Subj : New Defects reported by Coverity Scan for Synchronet To : cov-scan@synchro.net From : scan-admin@coverity.com Date : Tue Mar 01 2022 01:56 pm Hi, Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan. 79 new defect(s) introduced to Synchronet found with Coverity Scan. 12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 79 defect(s) ** CID 350349: Memory - illegal accesses (STRING_NULL) /telgate.cpp: 194 in sbbs_t::telnet_gate(char *, unsigned long, unsigned int, char *, char *, char *)() ________________________________________________________________________________________________________ *** CID 350349: Memory - illegal accesses (STRING_NULL) /telgate.cpp: 194 in sbbs_t::telnet_gate(char *, unsigned long, unsigned int, char *, char *, char *)() 188 l=K_CHAT; 189 if(!(mode&TG_ECHO)) 190 l|=K_NOECHO; 191 rd=getstr((char*)buf,sizeof(buf)-1,l); 192 if(!rd) 193 continue; >>> CID 350349: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "buf" to "strlen", which expects a null-terminated string. 
194 SAFECAT(buf,crlf); 195 rd+=2; 196 gotline=true; 197 } 198 if((mode&TG_CRLF) && buf[rd-1]=='\r') 199 buf[rd++]='\n'; ** CID 350348: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1376 in JSRuntime::realloc(void *, unsigned long, unsigned long, JSContext *)() ________________________________________________________________________________________________________ *** CID 350348: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1376 in JSRuntime::realloc(void *, unsigned long, unsigned long, JSContext *)() 1370 } 1371 1372 void* realloc(void* p, size_t oldBytes, size_t newBytes, JSContext *cx = NULL) { 1373 JS_ASSERT(oldBytes < newBytes); 1374 updateMallocCounter(newBytes - oldBytes); 1375 void *p2 = ::js_realloc(p, newBytes); >>> CID 350348: Resource leaks (RESOURCE_LEAK) >>> Variable "p2" going out of scope leaks the storage it points to. 1376 return JS_LIKELY(!!p2) ? p2 : onOutOfMemory(p, newBytes, cx); 1377 } 1378 1379 void* realloc(void* p, size_t bytes, JSContext *cx = NULL) { 1380 /* 1381 * For compatibility we do not account for realloc that increases ** CID 350347: (UNINIT) ________________________________________________________________________________________________________ *** CID 350347: (UNINIT) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsstr.cpp: 2517 in js::str_replace(JSContext *, unsigned int, js::Value *)() 2511 * |RegExp| statics. 2512 */ 2513 2514 const FlatMatch *fm = rdata.g.tryFlatMatch(cx, rdata.str, optarg, argc, false); 2515 if (!fm) { 2516 if (cx->isExceptionPending()) /* oom in RopeMatch in tryFlatMatch */ >>> CID 350347: (UNINIT) >>> Using uninitialized value "rdata.session.frame_.regs_.fp" when calling "~ReplaceData". 
2517 return false; 2518 JS_ASSERT_IF(!rdata.g.hasRegExpPair(), argc > optarg); 2519 return str_replace_regexp(cx, argc, vp, rdata); 2520 } 2521 2522 if (fm->match() < 0) { /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsstr.cpp: 2517 in js::str_replace(JSContext *, unsigned int, js::Value *)() 2511 * |RegExp| statics. 2512 */ 2513 2514 const FlatMatch *fm = rdata.g.tryFlatMatch(cx, rdata.str, optarg, argc, false); 2515 if (!fm) { 2516 if (cx->isExceptionPending()) /* oom in RopeMatch in tryFlatMatch */ >>> CID 350347: (UNINIT) >>> Using uninitialized value "rdata.singleShot.prevInvokeArgEnd" when calling "~ReplaceData". 2517 return false; 2518 JS_ASSERT_IF(!rdata.g.hasRegExpPair(), argc > optarg); 2519 return str_replace_regexp(cx, argc, vp, rdata); 2520 } 2521 2522 if (fm->match() < 0) { /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsstr.cpp: 2443 in js::str_replace(JSContext *, unsigned int, js::Value *)() 2437 JSBool 2438 js::str_replace(JSContext *cx, uintN argc, Value *vp) 2439 { 2440 ReplaceData rdata(cx); 2441 rdata.str = ThisToStringForStringProto(cx, vp); 2442 if (!rdata.str) >>> CID 350347: (UNINIT) >>> Using uninitialized value "rdata.singleShot.prevInvokeArgEnd" when calling "~ReplaceData". 2443 return false; 2444 static const uint32 optarg = 2; 2445 2446 /* Extract replacement string/function. */ 2447 if (argc >= optarg && js_IsCallable(vp[3])) { 2448 rdata.lambda = &vp[3].toObject(); /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsstr.cpp: 2443 in js::str_replace(JSContext *, unsigned int, js::Value *)() 2437 JSBool 2438 js::str_replace(JSContext *cx, uintN argc, Value *vp) 2439 { 2440 ReplaceData rdata(cx); 2441 rdata.str = ThisToStringForStringProto(cx, vp); 2442 if (!rdata.str) >>> CID 350347: (UNINIT) >>> Using uninitialized value "rdata.session.frame_.regs_.fp" when calling "~ReplaceData". 2443 return false; 2444 static const uint32 optarg = 2; 2445 2446 /* Extract replacement string/function. 
