| Project Name | CID | Checker | Category | Developer Description |
|---|---|---|---|---|
| Kodi | 1262428 | OVERRUN | Memory - illegal accesses | We haven't noticed an impact of the bug but the out of bounds access has been present since at least 2009 without anybody spotting it. If it wasn't for coverity we would never have found out about it until something blew up badly. |
210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 |
memset(buf, 0, sizeof (cc_memory_t)); for (i = 0; i < CC_ROWS; i++) { ccrow_der(&buf->channel[0].rows[i], 0); ccrow_der(&buf->channel[1].rows[i], 0); } } static void ccmem_init(cc_memory_t *buf) { ccmem_clear(buf); } static void ccmem_exit(cc_memory_t *buf) { /*FIXME: anything to deallocate?*/ } void ccmem_tobuf(cc_decoder_t *dec) { cc_buffer_t *buf = &dec->on_buf->channel[dec->on_buf->channel_no]; int empty = 1; dec->textlen = 0; int i,j; |
< 1. Condition "i < 15", taking true branch
234 235 |
for (i = 0; i < CC_ROWS; i++) { |
< 2. Condition "j < 32", taking true branch
236 |
for (j = 0; j<CC_COLUMNS; j++) |
< 3. Condition "buf->rows[i].cells[j].c != 32", taking true branch
237 238 239 |
if (buf->rows[i].cells[j].c != ' ') { empty = 0; |
< 4. Breaking from loop240 241 |
break;
} |
< 5. Condition "!empty", taking true branch
242 |
if (!empty) |
< 6. Breaking from loop243 244 |
break;
} |
< 7. Condition "empty", taking false branch
245 246 |
if (empty) return; // Nothing to write |
< 8. Condition "i < 15", taking true branch
< 29. Condition "i < 15", taking true branch
248 249 250 |
for (i = 0; i<CC_ROWS; i++) { int empty = 1; |
< 9. Condition "j < 32", taking true branch
< 12. Condition "j < 32", taking true branch
< 15. Condition "j < 32", taking false branch
< 30. Condition "j < 32", taking true branch
< 33. Condition "j < 32", taking true branch
< 36. Condition "j < 32", taking false branch
251 |
for (j = 0; j<CC_COLUMNS; j++) |
< 10. Condition "buf->rows[i].cells[j].c != 32", taking true branch
< 13. Condition "buf->rows[i].cells[j].c != 32", taking true branch
< 31. Condition "buf->rows[i].cells[j].c != 32", taking false branch
< 34. Condition "buf->rows[i].cells[j].c != 32", taking true branch
252 |
if (buf->rows[i].cells[j].c != ' ') |
< 11. Jumping back to the beginning of the loop
< 14. Jumping back to the beginning of the loop
< 32. Jumping back to the beginning of the loop
< 35. Jumping back to the beginning of the loop
253 |
empty = 0; |
< 16. Condition "!empty", taking true branch
< 37. Condition "!empty", taking true branch
254 255 256 |
if (!empty) { int f, l; // First,last used char |
< 17. Condition "f < 32", taking true branch
< 38. Condition "f < 32", taking true branch
< 41. Condition "f < 32", taking true branch
<< 42. Checking "f < 32" implies that "f" has the value which may be up to 31 on the true branch.
257 |
for (f = 0; f<CC_COLUMNS; f++) |
< 18. Condition "buf->rows[i].cells[f].c != 32", taking true branch
< 39. Condition "buf->rows[i].cells[f].c != 32", taking false branch
< 43. Condition "buf->rows[i].cells[f].c != 32", taking true branch
258 |
if (buf->rows[i].cells[f].c != ' ') |
< 19. Breaking from loop
< 40. Jumping back to the beginning of the loop
< 44. Breaking from loop
259 |
break; |
< 20. Condition "l > 0", taking true branch
< 45. Condition "l > 0", taking true branch
260 |
for (l = CC_COLUMNS-1; l>0; l--) |
< 21. Condition "buf->rows[i].cells[l].c != 32", taking true branch
< 46. Condition "buf->rows[i].cells[l].c != 32", taking true branch
261 |
if (buf->rows[i].cells[l].c != ' ') |
< 22. Breaking from loop
< 47. Breaking from loop
262 |
break; |
< 23. Condition "j <= l", taking true branch
< 25. Condition "j <= l", taking true branch
< 27. Condition "j <= l", taking false branch
<< 48. Assigning: "j" = "f". The value of "j" may now be up to 31.
< 49. Condition "j <= l", taking true branch
<< 51. Incrementing "j". The value of "j" may now be up to 32.
< 52. Condition "j <= l", taking true branch
263 |
for (j = f; j <= l; j++) |
< 24. Jumping back to the beginning of the loop
< 26. Jumping back to the beginning of the loop
< 50. Jumping back to the beginning of the loop
<<< CID 1262428: Memory - illegal accesses OVERRUN <<< 53. Overrunning array "buf->rows[i].cells" of 32 12-byte elements at element index 32 (byte offset 384) using index "j" (which evaluates to 32).
264 265 266 |
dec->text[dec->textlen++] = buf->rows[i].cells[j].c;
dec->text[dec->textlen++] = '\n';
} |
< 28. Jumping back to the beginning of the loop
267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 |
} dec->text[dec->textlen++] = '\n'; dec->text[dec->textlen++] = '\0'; dec->callback(0, dec->userdata); } /*----------------- cc_decoder_t methods --------------------------------*/ static void cc_set_channel(cc_decoder_t *dec, int channel) { (*dec->active)->channel_no = channel; } static cc_buffer_t *active_ccbuffer(cc_decoder_t *dec) { cc_memory_t *mem = *dec->active; return &mem->channel[mem->channel_no]; } static void cc_swap_buffers(cc_decoder_t *dec) { cc_memory_t *temp; /* hide caption in displayed memory */ /* cc_hide_displayed(dec); */ temp = dec->on_buf; |
| 42. cond_at_most | cc_decoder.c:257 | |
| 48. assignment | cc_decoder.c:263 | |
| 51. incr | cc_decoder.c:263 | |
| 53. overrun-local | cc_decoder.c:264 |