[GRASS-dev] Fwd: New Defects reported by Coverity Scan for grass
Markus Neteler
neteler at osgeo.org
Fri Dec 11 04:30:32 PST 2015
FYI - from yesterday's run.
BTW: we should connect Coverity Scan to Travis:
https://scan.coverity.com/travis_ci
---------- Forwarded message ----------
From: <scan-admin at coverity.com>
Date: Thu, Dec 10, 2015 at 4:47 PM
Subject: New Defects reported by Coverity Scan for grass
Hi,
Please find the latest report on new defect(s) introduced to grass
found with Coverity Scan.
37 new defect(s) introduced to grass found with Coverity Scan.
65 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 37 defect(s)
** CID 1208403: (TAINTED_SCALAR)
/lib/vector/Vlib/open_ogr.c: 306 in Vect_open_fidx()
________________________________________________________________________________________________________
*** CID 1208403: (TAINTED_SCALAR)
/lib/vector/Vlib/open_ogr.c: 306 in Vect_open_fidx()
300 /* number of records */
301 if (0 >= dig__fread_port_I(&(offset->array_num), 1, &fp))
302 return -1;
303
304 /* alloc space */
305 offset->array = (int *) G_malloc(offset->array_num * sizeof(int));
>>> CID 1208403: (TAINTED_SCALAR)
>>> Assigning: "offset->array_alloc" = "offset->array_num". Both are now tainted.
306 offset->array_alloc = offset->array_num;
307
308 /* offsets */
309 if (0 >= dig__fread_port_I(offset->array,
310 offset->array_num, &fp))
311 return -1;
/lib/vector/Vlib/open_ogr.c: 305 in Vect_open_fidx()
299
300 /* number of records */
301 if (0 >= dig__fread_port_I(&(offset->array_num), 1, &fp))
302 return -1;
303
304 /* alloc space */
>>> CID 1208403: (TAINTED_SCALAR)
>>> Passing tainted variable "offset->array_num * 4UL" to a tainted sink.
305 offset->array = (int *) G_malloc(offset->array_num * sizeof(int));
306 offset->array_alloc = offset->array_num;
307
308 /* offsets */
309 if (0 >= dig__fread_port_I(offset->array,
310 offset->array_num, &fp))
** CID 1341810: Uninitialized variables (UNINIT)
/vector/v.out.lidar/main.c: 200 in get_integer_column_value()
________________________________________________________________________________________________________
*** CID 1341810: Uninitialized variables (UNINIT)
/vector/v.out.lidar/main.c: 200 in get_integer_column_value()
194 val = catval->val.i;
195 }
196 else if (column_values->ctype == DB_C_TYPE_DOUBLE) {
197 val = catval->val.d;
198 }
199 /* else should be checked by caller */
>>> CID 1341810: Uninitialized variables (UNINIT)
>>> Using uninitialized value "val".
200 return val;
201 }
202
203 /*! Get RGB in a column for a category as three integers
204 *
205 * Expects the column to be a string.
** CID 1341811: Memory - corruptions (STRING_SIZE)
/lib/iostream/ami_stream.cpp: 86 in ami_single_temp_name(const
std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char>> &, char *)()
________________________________________________________________________________________________________
*** CID 1341811: Memory - corruptions (STRING_SIZE)
/lib/iostream/ami_stream.cpp: 86 in ami_single_temp_name(const
std::__cxx11::basic_string<char, std::char_traits<char>,
std::allocator<char>> &, char *)()
80 base_dir = getenv(STREAM_TMPDIR);
81 if(!base_dir) {
82 fprintf(stderr, "ami_stream: %s not set\n", STREAM_TMPDIR);
83 assert(base_dir);
84 exit(1);
85 }
>>> CID 1341811: Memory - corruptions (STRING_SIZE)
>>> Passing string "base_dir" of unknown size to "sprintf".
86 sprintf(tmp_path, "%s/%s_XXXXXX", base_dir, base.c_str());
87
88 fd = G_mkstemp(tmp_path, O_RDWR, 0600);
89
90 if (fd == -1) {
91 cerr << "ami_single_temp_name: ";
** CID 1341812: Memory - corruptions (STRING_SIZE)
/lib/gis/file_name.c: 89 in G_file_name_tmp()
________________________________________________________________________________________________________
*** CID 1341812: Memory - corruptions (STRING_SIZE)
/lib/gis/file_name.c: 89 in G_file_name_tmp()
83 {
84 const char *env, *tmp_path;
85
86 tmp_path = NULL;
87 env = getenv("GRASS_VECTOR_TMPDIR_MAPSET");
88 if (env && strcmp(env, "0") == 0) {
>>> CID 1341812: Memory - corruptions (STRING_SIZE)
>>> Assigning: "tmp_path" = "getenv". "tmp_path" is now tainted.