*/ 2447 if (argc >= optarg && js_IsCallable(vp[3])) { 2448 rdata.lambda = &vp[3].toObject(); ** CID 350346: (UNINIT) ________________________________________________________________________________________________________ *** CID 350346: (UNINIT) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsreflect.cpp: 2165 in js::ASTSerializer::statement(JSParseNode *, js::Value *)() 2159 2160 case TOK_WITH: 2161 case TOK_WHILE: 2162 { 2163 Value expr, stmt; 2164 >>> CID 350346: (UNINIT) >>> Using uninitialized value "stmt" when calling "whileStatement". 2165 return expression(pn->pn_left, &expr) && 2166 statement(pn->pn_right, &stmt) && 2167 (PN_TYPE(pn) == TOK_WITH) 2168 ? builder.withStatement(expr, stmt, &pn->pn_pos, dst) 2169 : builder.whileStatement(expr, stmt, &pn->pn_pos, dst); 2170 } /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsreflect.cpp: 2165 in js::ASTSerializer::statement(JSParseNode *, js::Value *)() 2159 2160 case TOK_WITH: 2161 case TOK_WHILE: 2162 { 2163 Value expr, stmt; 2164 >>> CID 350346: (UNINIT) >>> Using uninitialized value "stmt.data" when calling "whileStatement". 2165 return expression(pn->pn_left, &expr) && 2166 statement(pn->pn_right, &stmt) && 2167 (PN_TYPE(pn) == TOK_WITH) 2168 ? builder.withStatement(expr, stmt, &pn->pn_pos, dst) 2169 : builder.whileStatement(expr, stmt, &pn->pn_pos, dst); 2170 } ** CID 350345: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 350345: Memory - corruptions (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/cl/bn/bn_mul.c: 1130 in BN_mul() 1124 rr->top = top; 1125 bn_mul_normal(rr->d, a->d, al, b->d, bl); 1126 1127 #if defined(BN_MUL_COMBA) || defined(BN_RECURSION) 1128 end: 1129 #endif >>> CID 350345: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 72 by passing argument "rr->top" (which evaluates to 272) in call to "BN_normalise". 
1130 bn_correct_top(rr); 1131 if (r != rr) 1132 BN_copy(r, rr); 1133 ret = 1; 1134 err: 1135 bn_check_top(r); ** CID 350344: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350344: Uninitialized variables (UNINIT) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/methodjit/Compiler.cpp: 3355 in js::mjit::Compiler::jsop_callprop_obj(JSAtom *)() 3349 labels.setInlineShapeJump(masm, inlineShapeLabel, inlineShapeJump); 3350 #else 3351 labels.setInlineShapeJump(masm, pic.shapeGuard, inlineShapeJump); 3352 #endif 3353 3354 stubcc.rejoin(Changes(2)); >>> CID 350344: Uninitialized variables (UNINIT) >>> Using uninitialized value "pic". Field "pic.vr" is uninitialized when calling "append". 3355 pics.append(pic); 3356 3357 return true; 3358 } 3359 3360 bool ** CID 350343: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350343: Uninitialized variables (UNINIT) /js_system.c: 1922 in js_chkname() 1916 1917 js_system_private_t* sys; 1918 if((sys = (js_system_private_t*)js_GetClassPrivate(cx,obj,&js_system_class))==NULL) 1919 return JS_FALSE; 1920 1921 rc=JS_SUSPENDREQUEST(cx); >>> CID 350343: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "check_name". 
