New Defects reported by Coverity Scan for digiKam
scan-admin at coverity.com
Thu Apr 3 10:20:49 BST 2025
Hi,
Please find the latest report on new defect(s) introduced to digiKam found with Coverity Scan.
18 new defect(s) introduced to digiKam found with Coverity Scan.
30 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 1645611: (TAINTED_SCALAR)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/ciff.cpp: 289 in LibRaw::parse_ciff(long long, int, int)()
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/ciff.cpp: 276 in LibRaw::parse_ciff(long long, int, int)()
________________________________________________________________________________________________________
*** CID 1645611: (TAINTED_SCALAR)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/ciff.cpp: 289 in LibRaw::parse_ciff(long long, int, int)()
283 }
284 }
285 fseek (ifp, 68-int(Canon_D30_linenums_2_StdWBi.size())*8, SEEK_CUR);
286
287 FORC4 {
288 q = get2();
>>> CID 1645611: (TAINTED_SCALAR)
>>> Using tainted expression "(1 > q) ? 1 : q" as the divisor in "1024f / (float)((1 > q) ? 1 : q)". Reviewer note: the MAX(1, q) on line 289 already clamps the divisor to at least 1, so this cannot divide by zero; the analyzer is flagging that q (read from the file via get2()) is unsanitized, not a reachable fault. Treat as low priority unless the clamp is removed.
289 cam_mul[RGGB_2_RGBG(c)] = 1024.f / float(MAX(1, q));
290 }
291 if (!wbi)
292 cam_mul[0] = -1; // use my auto white balance
293
294 }
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/ciff.cpp: 276 in LibRaw::parse_ciff(long long, int, int)()
270 ushort q;
271 fseek(ifp, 4, SEEK_CUR);
272 for (unsigned linenum = 0; linenum < Canon_D30_linenums_2_StdWBi.size(); linenum++) {
273 if (Canon_D30_linenums_2_StdWBi[linenum] != LIBRAW_WBI_Unknown) {
274 FORC4 {
275 q = get2();
>>> CID 1645611: (TAINTED_SCALAR)
>>> Using tainted expression "(1 > q) ? 1 : q" as the divisor in "1.024e+06f / (float)((1 > q) ? 1 : q)". Reviewer note: same pattern as line 289 — MAX(1, q) on line 277 bounds the divisor to >= 1, so this is a taint-propagation warning rather than an actual divide-by-zero.
276 icWBC[Canon_D30_linenums_2_StdWBi[linenum]][RGGB_2_RGBG(c)] =
277 (int)(roundf(1024000.0f / (float)MAX(1, q)));
278 }
279 // if (Canon_wbi2std[imCanon.wbi] == *(Canon_D30_linenums_2_StdWBi + linenum)) {
280 // FORC4 cam_mul[c] = icWBC[*(Canon_D30_linenums_2_StdWBi + linenum)][c];
281 // Got_AsShotWB = 1;
** CID 1645610: Control flow issues (NO_EFFECT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/utils/open.cpp: 1188 in LibRaw::open_datastream(LibRaw_abstract_datastream *)()
________________________________________________________________________________________________________
*** CID 1645610: Control flow issues (NO_EFFECT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/utils/open.cpp: 1188 in LibRaw::open_datastream(LibRaw_abstract_datastream *)()
1182 else if (makeIs(LIBRAW_CAMERAMAKER_Sony) && load_raw == &LibRaw::sony_ycbcr_load_raw)
1183 imgdata.color.as_shot_wb_applied = LIBRAW_ASWB_APPLIED | LIBRAW_ASWB_SONY;
1184 else
1185 imgdata.color.as_shot_wb_applied = 0;
1186
1187 // Adjust Highlight Linearity limit
>>> CID 1645610: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "this->imgdata.color.linear_max[0] < 0U". Reviewer note: because the test on line 1188 can never succeed, the whole adjustment block that follows (the negate-and-add-cblack loop at lines 1190-1193) is dead. Either the sentinel the check was written for is encoded differently, or linear_max was meant to be signed — worth confirming which before simply deleting the block.
1188 if (C.linear_max[0] < 0)
1189 {
1190 if (imgdata.idata.dng_version)
1191 {
1192 for (int c = 0; c < 4; c++)
1193 C.linear_max[c] = -1 * C.linear_max[c] + imgdata.color.cblack[c + 6];
** CID 1645609: Control flow issues (DEADCODE)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/misc_parsers.cpp: 177 in LibRaw::parse_qt(long long)()
________________________________________________________________________________________________________
*** CID 1645609: Control flow issues (DEADCODE)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/misc_parsers.cpp: 177 in LibRaw::parse_qt(long long)()
171 while (ftell(ifp) + 7 < end)
172 {
173 save = ftell(ifp);
174 if ((size = get4()) < 8)
175 return;
176 if ((int)size < 0)
>>> CID 1645609: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return;".