89 tmp_path = getenv("TMPDIR");
90 }
91
92 return file_name(path, NULL, element, name, mapset, tmp_path);
93 }
94
** CID 1341813: (STRING_OVERFLOW)
/raster/r.in.lidar/projection.c: 33 in projection_mismatch_report()
/raster/r.in.lidar/projection.c: 40 in projection_mismatch_report()
/raster/r.in.lidar/projection.c: 49 in projection_mismatch_report()
/raster/r.in.lidar/projection.c: 55 in projection_mismatch_report()
/raster/r.in.lidar/projection.c: 94 in projection_mismatch_report()
________________________________________________________________________________________________________
*** CID 1341813: (STRING_OVERFLOW)
/raster/r.in.lidar/projection.c: 33 in projection_mismatch_report()
27 struct Key_Value *proj_info,
28 struct Key_Value *proj_units, int err)
29 {
30 int i_value;
31 char error_msg[8192];
32
>>> CID 1341813: (STRING_OVERFLOW)
>>> You might overrun the 8192 byte fixed-size string "error_msg" by copying the return value of "G_gettext" without checking the length.
33 strcpy(error_msg,
34 _("Projection of dataset does not"
35 " appear to match current location.\n\n"));
36
37 /* TODO: output this info sorted by key: */
38 if (loc_wind.proj != cellhd.proj || err != -2) {
/raster/r.in.lidar/projection.c: 40 in projection_mismatch_report()
34 _("Projection of dataset does not"
35 " appear to match current location.\n\n"));
36
37 /* TODO: output this info sorted by key: */
38 if (loc_wind.proj != cellhd.proj || err != -2) {
39 if (loc_proj_info != NULL) {
>>> CID 1341813: (STRING_OVERFLOW)
>>> You might overrun the 8192 byte fixed-size string "error_msg" by copying the return value of "G_gettext" without checking the length.
40 strcat(error_msg, _("GRASS LOCATION PROJ_INFO is:\n"));
41 for (i_value = 0; i_value < loc_proj_info->nitems; i_value++)
42 sprintf(error_msg + strlen(error_msg), "%s: %s\n",
43 loc_proj_info->key[i_value],
44 loc_proj_info->value[i_value]);
45 strcat(error_msg, "\n");
/raster/r.in.lidar/projection.c: 49 in projection_mismatch_report()
43 loc_proj_info->key[i_value],
44 loc_proj_info->value[i_value]);
45 strcat(error_msg, "\n");
46 }
47
48 if (proj_info != NULL) {
>>> CID 1341813: (STRING_OVERFLOW)
>>> You might overrun the 8192 byte fixed-size string "error_msg" by copying the return value of "G_gettext" without checking the length.
49 strcat(error_msg, _("Import dataset PROJ_INFO is:\n"));
50 for (i_value = 0; i_value < proj_info->nitems; i_value++)
51 sprintf(error_msg + strlen(error_msg), "%s: %s\n",
52 proj_info->key[i_value],
proj_info->value[i_value]);
53 }
54 else {
/raster/r.in.lidar/projection.c: 55 in projection_mismatch_report()
49 strcat(error_msg, _("Import dataset PROJ_INFO is:\n"));
50 for (i_value = 0; i_value < proj_info->nitems; i_value++)
51 sprintf(error_msg + strlen(error_msg), "%s: %s\n",
52 proj_info->key[i_value],
proj_info->value[i_value]);
53 }
54 else {
>>> CID 1341813: (STRING_OVERFLOW)
>>> You might overrun the 8192 byte fixed-size string "error_msg" by copying the return value of "G_gettext" without checking the length.
55 strcat(error_msg, _("Import dataset PROJ_INFO is:\n"));
56 if (cellhd.proj == PROJECTION_XY)
57 sprintf(error_msg + strlen(error_msg),
58 "Dataset proj = %d (unreferenced/unknown)\n",
59 cellhd.proj);
60 else if (cellhd.proj == PROJECTION_LL)
/raster/r.in.lidar/projection.c: 94 in projection_mismatch_report()
88 }
89 }
90 sprintf(error_msg + strlen(error_msg),
91 _("\nIn case of no significant differences in the
projection definitions,"
92 " use the -o flag to ignore them and use"
93 " current location definition.\n"));
>>> CID 1341813: (STRING_OVERFLOW)
>>> You might overrun the 8192 byte fixed-size string "error_msg" by copying the return value of "G_gettext" without checking the length.