1922 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(check_name(sys->cfg,str))); 1923 JS_RESUMEREQUEST(cx, rc); 1924 1925 return(JS_TRUE); 1926 } 1927 ** CID 350342: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350342: Uninitialized variables (UNINIT) /mailsrvr.c: 3160 in smtp_thread() 3154 return; 3155 } 3156 3157 if(trashcan(&scfg,host_name,"smtpspy") 3158 || trashcan(&scfg,host_ip,"smtpspy")) { 3159 SAFEPRINTF2(path,"%s%sspy.txt", scfg.logs_dir, client.protocol); >>> CID 350342: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "strlwr". 3160 strlwr(str); 3161 spy=fopen(str,"a"); 3162 } 3163 3164 /* Initialize client display */ 3165 client.size=sizeof(client); [Reviewer note on CID 350342: in the excerpt shown, the spy-file name is formatted into `path` (line 3159) but `str` is what gets lowercased and passed to fopen() (lines 3160-3161). Unless `str` is assigned earlier in smtp_thread (not visible here), the file is opened from whatever the buffer happens to contain, and the intended variable is most likely `path`; this one is worth triaging ahead of the vendored-library findings because it sits in the SMTP server's per-connection path and the opened file name is attacker-influenced only if `str` holds earlier client data - confirm against the full function.] ** CID 350341: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1369 in JSRuntime::calloc(unsigned long, JSContext *)() ________________________________________________________________________________________________________ *** CID 350341: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1369 in JSRuntime::calloc(unsigned long, JSContext *)() 1363 * Call the system calloc while checking for GC memory pressure and 1364 * reporting OOM error when cx is not null. 1365 */ 1366 void* calloc(size_t bytes, JSContext *cx = NULL) { 1367 updateMallocCounter(bytes); 1368 void *p = ::js_calloc(bytes); >>> CID 350341: Resource leaks (RESOURCE_LEAK) >>> Variable "p" going out of scope leaks the storage it points to. 1369 return JS_LIKELY(!!p) ? 
p : onOutOfMemory(reinterpret_cast(1), bytes, cx); 1370 } 1371 1372 void* realloc(void* p, size_t oldBytes, size_t newBytes, JSContext *cx = NULL) { 1373 JS_ASSERT(oldBytes < newBytes); 1374 updateMallocCounter(newBytes - oldBytes); ** CID 350340: Memory - illegal accesses (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsopcode.cpp: 5408 in SimulateImacroCFG(JSContext *, JSScript *, unsigned int, unsigned char *, unsigned char *, unsigned char **)() ________________________________________________________________________________________________________ *** CID 350340: Memory - illegal accesses (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsopcode.cpp: 5408 in SimulateImacroCFG(JSContext *, JSScript *, unsigned int, unsigned char *, unsigned char *, unsigned char **)() 5402 } 5403 5404 ptrdiff_t oplen; 5405 for (; pc < target; pc += oplen) { 5406 JSOp op = js_GetOpcode(cx, script, pc); 5407 const JSCodeSpec *cs = &js_CodeSpec[op]; >>> CID 350340: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 1952 bytes at byte offset 2040 by dereferencing pointer "cs". 5408 oplen = cs->length; 5409 if (oplen < 0) 5410 oplen = js_GetVariableBytecodeLength(pc); 5411 5412 if (SimulateOp(cx, script, op, cs, pc, tmp_pcstack, pcdepth) < 0) 5413 goto failure; ** CID 350339: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350339: Uninitialized variables (UNINIT) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/methodjit/Compiler.cpp: 3528 in js::mjit::Compiler::jsop_name(JSAtom *)() 3522 labels.setInlineJump(masm, pic.fastPathStart, inlineJump); 3523 3524 frame.pushRegs(pic.shapeReg, pic.objReg); 3525 3526 stubcc.rejoin(Changes(1)); 3527 >>> CID 350339: Uninitialized variables (UNINIT) >>> Using uninitialized value "pic". Field "pic.pc" is uninitialized when calling "append". 