177 return; // 2+GB is too much
178 if (save + size < save)
179 return; // 32bit overflow
180 fread(tag, 4, 1, ifp);
181 if (!memcmp(tag, "moov", 4) || !memcmp(tag, "udta", 4) ||
182 !memcmp(tag, "CNTH", 4))
** CID 1645608: Insecure data handling (INTEGER_OVERFLOW)
________________________________________________________________________________________________________
*** CID 1645608: Insecure data handling (INTEGER_OVERFLOW)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 2048 in LibRaw::parseSonyMakernotes(long long, unsigned int, unsigned int, unsigned int, unsigned int, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &, unsigned char *&, unsigned short &)()
2042 {
2043 table_buf_0x940e = (uchar *)calloc(len,1);
2044 table_buf_0x940e_len = len;
2045 fread(table_buf_0x940e, len, 1, ifp);
2046 if (ilm.CamID)
2047 {
>>> CID 1645608: Insecure data handling (INTEGER_OVERFLOW)
>>> "table_buf_0x940e_len", which might have overflowed, is passed to "this->process_Sony_0x940e(table_buf_0x940e, table_buf_0x940e_len, this->imgdata.lens.makernotes.CamID)". Reviewer note: the range check on len for this branch is outside the excerpt; the sibling branch on line 2053 bounds len to (0x0076, 256000), so verify the 0x940e branch applies an equivalent upper bound before the calloc/fread on lines 2043-2045, and that the calloc result is checked for NULL before use.
2048 process_Sony_0x940e(table_buf_0x940e, table_buf_0x940e_len, ilm.CamID);
2049 free(table_buf_0x940e);
2050 table_buf_0x940e_len = 0;
2051 }
2052 }
2053 else if ((tag == 0x9416) && (len < 256000) && (len > 0x0076)) {
** CID 1645607: Incorrect expression (DIVIDE_BY_ZERO)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/postprocessing/postprocessing_aux.cpp: 361 in LibRaw::recover_highlights()()
________________________________________________________________________________________________________
*** CID 1645607: Incorrect expression (DIVIDE_BY_ZERO)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/postprocessing/postprocessing_aux.cpp: 361 in LibRaw::recover_highlights()()
355 sum += pixel[c];
356 wgt += pixel[kc];
357 count++;
358 }
359 }
360 if (count == SCALE * SCALE)
>>> CID 1645607: Incorrect expression (DIVIDE_BY_ZERO)
>>> In expression "sum / wgt", division by expression "wgt" which may be zero has undefined behavior. Reviewer note: wgt is the sum of pixel[kc] over the window (line 356), so it is zero whenever every sampled kc pixel is zero. If these are floating-point values the result is inf/NaN rather than UB, but either way a `wgt > 0` guard before line 361 is cheap and avoids poisoning the map.
361 map[mrow * wide + mcol] = sum / wgt;
362 }
363 for (spread = int(32.f / grow); spread--;)
364 {
365 for (mrow = 0; mrow < high; mrow++)
366 for (mcol = 0; mcol < wide; mcol++)
** CID 1645606: Incorrect expression (EVALUATION_ORDER)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/decoders/olympus14.cpp: 289 in LibRaw::olympus14_load_raw()()
________________________________________________________________________________________________________
*** CID 1645606: Incorrect expression (EVALUATION_ORDER)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/decoders/olympus14.cpp: 289 in LibRaw::olympus14_load_raw()()
283 vbits = 0;
284
285 pred1 = context[0];
286 context[0] = (tag0x644 == 15) ? 0 : vbits >> tag0x644;
287 int32_t W = col < 2 ? tag0x642 : context[1];
288 int32_t N = row < 2 ? tag0x642 : raw_image[(row - 2) * raw_width + col] >> tag0x640;
>>> CID 1645606: Incorrect expression (EVALUATION_ORDER)
>>> In "NW = ((row < 2U || col < 2U) ? tag0x642 : (NW = raw_image[(row - 2U) * raw_width + col - 2U] >> tag0x640))", "NW" is written twice with the same value. Reviewer note: the inner `NW =` inside the ternary's else-branch is redundant (the outer assignment already stores the same value) and is harmless; dropping it leaves `int32_t NW = (row < 2 || col < 2) ? tag0x642 : raw_image[(row - 2) * raw_width + col - 2] >> tag0x640;`.
