Hi,
Please find the latest report on new defect(s) introduced to digiKam found with Coverity Scan.

29 new defect(s) introduced to digiKam found with Coverity Scan.
12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 29 defect(s)

** CID 1456673: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/fuji.cpp: 635 in LibRaw::parseFujiMakernotes(unsigned int, unsigned int, unsigned int, unsigned int)()

________________________________________________________________________________________________________
*** CID 1456673: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/fuji.cpp: 635 in LibRaw::parseFujiMakernotes(unsigned int, unsigned int, unsigned int, unsigned int)()
629 mm,
630 words[i] +
631 strnlen(words[i],
632 sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) -
633 16,
634 2);
>>> CID 1456673: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 2 bytes on destination array "yy" of size 2 bytes might leave the destination string unterminated.
635 strncpy(
636 yy,
637 words[i] +
638 strnlen(words[i],
639 sizeof(imgdata.shootinginfo.InternalBodySerial) - 1) -
640 18,

** CID 1456672: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/identify.cpp: 1570 in ()

________________________________________________________________________________________________________
*** CID 1456672: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/identify.cpp: 1570 in ()
1564 else if (!strcmp(model, "KD-510Z")) // Konica KD-510Z
1565 {
1566 goto konica_510z;
1567 }
1568 else if (makeIs(LIBRAW_CAMERAMAKER_Minolta))
1569 {
>>> CID 1456672: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
>>> use of "=" where "==" may have been intended
1570 if (!load_raw && (maximum = 0xfff))
1571 {
1572 load_raw = &LibRaw::unpacked_load_raw;
1573 }
1574 if (!strncmp(model, "DiMAGE A",
1575 8)) // Minolta "DiMAGE A1", "DiMAGE A2", "DiMAGE A200"

** CID 1456671: Insecure data handling (TAINTED_SCALAR)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/cr3_parser.cpp: 461 in LibRaw::parseCR3(unsigned long long, unsigned long long, short &, char *, short &, short &)()

________________________________________________________________________________________________________
*** CID 1456671: Insecure data handling (TAINTED_SCALAR)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/cr3_parser.cpp: 461 in LibRaw::parseCR3(unsigned long long, unsigned long long, short &, char *, short &, short &)()
455 !strncmp(AtomNameStack, "moovtrakmdiaminfstbl", 20))
456 {
457 if ((TrackType == 4) && (!strcmp(MediaFormatID, "CTMD")))
458 {
459 order = 0x4949;
460 relpos_inDir = 0L;
>>> CID 1456671: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "this->libraw_internal_data.unpacker_data.crx_header[nTrack].MediaSize" as a loop boundary.
461 while (relpos_inDir + 6 < current_track.MediaSize)
462 {
463 fseek(ifp, current_track.MediaOffset + relpos_inDir, SEEK_SET);
464 szItem = get4();
465 tItem = get2();
466 if ((relpos_inDir + szItem) > current_track.MediaSize)

** CID 1456670: Integer handling issues (BAD_SHIFT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1102 in crxDecodeLineWithIQuantization(CrxSubband *)()

________________________________________________________________________________________________________
*** CID 1456670: Integer handling issues (BAD_SHIFT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1102 in crxDecodeLineWithIQuantization(CrxSubband *)()
1096
1097 // update subband buffers
1098 int32_t *bandBuf = (int32_t *)subband->bandBuf;
1099 int32_t qScale =
1100 q_step_tbl[subband->quantValue % 6] >> (6 - subband->quantValue / 6);
1101 if (subband->quantValue / 6 >= 6)
>>> CID 1456670: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << subband->quantValue / 6 + 26", left shifting by more than 31 bits has undefined behavior. The shift amount, "subband->quantValue / 6 + 26", is at least 32.
1102 qScale = q_step_tbl[subband->quantValue % 6] *
1103 (1 << (subband->quantValue / 6 + 26));
1104
1105 if (qScale != 1)
1106 for (int32_t i = 0; i < subband->width; i++)
1107 bandBuf[i] *= qScale;

** CID 1456669: (DEADCODE)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 706 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 722 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 692 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()