3528 pics.append(pic); 3529 } 3530 3531 bool 3532 mjit::Compiler::jsop_xname(JSAtom *atom) 3533 { ** CID 350338: (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 350338: (USE_AFTER_FREE) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsdtoa.cpp: 506 in js_dtobasestr() 500 if (j1 > 0) { 501 /* Either dig or dig+1 would work here as the least significant digit. 502 Use whichever would produce an output value closer to d. */ 503 b = lshift(PASS_STATE b, 1); 504 if (!b) 505 goto nomem2; >>> CID 350338: (USE_AFTER_FREE) >>> Calling "cmp" dereferences freed pointer "s". 506 j1 = cmp(b, s); 507 if (j1 > 0) /* The even test (|| (j1 == 0 && (digit & 1))) is not here because it messes up odd base output 508 * such as 3.5 in base 3. */ 509 digit++; 510 } 511 done = JS_TRUE; /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsdtoa.cpp: 481 in js_dtobasestr() 475 goto nomem2; 476 } 477 478 /* Do we yet have the shortest string that will round to d? */ 479 j = cmp(b, mlo); 480 /* j is b/2^s2 compared with mlo/2^s2. */ >>> CID 350338: (USE_AFTER_FREE) >>> Calling "diff" dereferences freed pointer "s". 481 delta = diff(PASS_STATE s, mhi); 482 if (!delta) 483 goto nomem2; 484 j1 = delta->sign ? 1 : cmp(b, delta); 485 Bfree(PASS_STATE delta); 486 /* j1 is b/2^s2 compared with 1 - mhi/2^s2. */ /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jsdtoa.cpp: 481 in js_dtobasestr() 475 goto nomem2; 476 } 477 478 /* Do we yet have the shortest string that will round to d? */ 479 j = cmp(b, mlo); 480 /* j is b/2^s2 compared with mlo/2^s2. */ >>> CID 350338: (USE_AFTER_FREE) >>> Calling "diff" dereferences freed pointer "s". 481 delta = diff(PASS_STATE s, mhi); 482 if (!delta) 483 goto nomem2; 484 j1 = delta->sign ? 1 : cmp(b, delta); 485 Bfree(PASS_STATE delta); 486 /* j1 is b/2^s2 compared with 1 - mhi/2^s2. 
*/ ** CID 350337: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1359 in JSRuntime::malloc(unsigned long, JSContext *)() ________________________________________________________________________________________________________ *** CID 350337: Resource leaks (RESOURCE_LEAK) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/jscntxt.h: 1359 in JSRuntime::malloc(unsigned long, JSContext *)() 1353 * Call the system malloc while checking for GC memory pressure and 1354 * reporting OOM error when cx is not null. 1355 */ 1356 void* malloc(size_t bytes, JSContext *cx = NULL) { 1357 updateMallocCounter(bytes); 1358 void *p = ::js_malloc(bytes); >>> CID 350337: Resource leaks (RESOURCE_LEAK) >>> Variable "p" going out of scope leaks the storage it points to. 1359 return JS_LIKELY(!!p) ? p : onOutOfMemory(NULL, bytes, cx); 1360 } 1361 1362 /* 1363 * Call the system calloc while checking for GC memory pressure and 1364 * reporting OOM error when cx is not null. ** CID 350336: Uninitialized variables (UNINIT) /main.cpp: 2755 in event_thread(void *)() ________________________________________________________________________________________________________ *** CID 350336: Uninitialized variables (UNINIT) /main.cpp: 2755 in event_thread(void *)() 2749 SAFEPRINTF3(str,"%sfile%c%04u.qwk" 2750 ,sbbs->cfg.data_dir,PATH_DELIM,sbbs->useron.number); 2751 if(sbbs->pack_qwk(str,&l,true /* pre-pack/off-line */)) { 2752 sbbs->lprintf(LOG_INFO, "Packing completed: %s", str); 2753 sbbs->qwk_success(l,0,1); 2754 sbbs->putmsgptrs(); >>> CID 350336: Uninitialized variables (UNINIT) >>> Using uninitialized value "*bat_list" when calling "remove". 
