Fwd: New Defects reported by Coverity Scan for Das U-Boot

Tom Rini trini at konsulko.com
Tue Jul 29 18:32:03 CEST 2025 

So I ran Coverity with the newest scan version and this is good news.
Only a few newly found issues in existing code.

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Tue, Jul 29, 2025 at 10:04 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 12 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 583415:       Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369           in do_i2c_write()


_____________________________________________________________________________________________
*** CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369             in do_i2c_write()
363     			return i2c_report_err(ret, I2C_ERR_WRITE);
364     	} else {
365     		/*
366     		 * Repeated addressing - perform <length> separate
367     		 * write transactions of one byte each
368     		 */
>>>     CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "length--", where "length" is known to be equal to 0, underflows the type of "length--", which is type "uint".
369     		while (length-- > 0) {
370     #if CONFIG_IS_ENABLED(DM_I2C)
371     			i2c_chip->flags |= DM_I2C_CHIP_WR_ADDRESS;
372     			ret = dm_i2c_write(dev, devaddr++, memaddr++, 1);
373     #else
374     			ret = i2c_write(chip, devaddr++, alen, memaddr++, 1);

** CID 583414:       Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334           in eficonfig_append_menu_entry()


_____________________________________________________________________________________________
*** CID 583414:         Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334             in eficonfig_append_menu_entry()
328
329     	entry = calloc(1, sizeof(struct eficonfig_entry));
330     	if (!entry)
331     		return EFI_OUT_OF_RESOURCES;
332
333     	entry->title = title;
>>>     CID 583414:         Memory - corruptions  (OVERRUN)
>>>     "sprintf" will overrun its first argument "entry->key" which can accommodate 3 bytes.  The number of bytes written may be 11 bytes, including the terminating null.
334     	sprintf(entry->key, "%d", efi_menu->count);
335     	entry->efi_menu = efi_menu;
336     	entry->func = func;
337     	entry->data = data;
338     	entry->num = efi_menu->count++;
339     	list_add_tail(&entry->list, &efi_menu->list);

** CID 583357:         (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714           in deflate_slow()
/lib/zlib/deflate.c: 1706           in deflate_slow()


_____________________________________________________________________________________________
*** CID 583357:           (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714             in deflate_slow()
1708
1709                 /* Insert in hash table all strings up to the end
of the match.
1710                  * strstart-1 and strstart are already inserted.
If there is not
1711                  * enough lookahead, the last two strings are not
inserted in
1712                  * the hash table.
1713                  */
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "s->lookahead", where "s->prev_length - 1U" is known to be equal to 4294967270, underflows the type of "s->lookahead", which is type "uInt".
1714                 s->lookahead -= s->prev_length-1;
1715                 s->prev_length -= 2;
1716                 do {
1717                     if (++s->strstart <= max_insert) {
1718                         INSERT_STRING(s, s->strstart, hash_head);
1719                     }
/lib/zlib/deflate.c: 1706             in deflate_slow()
1700             if (s->prev_length >= MIN_MATCH && s->match_length <=
s->prev_length) {
1701                 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
1702                 /* Do not insert strings in hash table beyond this. */
1703
1704                 check_match(s, s->strstart-1, s->prev_match,
s->prev_length);
1705
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "len", where "s->prev_length - 3U" is known to be equal to 4294967267, overflows the type of "len", which is type "uch".
1706                 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
1707                                s->prev_length - MIN_MATCH, bflush);
1708
1709                 /* Insert in hash table all strings up to the end
of the match.
1710                  * strstart-1 and strstart are already inserted.
If there is not
1711                  * enough lookahead, the last two strings are not
inserted in



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250729/4b65098c/attachment.sig>

More information about the U-Boot mailing list