289 int32_t NW = (row < 2 || col < 2)? tag0x642 : NW = raw_image[(row - 2) * raw_width + col - 2] >> tag0x640;
290
291 context[1] = lpred;
292 if ((W < N) || (NW < W))
293 {
294 if (NW <= N && W >= N)
** CID 1645605: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 914 in LibRaw::parse_tiff_ifd(long long)()
________________________________________________________________________________________________________
*** CID 1645605: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 914 in LibRaw::parse_tiff_ifd(long long)()
908 continue;
909 num = 0;
910 FORC4 num += rgb_cam[i][c];
911 FORC4 rgb_cam[i][c] /= float(MAX(1, num));
912 }
913 break;
>>> CID 1645605: Control flow issues (MISSING_BREAK)
>>> The case for value "34310U" is not terminated by a "break" statement. Reviewer note: falling from the "Leaf metadata" tag (0x8606) into the case that sets make to "Leaf" looks intentional given the comment on line 914; if so, mark it explicitly (a `/* FALLTHROUGH */` comment or `[[fallthrough]];` if the build standard allows) so the analyzer and future readers do not mistake it for an omission.
914 case 0x8606: /* 34310, Leaf metadata */
915 parse_mos(ftell(ifp));
916 case 0x85ff: // 34303
917 strcpy(make, "Leaf");
918 break;
919 case 0x8769: /* 34665, EXIF tag */
** CID 1645604: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1645604: Memory - corruptions (OVERRUN)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/leica.cpp: 360 in LibRaw::parseLeicaMakernote(long long, int, unsigned int)()
354 ilm.LensMount = LIBRAW_MOUNT_Leica_M;
355 ilm.LensFormat = LIBRAW_FORMAT_FF;
356 if (c != 0xff) ilm.LensID = c * 256;
357 }
358 else if (tag == 0x0500)
359 {
>>> CID 1645604: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 64 by passing argument "len" (which evaluates to 104857600) in call to "parseLeicaInternalBodySerial". Reviewer note: the specific value is the analyzer's upper bound, not necessarily one observed; the actionable point is that len appears to come from the makernote entry and is passed through unclamped. Either clamp len to the callee's 64-byte buffer before line 360 or have parseLeicaInternalBodySerial bound its own read.
360 parseLeicaInternalBodySerial(len);
361 }
362 }
363 else if (LeicaMakernoteSignature == 0x3400) // tag 0x3400 in M9, "M9 Monochrom", "M Monochrom"
364 {
365 if (tag == 0x34003402)
** CID 1645603: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 150 in LibRaw::parse_phase_one(long long)()
________________________________________________________________________________________________________
*** CID 1645603: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 150 in LibRaw::parse_phase_one(long long)()
144 ph1.black_row = int(data + base);
145 break;
146 case 0x0226:
147 for (i = 0; i < 9; i++)
148 imgdata.color.P1_color[1].romm_cam[i] = (float)getreal(LIBRAW_EXIFTAG_TYPE_FLOAT);
149 break;
>>> CID 1645603: Control flow issues (MISSING_BREAK)
>>> The case for value "769U" is not terminated by a "break" statement.
150 case 0x0301:
151 model[63] = 0;
152 fread(imPhaseOne.FirmwareString, 1, 255, ifp);
153 imPhaseOne.FirmwareString[255] = 0;
154 memcpy(model, imPhaseOne.FirmwareString, 63);
155 model[63] = 0;
** CID 1645602: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 264 in LibRaw::parse_exif(long long)()
________________________________________________________________________________________________________
*** CID 1645602: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 264 in LibRaw::parse_exif(long long)()
258 if (pos)
259 {
260 pos += 4;
261 char *pos2 = strstr(pos, " ");
262 if (pos2)
263 {
>>> CID 1645602: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "0 > (((ushort)(pos2 - pos) < 511) ? (ushort)(pos2 - pos) : 511)" is always false regardless of the values of its operands. This occurs as the logical first operand of "?:". Reviewer note: the lower bound of LIM is redundant because the value is already unsigned; the upper clamp to 511 is what bounds the memcpy on line 265 and the terminator write on line 266, so this is benign provided ccms holds at least 512 bytes (its declaration is outside this excerpt).