94 strcat(error_msg,
95 _("Consider generating a new location with
'location' parameter"
96 " from input data set.\n"));
97 G_fatal_error("%s", error_msg);
98 }
99
** CID 1341814: Incorrect expression (SIZEOF_MISMATCH)
/vector/v.decimate/grid_decimation.c: 25 in grid_decimation_create()
________________________________________________________________________________________________________
*** CID 1341814: Incorrect expression (SIZEOF_MISMATCH)
/vector/v.decimate/grid_decimation.c: 25 in grid_decimation_create()
19
20 /* max size: rows * cols < max of size_t (using 1D array) */
21 void grid_decimation_create(struct GridDecimation *grid_decimation,
22 size_t rows, size_t cols)
23 {
24 grid_decimation->grid_points =
>>> CID 1341814: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "8UL /* sizeof (struct DecimationPoint *) */" to function "G__calloc" and then casting the return value to "struct DecimationPoint ***" is suspicious.
25 G_calloc(rows * cols, sizeof(struct DecimationPoint *));
26 grid_decimation->grid_sizes = G_calloc(rows * cols, sizeof(size_t));
27 grid_decimation->rows = rows;
28 grid_decimation->cols = cols;
29 grid_decimation->if_add_point = NULL;
30 grid_decimation->on_add_point = NULL;
** CID 1341815: Null pointer dereferences (REVERSE_INULL)
/lib/db/dbmi_base/login.c: 318 in get_login()
________________________________________________________________________________________________________
*** CID 1341815: Null pointer dereferences (REVERSE_INULL)
/lib/db/dbmi_base/login.c: 318 in get_login()
312
313 if (login.data[i].host &&
strlen(login.data[i].host) > 0 && host)
314 *host = G_store(login.data[i].host);
315 else
316 *host = NULL;
317
>>> CID 1341815: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "port" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
318 if (login.data[i].port &&
strlen(login.data[i].port) > 0 && port)
319 *port = G_store(login.data[i].port);
320 else
321 *port = NULL;
322
323 break;
** CID 1341816: Null pointer dereferences (REVERSE_INULL)
/lib/db/dbmi_base/login.c: 313 in get_login()
________________________________________________________________________________________________________
*** CID 1341816: Null pointer dereferences (REVERSE_INULL)
/lib/db/dbmi_base/login.c: 313 in get_login()
307
308 if (login.data[i].password &&
strlen(login.data[i].password) > 0)
309 *password = G_store(login.data[i].password);
310 else
311 *password = NULL;
312
>>> CID 1341816: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "host" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
313 if (login.data[i].host &&
strlen(login.data[i].host) > 0 && host)
314 *host = G_store(login.data[i].host);
315 else
316 *host = NULL;
317
318 if (login.data[i].port &&
strlen(login.data[i].port) > 0 && port)
** CID 1341817: (RESOURCE_LEAK)
/lib/vector/Vlib/close_nat.c: 158 in V1_close_nat()
/lib/vector/Vlib/close_nat.c: 171 in V1_close_nat()
________________________________________________________________________________________________________
*** CID 1341817: (RESOURCE_LEAK)
/lib/vector/Vlib/close_nat.c: 158 in V1_close_nat()
152
153 /* drop also attribute table */
154 ndblinks = Vect_get_num_dblinks(Map);
155 for (i = 0; i < ndblinks; i++) {
156 fi = Vect_get_dblink(Map, i);
157
>>> CID 1341817: (RESOURCE_LEAK)
>>> Overwriting "driver" in "driver = db_start_driver_open_database(fi->driver, fi->database)" leaks the storage that "driver" points to.
158 driver =
db_start_driver_open_database(fi->driver, fi->database);
159 if (driver == NULL) {
160 G_warning(_("Unable to open database
<%s> by driver <%s>"),
161 fi->database, fi->driver);
162 continue;
163 }
/lib/vector/Vlib/close_nat.c: 171 in V1_close_nat()
165 db_set_string(&table_name, fi->table);
166 if (DB_OK != db_drop_table(driver, &table_name)) {
167 G_warning(_("Unable to drop table
<%s>"), fi->table);
168 continue;
169 }
170 }
>>> CID 1341817: (RESOURCE_LEAK)
>>> Variable "driver" going out of scope leaks the storage it points to.
