Subject: New Defects reported by Coverity Scan for Synchronet
To: cov-scan@synchro.net
From: scan-admin@coverity.com
Date: Mon Feb 28 2022 01:50 pm

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

9 new defect(s) introduced to Synchronet found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 349947:  (CHECKED_RETURN)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3959 in JS_ClearScope()
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3965 in JS_ClearScope()
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3973 in JS_ClearScope()


________________________________________________________________________________________________________
*** CID 349947:  (CHECKED_RETURN)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3959 in JS_ClearScope()
3953        /* Clear cached class objects on the global object. */
3954        if (obj->isGlobal()) {
3955            /* This can return false but that doesn't mean it failed. */
3956            obj->unbrand(cx);
3957
3958            for (int key = JSProto_Null; key < JSProto_LIMIT * 3; key++)
>>>     CID 349947:  (CHECKED_RETURN)
>>>     Calling "JS_SetReservedSlot" without checking return value (as is done elsewhere 38 out of 43 times).
3959                JS_SetReservedSlot(cx, obj, key, JSVAL_VOID);
3960
3961            /* Clear regexp statics. */
3962            RegExpStatics::extractFrom(obj)->clear();
3963
3964            /* Clear the CSP eval-is-allowed cache. */
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3965 in JS_ClearScope()
3959                JS_SetReservedSlot(cx, obj, key, JSVAL_VOID);
3960
3961            /* Clear regexp statics. */
3962            RegExpStatics::extractFrom(obj)->clear();
3963
3964            /* Clear the CSP eval-is-allowed cache. */
>>>     CID 349947:  (CHECKED_RETURN)
>>>     Calling "JS_SetReservedSlot" without checking return value (as is done elsewhere 38 out of 43 times).
3965            JS_SetReservedSlot(cx, obj, JSRESERVED_GLOBAL_EVAL_ALLOWED, JSVAL_VOID);
3966
3967            /*
3968             * Mark global as cleared. If we try to execute any compile-and-go
3969             * scripts from here on, we will throw.
3970             */
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsapi.cpp: 3973 in JS_ClearScope()
3967            /*
3968             * Mark global as cleared. If we try to execute any compile-and-go
3969             * scripts from here on, we will throw.
3970             */
3971            int32 flags = obj->getReservedSlot(JSRESERVED_GLOBAL_FLAGS).toInt32();
3972            flags |= JSGLOBAL_FLAGS_CLEARED;
>>>     CID 349947:  (CHECKED_RETURN)
>>>     Calling "JS_SetReservedSlot" without checking return value (as is done elsewhere 38 out of 43 times).
3973            JS_SetReservedSlot(cx, obj, JSRESERVED_GLOBAL_FLAGS, Jsvalify(Int32Value(flags)));
3974        }
3975
3976        js_InitRandom(cx);
3977    }
3978

** CID 349946:  Error handling issues  (CHECKED_RETURN)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/Library.cpp: 259 in js::ctypes::Library::Close(JSContext *, unsigned int, unsigned long *)()


________________________________________________________________________________________________________
*** CID 349946:  Error handling issues  (CHECKED_RETURN)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/Library.cpp: 259 in js::ctypes::Library::Close(JSContext *, unsigned int, unsigned long *)()
253         JS_ReportError(cx, "close doesn't take any arguments");
254         return JS_FALSE;
255       }
256
257       // delete our internal objects
258       Finalize(cx, obj);
>>>     CID 349946:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "JS_SetReservedSlot" without checking return value (as is done elsewhere 38 out of 43 times).
259       JS_SetReservedSlot(cx, obj, SLOT_LIBRARY, PRIVATE_TO_JSVAL(NULL));
260
261       JS_SET_RVAL(cx, vp, JSVAL_VOID);
262       return JS_TRUE;
263     }
264

** CID 349945:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 349945:  Null pointer dereferences  (FORWARD_NULL)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/CTypes.cpp: 4834 in js::ctypes::FunctionType::Create(JSContext *, unsigned int, unsigned long *)()
4828      }
4829
4830      // Pull out the argument types from the array, if any.
4831      JS_ASSERT(!argTypes.length() || arrayObj);
4832      js::AutoArrayRooter items(cx, argTypes.length(), argTypes.begin());
4833      for (jsuint i = 0; i < argTypes.length(); ++i) {
>>>     CID 349945:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "arrayObj" to "JS_GetElement", which dereferences it.
4834        if (!JS_GetElement(cx, arrayObj, i, &argTypes[i]))
4835          return JS_FALSE;
4836      }
4837
4838      JSObject* result = CreateInternal(cx, argv[0], argv[1],
4839                                        argTypes.begin(), argTypes.length());

