Subj : New Defects reported by Coverity Scan for Synchronet
To : cov-scan@synchro.net
From : scan-admin@coverity.com
Date : Sun May 07 2023 02:09 pm

Hi,

Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.

3 new defect(s) introduced to Synchronet found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)

** CID 453850: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 453850: Memory - corruptions (OVERRUN)
/main.cpp: 2135 in input_thread(void *)()
2129 else
2130 wrbuf=telnet_interpret(sbbs, inbuf, rd, telbuf, wr);
2131 if(wr > (int)sizeof(telbuf))
2132 lprintf(LOG_ERR,"!TELBUF OVERFLOW (%d>%d)",wr,(int)sizeof(telbuf));
2133
2134 if(!(sbbs->console & CON_RAW_IN))
>>> CID 453850: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "wrbuf" of 4000 bytes by passing it to a function which accesses it at byte offset 4000 using argument "wr" (which evaluates to 4001).
2135 sbbs->translate_input(wrbuf, wr);
2136
2137 if(sbbs->passthru_socket_active == true) {
2138 BOOL writable = FALSE;
2139 if(socket_check(sbbs->passthru_socket, NULL, &writable, 1000) && writable)
2140 (void)sendsocket(sbbs->passthru_socket, (char*)wrbuf, wr);

** CID 453849: (STRING_SIZE)
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 72 in main()
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 74 in main()
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 68 in main()
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 70 in main()
________________________________________________________________________________________________________
*** CID 453849: (STRING_SIZE)
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 72 in main()
66 return EXIT_FAILURE;
67 }
68 sprintf(path, "%s/rgbmap.s", argv[2]);
69 s = fopen(path, "w");
70 sprintf(path, "%s/rgbmap.h", argv[2]);
71 h = fopen(path, "w");
>>> CID 453849: (STRING_SIZE)
>>> Passing string "argv[2]" of unknown size to "sprintf".
72 sprintf(path, "%s/r2y.bin", argv[2]);
73 r = fopen(path, "wb");
74 sprintf(path, "%s/y2r.bin", argv[2]);
75 y = fopen(path, "wb");
76 init_r2y();
77 if (argc > 1 && strcmp(argv[1], "win32") == 0)
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 74 in main()
68 sprintf(path, "%s/rgbmap.s", argv[2]);
69 s = fopen(path, "w");
70 sprintf(path, "%s/rgbmap.h", argv[2]);
71 h = fopen(path, "w");
72 sprintf(path, "%s/r2y.bin", argv[2]);
73 r = fopen(path, "wb");
>>> CID 453849: (STRING_SIZE)
>>> Passing string "argv[2]" of unknown size to "sprintf".
74 sprintf(path, "%s/y2r.bin", argv[2]);
75 y = fopen(path, "wb");
76 init_r2y();
77 if (argc > 1 && strcmp(argv[1], "win32") == 0)
78 mangle = "_";
79
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 68 in main()
62 char *mangle = "";
63
64 if (argc != 3) {
65 fprintf(stderr, "Usage: %s \n", argv[0]);
66 return EXIT_FAILURE;
67 }
>>> CID 453849: (STRING_SIZE)
>>> Passing string "argv[2]" of unknown size to "sprintf".
68 sprintf(path, "%s/rgbmap.s", argv[2]);
69 s = fopen(path, "w");
70 sprintf(path, "%s/rgbmap.h", argv[2]);
71 h = fopen(path, "w");
72 sprintf(path, "%s/r2y.bin", argv[2]);
73 r = fopen(path, "wb");
/tmp/sbbs-May-07-2023/src/conio/genmap.c: 70 in main()
64 if (argc != 3) {
65 fprintf(stderr, "Usage: %s \n", argv[0]);
66 return EXIT_FAILURE;
67 }
68 sprintf(path, "%s/rgbmap.s", argv[2]);
69 s = fopen(path, "w");
>>> CID 453849: (STRING_SIZE)
>>> Passing string "argv[2]" of unknown size to "sprintf".
70 sprintf(path, "%s/rgbmap.h", argv[2]);
71 h = fopen(path, "w");
72 sprintf(path, "%s/r2y.bin", argv[2]);
73 r = fopen(path, "wb");
74 sprintf(path, "%s/y2r.bin", argv[2]);
75 y = fopen(path, "wb");

** CID 453848: Concurrent data access violations (MISSING_LOCK)
/tmp/sbbs-May-07-2023/src/conio/x_events.c: 562 in video_init()
________________________________________________________________________________________________________
*** CID 453848: Concurrent data access violations (MISSING_LOCK)
/tmp/sbbs-May-07-2023/src/conio/x_events.c: 562 in video_init()
556 if (x_cvstat.scaling < 1 || vstat.scaling < 1)
557 x_cvstat.scaling = vstat.scaling = 1;
558 pthread_mutex_unlock(&vstatlock);
559 /* Initialize mode 3 (text, 80x25, 16 colors) */
560 if(load_vmode(&vstat, ciolib_initial_mode))
561 return(-1);
>>> CID 453848: Concurrent data access violations (MISSING_LOCK)
>>> Accessing "x_cvstat" without holding lock "vstatlock". Elsewhere, "x_cvstat" is accessed with "vstatlock" held 3 out of 4 times (1 of these accesses strongly imply that it is necessary).
562 x_cvstat = vstat;
563 if(init_window())
564 return(-1);
565 bitmap_drv_init(x11_drawrect, x11_flush);
566 pthread_mutex_lock(&vstatlock);
567 bitmap_drv_init_mode(vstat.mode, NULL, NULL, 0, 0);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yp-2FP9gGRhvFklLaQKuBylUrkMFB3WMR2p7qIYKYTZrh4BbWTBf-2B-2Fi5ZUVF-2Fo-2B6flxo-3DHCK2_g4j7BHlu96plUOfCQsO0yRjoWZCZl8YGnZ-2FUtT39hrCrnxZlR95qbad06mHzW16hipyALzV0mFuj3ay6pFxYR0eStfRzX4PFZA0tGWVeDEIjb6ggx0scvHBcaLMTSmWKTHh-2BY-2F-2FJXVJUS-2FMWWRke5EcHM57k-2F70xISfOM2XGn-2F4aK35uR43soY3XaxM-2BxoxpO-2BmFSex4uKhKezwAhOx42w-3D-3D .