID 1362987: (USE_AFTER_FREE) /lib/jar/jarver.c: 355 in jar_parse_any() /lib/jar/jarver.c: 355 in jar_parse_any() ________________________________________________________________________________________________________ *** CID 1362987: (USE_AFTER_FREE) /lib/jar/jarver.c: 355 in jar_parse_any() 349 } 350 } 351 352 if (type != jarTypeMF) { 353 PORT_Free(met->header); 354 if (type != jarTypeSF || !jar->globalmeta) { >>> CID 1362987: (USE_AFTER_FREE) >>> Calling "PORT_Free_Util" frees pointer "met->info" which has already been freed. 355 PORT_Free(met->info); 356 } 357 PORT_Free(met); 358 } 359 } 360 /lib/jar/jarver.c: 355 in jar_parse_any() 349 } 350 } 351 352 if (type != jarTypeMF) { 353 PORT_Free(met->header); 354 if (type != jarTypeSF || !jar->globalmeta) { >>> CID 1362987: (USE_AFTER_FREE) >>> Passing freed pointer "met->info" as an argument to "PORT_Free_Util". 355 PORT_Free(met->info); 356 } 357 PORT_Free(met); 358 } 359 } 360 ** CID 1362986: Resource leaks (RESOURCE_LEAK) /cmd/ecperf/ecperf.c: 311 in hexString2SECItem() ________________________________________________________________________________________________________ *** CID 1362986: Resource leaks (RESOURCE_LEAK) /cmd/ecperf/ecperf.c: 311 in hexString2SECItem() 305 tmp = str[i] - '0'; 306 else if ((str[i] >= 'a') && (str[i] <= 'f')) 307 tmp = str[i] - 'a' + 10; 308 else if ((str[i] >= 'A') && (str[i] <= 'F')) 309 tmp = str[i] - 'A' + 10; 310 else >>> CID 1362986: Resource leaks (RESOURCE_LEAK) >>> Returning without freeing "item" leaks the storage that it points to. 311 return NULL; 312 313 byteval = byteval * 16 + tmp; 314 if ((i % 2) != 0) { 315 item->data[i / 2] = byteval; 316 byteval = 0;
Assignee | ||
Comment 1•8 years ago
|
||
Attachment #8767561 -
Flags: review?(ttaubert)
Comment 2•8 years ago
|
||
Comment on attachment 8767561 [details] [diff] [review] coverity-snapshot-164273.patch Review of attachment 8767561 [details] [diff] [review]: ----------------------------------------------------------------- ::: cmd/ecperf/ecperf.c @@ +312,1 @@ > return NULL; Coverity complains because it assumes that (arena == NULL && item == NULL). We could assert both to be non-null at the top of the function to silence it. That's how I would love the SECITEM* functions to behave anyway :) ::: lib/jar/jarver.c @@ +355,1 @@ > PORT_Free(met->info); This won't work because |met->info| isn't set to NULL by PORT_Free() above. How about changing the condition to |if (!(type == jarTypeSF && jar->globalmeta) && (sf_md5 || sf_sha1)) {? It's a little messy but so we'd handle the free() call on line 348, as well as the possibility that we'll never enter the block on line 361 and so free(met->info) to not leak.
Attachment #8767561 -
Flags: review?(ttaubert) → feedback+
Assignee | ||
Comment 3•8 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #2) > Comment on attachment 8767561 [details] [diff] [review] > coverity-snapshot-164273.patch > > Review of attachment 8767561 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: cmd/ecperf/ecperf.c > @@ +312,1 @@ > > return NULL; > > Coverity complains because it assumes that (arena == NULL && item == NULL). > We could assert both to be non-null at the top of the function to silence > it. That's how I would love the SECITEM* functions to behave anyway :) Well, item is probably NULL. But we can assert arena (btw, I don't think covertiy is intelligent enough to detect use of the arena). > ::: lib/jar/jarver.c > @@ +355,1 @@ > > PORT_Free(met->info); > > This won't work because |met->info| isn't set to NULL by PORT_Free() above. > How about changing the condition to |if (!(type == jarTypeSF && > jar->globalmeta) && (sf_md5 || sf_sha1)) {? > > It's a little messy but so we'd handle the free() call on line 348, as well > as the possibility that we'll never enter the block on line 361 and so > free(met->info) to not leak. how about |met->info = NULL| in addition to the PORT_Free?
Attachment #8767561 -
Attachment is obsolete: true
Attachment #8767659 -
Flags: review?(ttaubert)
Comment 4•8 years ago
|
||
Comment on attachment 8767659 [details] [diff] [review] coverity-snapshot-164273.patch Review of attachment 8767659 [details] [diff] [review]: ----------------------------------------------------------------- ::: cmd/ecperf/ecperf.c @@ +284,5 @@ > int i = 0; > int byteval = 0; > int tmp = PORT_Strlen(str); > > + PORT_Assert(arena); |item| is never null, all callers in ecperf.c pass a stack pointer. Although I think Coverity will stop complaining with arena != NULL.
Attachment #8767659 -
Flags: review?(ttaubert) → review+
Assignee | ||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/1887efbdceda
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.26
You need to log in
before you can comment on or make changes to this bug.
Description
•