** CID 43174:  Security best practices violations  (SECURE_TEMP)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 226 in open_temp_exec_file_name()


________________________________________________________________________________________________________
*** CID 43174:  Security best practices violations  (SECURE_TEMP)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 226 in open_temp_exec_file_name()
220   static size_t execsize = 0;
221
222   /* Open a temporary file name, and immediately unlink it.  */
223   static int
224   open_temp_exec_file_name (char *name)
225   {
>>>     CID 43174:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
226     int fd = mkstemp (name);
227
228     if (fd != -1)
229       unlink (name);
230
231     return fd;

** CID 43169:  Resource leaks  (RESOURCE_LEAK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 436 in dlmmap_locked()


________________________________________________________________________________________________________
*** CID 43169:  Resource leaks  (RESOURCE_LEAK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 436 in dlmmap_locked()
430     }
431
432     mmap_exec_offset ((char *)start, length) = (char*)ptr - (char*)start;
433
434     execsize += length;
435
>>>     CID 43169:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "ptr" going out of scope leaks the storage it points to.
436     return start;
437   }
438
439   /* Map in a writable and executable chunk of memory if possible.
440      Failing that, fall back to dlmmap_locked.  */
441   static void *

** CID 43149:  Control flow issues  (MISSING_BREAK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/x86/ffi64.c: 148 in classify_argument()


________________________________________________________________________________________________________
*** CID 43149:  Control flow issues  (MISSING_BREAK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/x86/ffi64.c: 148 in classify_argument()
142       case FFI_TYPE_UINT16:
143       case FFI_TYPE_SINT16:
144       case FFI_TYPE_UINT32:
145       case FFI_TYPE_SINT32:
146       case FFI_TYPE_UINT64:
147       case FFI_TYPE_SINT64:
>>>     CID 43149:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "14" is not terminated by a "break" statement.
148       case FFI_TYPE_POINTER:
149         {
150           int size = byte_offset + type->size;
151
152           if (size <= 4)
153             {

** CID 43148:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 4350 in dlfree()


________________________________________________________________________________________________________
*** CID 43148:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 4350 in dlfree()
4344        POSTACTION(fm);
4345      }
4346    }
4347  #if !FOOTERS
4348  #undef fm
4349  #endif /* FOOTERS */
>>>     CID 43148:  Program hangs  (LOCK)
>>>     Returning without unlocking "_gm_.mutex".
4350  }
4351
4352  void* dlcalloc(size_t n_elements, size_t elem_size) {
4353    void* mem;
4354    size_t req = 0;
4355    if (n_elements != 0) {

** CID 43147:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 4246 in dlmalloc()


________________________________________________________________________________________________________
*** CID 43147:  Program hangs  (LOCK)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/dlmalloc.c: 4246 in dlmalloc()
4240      }
4241
4242      mem = sys_alloc(gm, nb);
4243
4244    postaction:
4245      POSTACTION(gm);
>>>     CID 43147:  Program hangs  (LOCK)
>>>     Returning without unlocking "_gm_.mutex".
4246      return mem;
4247    }
4248
4249    return 0;
4250  }
4251

** CID 43140:  Memory - corruptions  (BAD_FREE)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 501 in dlmunmap()


________________________________________________________________________________________________________
*** CID 43140:  Memory - corruptions  (BAD_FREE)
/tmp/sbbs-Feb-28-2022/3rdp/src/mozjs/js-1.8.5/js/src/ctypes/libffi/src/closures.c: 501 in dlmunmap()
495   #if FFI_CLOSURE_TEST
496     printf ("unmapping %zi\n", length);
497   #endif
498
499     if (seg && (code = add_segment_exec_offset (start, seg)) != start)
500       {
>>>     CID 43140:  Memory - corruptions  (BAD_FREE)
>>>     "munmap" frees incorrect pointer "code".
501         int ret = munmap (code, length);
502         if (ret)
503           return ret;
504       }
505
506     return munmap (start, length);


________________________________________________________________________________________________________


To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3DBdDU_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrAWQK-2BbauFoR8oEcd8fVvowWww1uOREp83U-2BQv-2F49ZxHjLovWpQVbJzCo15li7JaqiLVFDhjl0JEgQeQKrnzmY9Xam1jd0jpy91zK33qTfOzOatQbuBkc6tp1BrmOUJzbyc0kg3LQP5h22pzEnSi6XFuU-2FNv7elDIbIVbH0Y0tr0w-3D-3D