264 l = LIM(ushort(pos2 - pos), 0, 511);
265 memcpy(ccms, pos, l);
266 ccms[l] = '\0';
267 #ifdef LIBRAW_WIN32_CALLS
268 // Win32 strtok is already thread-safe
269 pos = strtok(ccms, ",");
** CID 1645601: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1255 in LibRaw::parse_tiff_ifd(long long)()
________________________________________________________________________________________________________
*** CID 1645601: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1255 in LibRaw::parse_tiff_ifd(long long)()
1249 icWBC[LIBRAW_WBI_Auto][3] = icWBC[LIBRAW_WBI_Auto][1];
1250 }
1251 break;
1252 case 0xc615: /* 50709, LocalizedCameraModel */
1253 stmread(imgdata.color.LocalizedCameraModel, len, ifp);
1254 break;
>>> CID 1645601: Control flow issues (MISSING_BREAK)
>>> The case for value "61450U" is not terminated by a "break" statement. Reviewer note: deriving cblack[4]/cblack[5] from len and then continuing into the BlackLevel (0xc61a) handling appears to be deliberate dcraw-style fall-through; if that is confirmed, annotate it with a fall-through comment or `[[fallthrough]];` rather than adding a break, which would change parsing of tag 0xf00a.
1255 case 0xf00a: // 61450
1256 cblack[4] = cblack[5] = int(MIN(sqrtf((float)len), 64.f));
1257 case 0xc61a: /* 50714, BlackLevel */
1258 if (tiff_ifd[ifd].samples > 1 &&
1259 tiff_ifd[ifd].samples == (int)len) // LinearDNG, per-channel black
1260 {
** CID 1645600: Security best practices violations (STRING_OVERFLOW)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/kodak.cpp: 171 in LibRaw::parse_kodak_ifd(long long)()
________________________________________________________________________________________________________
*** CID 1645600: Security best practices violations (STRING_OVERFLOW)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/kodak.cpp: 171 in LibRaw::parse_kodak_ifd(long long)()
165 if (((int)strlen(pkti) > c) && (!strncasecmp(pkti, "Camera body:", c)))
166 {
167 while ((pkti[c] == ' ') && (c < (int)strlen(pkti)))
168 {
169 c++;
170 }
>>> CID 1645600: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 64-character fixed-size string "this->imgdata.lens.makernotes.body" by copying "pkti + c" without checking the length. Reviewer note: pkti is file-derived text, so this is a genuine bounded-copy issue; replace the strcpy on line 171 with a length-limited copy and explicit termination, e.g. `strncpy(ilm.body, pkti + c, sizeof(ilm.body) - 1); ilm.body[sizeof(ilm.body) - 1] = '\0';`.
171 strcpy(ilm.body, pkti + c);
172 }
173 c = 5;
174 if (((int)strlen(pkti) > c) && (!strncasecmp(pkti, "Lens:", c)))
175 {
176 ilm.CurFocal = float(atoi(pkti + c));
** CID 1645599: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/x3f/x3f_parse_process.cpp: 324 in LibRaw::x3f_thumb_size()()
________________________________________________________________________________________________________
*** CID 1645599: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/x3f/x3f_parse_process.cpp: 324 in LibRaw::x3f_thumb_size()()
318 x3f_directory_entry_t *DE = x3f_get_thumb_jpeg(x3f);
319 if (!DE)
320 DE = x3f_get_thumb_plain(x3f);
321 if (!DE)
322 return -1;
323 int32_t p = x3f_load_data_size(x3f, DE);
>>> CID 1645599: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "p > 4294967295U" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". Reviewer note: p is declared int32_t on line 323, so it can never exceed 0xffffffff; the `p < 0` half of the check is the one that matters and remains in place. Benign — drop the dead comparison for clarity.
324 if (p < 0 || p > 0xffffffff)
325 return -1;
326 return p;
327 }
328 catch (...)
329 {
** CID 1645598: Incorrect expression (IDENTICAL_BRANCHES)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/decoders/decoders_libraw_dcrdefs.cpp: 118 in LibRaw::nikon_he_load_raw_placeholder()()
________________________________________________________________________________________________________
*** CID 1645598: Incorrect expression (IDENTICAL_BRANCHES)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/decoders/decoders_libraw_dcrdefs.cpp: 118 in LibRaw::nikon_he_load_raw_placeholder()()
112 ljpeg_end(&jh);
113 }
114 }
115
116 void LibRaw::nikon_he_load_raw_placeholder()
117 {
>>> CID 1645598: Incorrect expression (IDENTICAL_BRANCHES)
>>> The same code is executed when the condition "this->imgdata.idata.dng_version" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed? Reviewer note: this is a placeholder loader that throws unconditionally (lines 118-120), so the finding is cosmetic; the if can be removed without behavioral change.