2755 remove(bat_list); 2756 } else 2757 sbbs->lputs(LOG_INFO, "No packet created (no new messages)"); 2758 sbbs->delfiles(sbbs->cfg.temp_dir,ALLFILES); 2759 sbbs->console&=~CON_L_ECHO; 2760 sbbs->online=FALSE; ** CID 350335: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 350335: Memory - corruptions (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/nanojit/Assembler.cpp: 716 in nanojit::Assembler::freeResourcesOf(nanojit::LIns *)() 710 } 711 712 // Frees all record of registers and spill slots used by 'ins'. 713 void Assembler::freeResourcesOf(LIns *ins) 714 { 715 if (ins->isInReg()) { >>> CID 350335: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 32 by passing argument "ins->getReg()" (which evaluates to 127) in call to "retire". 716 _allocator.retire(ins->getReg()); // free any register associated with entry 717 ins->clearReg(); 718 } 719 if (ins->isInAr()) { 720 arFree(ins); // free any AR space associated with entry 721 ins->clearArIndex(); ** CID 350334: (USE_AFTER_FREE) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 3095 in dtoa(DtoaState *, U, int, int, int *, int *, char **)() ________________________________________________________________________________________________________ *** CID 350334: (USE_AFTER_FREE) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 3108 in dtoa(DtoaState *, U, int, int, int *, int *, char **)() 3102 for(i = 1;;i++) { 3103 dig = quorem(b,S) + '0'; 3104 /* Do we yet have the shortest decimal string 3105 * that will round to d? 3106 */ 3107 j = cmp(b, mlo); >>> CID 350334: (USE_AFTER_FREE) >>> Calling "diff" dereferences freed pointer "mhi". 3108 delta = diff(PASS_STATE S, mhi); 3109 j1 = delta->sign ? 
1 : cmp(b, delta); 3110 Bfree(PASS_STATE delta); 3111 #ifndef ROUND_BIASED 3112 if (j1 == 0 && mode != 1 && !(word1(d) & 1) 3113 #ifdef Honor_FLT_ROUNDS /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 3108 in dtoa(DtoaState *, U, int, int, int *, int *, char **)() 3102 for(i = 1;;i++) { 3103 dig = quorem(b,S) + '0'; 3104 /* Do we yet have the shortest decimal string 3105 * that will round to d? 3106 */ 3107 j = cmp(b, mlo); >>> CID 350334: (USE_AFTER_FREE) >>> Calling "diff" dereferences freed pointer "mhi". 3108 delta = diff(PASS_STATE S, mhi); 3109 j1 = delta->sign ? 1 : cmp(b, delta); 3110 Bfree(PASS_STATE delta); 3111 #ifndef ROUND_BIASED 3112 if (j1 == 0 && mode != 1 && !(word1(d) & 1) 3113 #ifdef Honor_FLT_ROUNDS /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/dtoa.c: 3095 in dtoa(DtoaState *, U, int, int, int *, int *, char **)() 3089 mhi = lshift(PASS_STATE mhi, m2); 3090 3091 /* Compute mlo -- check for special case 3092 * that d is a normalized power of 2. 3093 */ 3094 >>> CID 350334: (USE_AFTER_FREE) >>> Using freed pointer "mhi". 3095 mlo = mhi; 3096 if (spec_case) { 3097 mhi = Balloc(PASS_STATE mhi->k); 3098 Bcopy(mhi, mlo); 3099 mhi = lshift(PASS_STATE mhi, Log2P); 3100 } ** CID 350333: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350333: Uninitialized variables (UNINIT) /js_socket.c: 1817 in js_getsockopt() 1811 if((p=(js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class))==NULL) { 1812 return(JS_FALSE); 1813 } 1814 1815 rc=JS_SUSPENDREQUEST(cx); 1816 JSVALUE_TO_ASTRING(cx, argv[0], cstr, 64, NULL); >>> CID 350333: Uninitialized variables (UNINIT) >>> Using uninitialized value "*cstr" when calling "getSocketOptionByName". 
1817 if((opt = getSocketOptionByName(cstr, &level)) == -1) { 1818 JS_RESUMEREQUEST(cx, rc); 1819 return(JS_TRUE); 1820 } 1821 1822 if(opt == SO_LINGER) { ** CID 350332: (OVERRUN) ________________________________________________________________________________________________________ *** CID 350332: (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/nanojit/Assembler.cpp: 542 in nanojit::Assembler::findRegFor(nanojit::LIns *, unsigned int)() 536 // 537 // pre-state: ecx(ins) 538 // instruction: mov eax, ecx 539 // post-state: eax(ins) 540 // 541 Register s = r; >>> CID 350332: (OVERRUN) >>> Overrunning callee's array of size 32 by passing argument "r" (which evaluates to 127) in call to "retire". 542 _allocator.retire(r); 543 r = registerAlloc(ins, allow, hint(ins)); 544 545 // 'ins' is in 'allow', in register r (different to the old r); 546 // s is the old r. 547 if ((rmask(s) & GpRegs) && (rmask(r) & GpRegs)) { /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/nanojit/Assembler.cpp: 511 in nanojit::Assembler::findRegFor(nanojit::LIns *, unsigned int)() 505 if (!ins->isInReg()) { 506 // 'ins' isn't in a register (must be in a spill slot or nowhere). 507 r = registerAlloc(ins, allow, hint(ins)); 508 509 } else if (rmask(r = ins->getReg()) & allow) { 510 // 'ins' is in an allowed register. >>> CID 350332: (OVERRUN) >>> Overrunning callee's array of size 32 by passing argument "r" (which evaluates to 127) in call to "useActive". 511 _allocator.useActive(r); 512 513 } else { 514 // 'ins' is in a register (r) that's not in 'allow'. 