171 }
172 #endif
173 }
174 }
175
176 return 0;
** CID 1341818: (RESOURCE_LEAK)
/lib/vector/Vlib/close_nat.c: 156 in V1_close_nat()
/lib/vector/Vlib/close_nat.c: 171 in V1_close_nat()
________________________________________________________________________________________________________
*** CID 1341818: (RESOURCE_LEAK)
/lib/vector/Vlib/close_nat.c: 156 in V1_close_nat()
150
151 db_init_string(&table_name);
152
153 /* drop also attribute table */
154 ndblinks = Vect_get_num_dblinks(Map);
155 for (i = 0; i < ndblinks; i++) {
>>> CID 1341818: (RESOURCE_LEAK)
>>> Overwriting "fi" in "fi = Vect_get_dblink(Map, i)" leaks the storage that "fi" points to.
156 fi = Vect_get_dblink(Map, i);
157
158 driver =
db_start_driver_open_database(fi->driver, fi->database);
159 if (driver == NULL) {
160 G_warning(_("Unable to open database
<%s> by driver <%s>"),
161 fi->database, fi->driver);
/lib/vector/Vlib/close_nat.c: 171 in V1_close_nat()
165 db_set_string(&table_name, fi->table);
166 if (DB_OK != db_drop_table(driver, &table_name)) {
167 G_warning(_("Unable to drop table
<%s>"), fi->table);
168 continue;
169 }
170 }
>>> CID 1341818: (RESOURCE_LEAK)
>>> Variable "fi" going out of scope leaks the storage it points to.
171 }
172 #endif
173 }
174 }
175
176 return 0;
** CID 1341819: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
________________________________________________________________________________________________________
*** CID 1341819: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
136 proj_info, proj_units, err);
137 }
138 else if (verbose) {
139 G_message(_("Projection of input dataset and current location "
140 "appear to match"));
141 }
>>> CID 1341819: Resource leaks (RESOURCE_LEAK)
>>> Variable "proj_units" going out of scope leaks the storage it points to.
** CID 1341820: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
________________________________________________________________________________________________________
*** CID 1341820: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
136 proj_info, proj_units, err);
137 }
138 else if (verbose) {
139 G_message(_("Projection of input dataset and current location "
140 "appear to match"));
141 }
>>> CID 1341820: Resource leaks (RESOURCE_LEAK)
>>> Variable "proj_info" going out of scope leaks the storage it points to.
** CID 1341821: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
________________________________________________________________________________________________________
*** CID 1341821: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
136 proj_info, proj_units, err);
137 }
138 else if (verbose) {
139 G_message(_("Projection of input dataset and current location "
140 "appear to match"));
141 }
>>> CID 1341821: Resource leaks (RESOURCE_LEAK)
>>> Variable "loc_proj_units" going out of scope leaks the storage it points to.
** CID 1341822: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
________________________________________________________________________________________________________
*** CID 1341822: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/projection.c: 142 in projection_check_wkt()
136 proj_info, proj_units, err);
137 }
138 else if (verbose) {
139 G_message(_("Projection of input dataset and current location "
140 "appear to match"));
141 }
>>> CID 1341822: Resource leaks (RESOURCE_LEAK)
>>> Variable "loc_proj_info" going out of scope leaks the storage it points to.
** CID 1341823: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/rast_segment.c: 37 in rast_segment_open()
________________________________________________________________________________________________________
*** CID 1341823: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/rast_segment.c: 37 in rast_segment_open()
31 int segment_rows = 64;
32
33 /* we use long segments because this is how the values a binned */
34 int segment_cols = Rast_input_window_cols();
35 int segments_in_memory = 4;
36
>>> CID 1341823: Resource leaks (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "G_tempfile()" leaks it.
37 if (Segment_open(segment, G_tempfile(), Rast_input_window_rows(),
38 Rast_input_window_cols(), segment_rows,
segment_cols,
39 Rast_cell_size(*map_type), segments_in_memory) != 1)
40 G_fatal_error(_("Cannot create temporary file with
segments of a raster map"));
41 rast_segment_load(segment, rowio, *map_type);
42 Rast_close(rowio); /* we won't need the raster again */
** CID 1341824: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/rast_segment.c: 20 in rast_segment_load()
________________________________________________________________________________________________________
*** CID 1341824: Resource leaks (RESOURCE_LEAK)
/raster/r.in.lidar/rast_segment.c: 20 in rast_segment_load()
14
15 for (row = 0; row < Rast_input_window_rows(); row++) {
16 /* TODO: free mem */
17 Rast_get_row(rowio, raster_row, row, map_type);
18 Segment_put_row(segment, raster_row, row);
19 }
>>> CID 1341824: Resource leaks (RESOURCE_LEAK)
>>> Variable "raster_row" going out of scope leaks the storage it points to.