118 if(dng_version)
119 throw LIBRAW_EXCEPTION_UNSUPPORTED_FORMAT; // Never reached
120 throw LIBRAW_EXCEPTION_UNSUPPORTED_FORMAT;
121 }
122
123 void LibRaw::nikon_coolscan_load_raw()
** CID 1645597: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 116 in LibRaw::parse_phase_one(long long)()
________________________________________________________________________________________________________
*** CID 1645597: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 116 in LibRaw::parse_phase_one(long long)()
110 break;
111 case 0x0112:
112 ph1.key_off = int(save - 4);
113 break;
114 case 0x0203:
115 stmread(imPhaseOne.Software, len, ifp);
>>> CID 1645597: Control flow issues (MISSING_BREAK)
>>> The case for value "516U" is not terminated by a "break" statement.
116 case 0x0204:
117 stmread(imPhaseOne.SystemType, len, ifp);
118 case 0x0210:
119 ph1.tag_210 = int_to_float(data);
120 imCommon.SensorTemperature = ph1.tag_210;
121 break;
** CID 1645596: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1645596: Insecure data handling (TAINTED_SCALAR)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/fuji.cpp: 1105 in LibRaw::parse_fuji_thumbnail(long long)()
1099 int len = get2();
1100 if (len > xmpsz + 2)
1101 {
1102 if ((fread(buf, 1, xmpsz, ifp) == xmpsz) && !memcmp(buf, xmpmarker, xmpsz)) // got it
1103 {
1104 xmplen = len - xmpsz - 2;
>>> CID 1645596: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "this->imgdata.idata.xmplen + 1U" to "calloc", which uses it as an allocation size. Reviewer note: len comes from get2() (line 1099) so it is at most 0xFFFF, and the check on line 1100 keeps xmplen positive, so the allocation is bounded to under 64 KiB — low risk as an allocation-size issue. The more practical gap is that the calloc result is written on line 1107 without a NULL check.
1105 xmpdata = (char*) calloc(xmplen+1,1);
1106 unsigned br = fread(xmpdata, 1, xmplen, ifp);
1107 xmpdata[br] = 0;
1108 break;
1109 }
1110 }
** CID 1645595: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 114 in LibRaw::parse_phase_one(long long)()
________________________________________________________________________________________________________
*** CID 1645595: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 114 in LibRaw::parse_phase_one(long long)()
108 meta_offset = data + base;
109 meta_length = len;
110 break;
111 case 0x0112:
112 ph1.key_off = int(save - 4);
113 break;
>>> CID 1645595: Control flow issues (MISSING_BREAK)
>>> The case for value "515U" is not terminated by a "break" statement. Reviewer note: as written, a 0x0203 tag reads Software (line 115) and then also reads SystemType (line 117) and sets tag_210 (line 119) from the same entry; if a single tag is meant to populate only one field, a `break;` after line 115 (and after line 117) is needed.
114 case 0x0203:
115 stmread(imPhaseOne.Software, len, ifp);
116 case 0x0204:
117 stmread(imPhaseOne.SystemType, len, ifp);
118 case 0x0210:
119 ph1.tag_210 = int_to_float(data);
** CID 1645594: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/olympus.cpp: 717 in LibRaw::parseOlympusMakernotes(long long, unsigned int, unsigned int, unsigned int, unsigned int)()
________________________________________________________________________________________________________
*** CID 1645594: Control flow issues (MISSING_BREAK)
/home/gilles/devel/GIT/8.x/core/libs/rawengine/libraw/src/metadata/olympus.cpp: 717 in LibRaw::parseOlympusMakernotes(long long, unsigned int, unsigned int, unsigned int, unsigned int)()
711 if (imOly.FocusStepInfinity == 0xffff) imOly.FocusStepInfinity = get2();
712 break;
713 case 0x103c:
714 if (imOly.FocusStepNear == 0xffff) imOly.FocusStepNear = get2();
715 break;
716 case 0x20300108:
>>> CID 1645594: Control flow issues (MISSING_BREAK)
>>> The case for value "540082441U" is not terminated by a "break" statement.
717 case 0x20310109:
718 if (dng_writer == nonDNG) {
719 imOly.ColorSpace = get2();
720 switch (imOly.ColorSpace) {
721 case 0:
722 imCommon.ColorSpace = LIBRAW_COLORSPACE_sRGB;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/digikam?tab=overview