515 #ifdef NANOJIT_IA32 516 if (((rmask(r)&XmmRegs) && !(allow&XmmRegs)) || ** CID 350331: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 350331: Memory - corruptions (OVERRUN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/nanojit/Assembler.cpp: 255 in nanojit::Assembler::registerAlloc(nanojit::LIns *, unsigned int, unsigned int)() 249 r = vic->getReg(); 250 251 evict(vic); 252 253 // r ends up staying active, but the LIns defining it changes. 254 _allocator.removeFree(r); >>> CID 350331: Memory - corruptions (OVERRUN) >>> Overrunning callee's array of size 32 by passing argument "r" (which evaluates to 127) in call to "addActive". 255 _allocator.addActive(r, ins); 256 ins->setReg(r); 257 } 258 259 return r; 260 } ** CID 350330: Error handling issues (CHECKED_RETURN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/methodjit/StubCalls.cpp: 2114 in InitPropOrMethod(js::VMFrame &, JSAtom *, JSOp)() ________________________________________________________________________________________________________ *** CID 350330: Error handling issues (CHECKED_RETURN) /tmp/sbbs-Mar-01-2022/3rdp/src/mozjs/js-1.8.5/js/src/methodjit/StubCalls.cpp: 2114 in InitPropOrMethod(js::VMFrame &, JSAtom *, JSOp)() 2108 /* Get the immediate property name into id. */ 2109 jsid id = ATOM_TO_JSID(atom); 2110 2111 uintN defineHow = (op == JSOP_INITMETHOD) 2112 ? JSDNP_CACHE_RESULT | JSDNP_SET_METHOD 2113 : JSDNP_CACHE_RESULT; >>> CID 350330: Error handling issues (CHECKED_RETURN) >>> Calling "js_SetPropertyHelper" without checking return value (as is done elsewhere 4 out of 5 times). 2114 if (!(JS_UNLIKELY(atom == cx->runtime->atomState.protoAtom) 2115 ? 
js_SetPropertyHelper(cx, obj, id, defineHow, &rval, false) 2116 : js_DefineNativeProperty(cx, obj, id, rval, NULL, NULL, 2117 JSPROP_ENUMERATE, 0, 0, NULL, 2118 defineHow))) { 2119 THROW(); [Reviewer note on CID 350330: in the excerpt shown, the `if(!(...))` that starts on line 2114 does test the value of whichever call the `?:` selects, so the js_SetPropertyHelper result is not simply discarded; before closing this as a false positive, confirm that both arms of the conditional expression yield a boolean-compatible value so the test means what it appears to. The enclosing function continues beyond the excerpt. More generally, most of the 20 findings listed here are in vendored code under 3rdp/src (mozjs js-1.8.5, cl/bn), which is no longer maintained upstream; those need a decision on patching locally versus suppressing, whereas the findings in Synchronet's own sources (telgate.cpp, js_system.c, mailsrvr.c, main.cpp, js_socket.c) can be fixed directly.] ________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit: https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3DEMqw_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrCP-2B8OHIldljvVVL5cQeE6UT0WnQ1RNbqLoTxk-2FeL9PEk8n4H0FlfdjUpDUESHU7jfONTBkfwWnTxTnSwiEf8HMCaPWxKHWwiX5TlAgpBxAxNxqOwpiuqloQotGWODdOqhlmv0xc95f00sygbqs-2B5cr6DKQDu2jc96LxrO4bOzQnQ-3D-3D (note: this is a SendGrid click-tracking redirect rather than a direct scan.coverity.com URL, so it will not resolve if tracking redirectors are blocked; open the project page in Coverity Scan directly in that case).