20 }
21
22 /* TODO: close function */
23
24 void rast_segment_open(SEGMENT * segment, const char *name,
25 RASTER_MAP_TYPE * map_type)
** CID 1341825: (RESOURCE_LEAK)
/lib/db/dbmi_client/copy_tab.c: 203 in copy_table()
/lib/db/dbmi_client/copy_tab.c: 203 in copy_table()
________________________________________________________________________________________________________
*** CID 1341825: (RESOURCE_LEAK)
/lib/db/dbmi_client/copy_tab.c: 203 in copy_table()
197
198 if (ret != DB_OK) {
199 db_close_database_shutdown_driver(to_driver);
200 if (from_driver != to_driver)
201 db_close_database_shutdown_driver(from_driver);
202
>>> CID 1341825: (RESOURCE_LEAK)
>>> Variable "tblname_i" going out of scope leaks the storage it points to.
203 return DB_FAILED;
204 }
205 }
206
207 G_free(tblname_i);
208 }
/lib/db/dbmi_client/copy_tab.c: 203 in copy_table()
197
198 if (ret != DB_OK) {
199 db_close_database_shutdown_driver(to_driver);
200 if (from_driver != to_driver)
201 db_close_database_shutdown_driver(from_driver);
202
>>> CID 1341825: (RESOURCE_LEAK)
>>> Variable "tblname_i" going out of scope leaks the storage it points to.
203 return DB_FAILED;
204 }
205 }
206
207 G_free(tblname_i);
208 }
** CID 1341826: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
/vector/v.in.lidar/main.c: 635 in ()
________________________________________________________________________________________________________
*** CID 1341826: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
/vector/v.in.lidar/main.c: 635 in ()
629 }
630 }
631 sprintf(error_msg + strlen(error_msg),
632 _("\nIn case of no significant differences
in the projection definitions,"
633 " use the -o flag to ignore them and use"
634 " current location definition.\n"),
>>> CID 1341826: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
>>> the format string ends before this argument
635 G_program_name());
636 strcat(error_msg,
637 _("Consider generating a new location with
'location' parameter"
638 " from input data set.\n"));
639 G_fatal_error("%s", error_msg);
640 }
** CID 1341827: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
/raster3d/r3.info/main.c: 485 in ()
________________________________________________________________________________________________________
*** CID 1341827: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
/raster3d/r3.info/main.c: 485 in ()
479 fprintf(out, "\"%s\"\n",
Rast_get_history(&hist, HIST_DATSRC_1));
480 fprintf(out, "source2=");
481 fprintf(out, "\"%s\"\n",
Rast_get_history(&hist, HIST_DATSRC_2));
482 fprintf(out, "description=");
483 fprintf(out, "\"%s\"\n",
Rast_get_history(&hist, HIST_KEYWRD));
484 if (Rast_history_length(&hist)) {
>>> CID 1341827: API usage errors (PW.TOO_MANY_PRINTF_ARGS)
>>> the format string ends before this argument
485 fprintf(out, "comments=\"", i);
486 for (i = 0; i < Rast_history_length(&hist); i++)
487 fprintf(out, "%s", Rast_history_line(&hist, i));
488 fprintf(out, "\"\n");
489 }
490 }
** CID 1341828: API usage errors (PW.PRINTF_ARG_MISMATCH)
/vector/v.random/main.c: 577 in ()
________________________________________________________________________________________________________
*** CID 1341828: API usage errors (PW.PRINTF_ARG_MISMATCH)
/vector/v.random/main.c: 577 in ()
571 if (flag.z->answer)
572 Vect_append_point(Points, x, y, z);
573 else
574 Vect_append_point(Points, x, y, 0.0);
575
576 if (parm.zcol->answer) {
>>> CID 1341828: API usage errors (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
577 sprintf(buf, "insert into %s values ( %d, ",
Fi->table, i + 1);
578 db_set_string(&sql, buf);
579 /* Round random value if column is integer type */
580 if (usefloat)
581 sprintf(buf, "%f )", z);
582 else
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/grass?tab=overview