________________________________________________________________________________________________________
*** CID 1456669: (DEADCODE)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 706 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()
700 (b88 << 40) + (b89 << 32) + (b8a << 24) + (b8b << 16) + (b8c << 8) +
701 b8d);
702 }
703 else if (ilm.CameraMount == LIBRAW_MOUNT_Minolta_A)
704 {
705 if (len <= 0xf4)
>>> CID 1456669: (DEADCODE)
>>> Execution cannot reach this statement: "return;".
706 return;
707 unsigned long long bf0 = SonySubstitution[buf[0xf0]];
708 unsigned long long bf1 = SonySubstitution[buf[0xf1]];
709 unsigned long long bf2 = SonySubstitution[buf[0xf2]];
710 unsigned long long bf3 = SonySubstitution[buf[0xf3]];
711 unsigned long long bf4 = SonySubstitution[buf[0xf4]];
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 722 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()
716 (id != 0x120ULL) && // not NEX-5N
717 (id != 0x121ULL) && // not NEX-7
718 (id != 0x122ULL) // not NEX-VG20
719 )
720 {
721 if (len <= 0x7f)
>>> CID 1456669: (DEADCODE)
>>> Execution cannot reach this statement: "return;".
722 return;
723 unsigned b7c = SonySubstitution[buf[0x7c]];
724 unsigned b7d = SonySubstitution[buf[0x7d]];
725 unsigned b7e = SonySubstitution[buf[0x7e]];
726 unsigned b7f = SonySubstitution[buf[0x7f]];
727 sprintf(imgdata.shootinginfo.InternalBodySerial, "%04x",
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 692 in LibRaw::process_Sony_0x9050(unsigned char *, unsigned short, unsigned long long)()
686 (id == 0x177ULL) || // ILCE-7RM4
687 (id == 0x17aULL) || // ILCE-6600
688 (id == 0x17bULL) // ILCE-6100
689 )
690 {
691 if (len <= 0x8d)
>>> CID 1456669: (DEADCODE)
>>> Execution cannot reach this statement: "return;".
692 return;
693 unsigned long long b88 = SonySubstitution[buf[0x88]];
694 unsigned long long b89 = SonySubstitution[buf[0x89]];
695 unsigned long long b8a = SonySubstitution[buf[0x8a]];
696 unsigned long long b8b = SonySubstitution[buf[0x8b]];
697 unsigned long long b8c = SonySubstitution[buf[0x8c]];

** CID 1456668: (OVERRUN)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 208 in LibRaw::parse_exif(int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 207 in LibRaw::parse_exif(int)()

________________________________________________________________________________________________________
*** CID 1456668: (OVERRUN)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 208 in LibRaw::parse_exif(int)()
202 for (l = 0; l < 4; l++)
203 {
204 num = 0.0;
205 for (c = 0; c < 3; c++)
206 {
207 imgdata.color.ccm[l][c] = (float)atoi(pos);
>>> CID 1456668: (OVERRUN)
>>> Overrunning array "this->imgdata.color.ccm" of 3 16-byte elements at element index 3 (byte offset 63) using index "l" (which evaluates to 3).
208 num += imgdata.color.ccm[l][c];
209 #ifdef LIBRAW_WIN32_CALLS
210 pos = strtok(NULL, ",");
211 #else
212 pos = strtok_r(NULL, ",", &last);
213 #endif
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/exif_gps.cpp: 207 in LibRaw::parse_exif(int)()
201 {
202 for (l = 0; l < 4; l++)
203 {
204 num = 0.0;
205 for (c = 0; c < 3; c++)
206 {
>>> CID 1456668: (OVERRUN)
>>> Overrunning array "this->imgdata.color.ccm" of 3 16-byte elements at element index 3 (byte offset 63) using index "l" (which evaluates to 3).
207 imgdata.color.ccm[l][c] = (float)atoi(pos);
208 num += imgdata.color.ccm[l][c];
209 #ifdef LIBRAW_WIN32_CALLS
210 pos = strtok(NULL, ",");
211 #else
212 pos = strtok_r(NULL, ",", &last);

** CID 1456667: Memory - corruptions (OVERRUN)

________________________________________________________________________________________________________
*** CID 1456667: Memory - corruptions (OVERRUN)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/leica.cpp: 329 in LibRaw::parseLeicaMakernote(int, int, unsigned int)()
323 ilm.LensMount = LIBRAW_MOUNT_Leica_M;
324 ilm.LensFormat = LIBRAW_FORMAT_FF;
325 ilm.LensID = c * 256;
326 }
327 else if (tag == 0x0500)
328 {
>>> CID 1456667: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 64 by passing argument "len" (which evaluates to 104857600) in call to "parseLeicaInternalBodySerial".
329 parseLeicaInternalBodySerial(len);
330 }
331 }
332 else if (LeicaMakernoteSignature == 0x3400)
333 { // tag 0x3400 in M9, M9 Monochrom, M Monochrom
334 if (tag == 0x34003402)

** CID 1456666: Control flow issues (MISSING_BREAK)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 68 in LibRaw::parse_phase_one(int)()

________________________________________________________________________________________________________
*** CID 1456666: Control flow issues (MISSING_BREAK)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 68 in LibRaw::parse_phase_one(int)()
62 unique_id = (((imgdata.shootinginfo.BodySerial[0] & 0x3f) << 5) |
63 (imgdata.shootinginfo.BodySerial[1] & 0x3f)) -
64 0x41;
65 }
66 setPhaseOneFeatures(unique_id);
67 break;
>>> CID 1456666: Control flow issues (MISSING_BREAK)
>>> The case for value "515U" is not terminated by a 'break' statement.
68 case 0x0203:
69 stmread(imgdata.makernotes.phaseone.Software, len, ifp);
70 case 0x0204:
71 stmread(imgdata.makernotes.phaseone.SystemType, len, ifp);
72 case 0x0211:
73 imgdata.makernotes.common.SensorTemperature2 = int_to_float(data);

** CID 1456665: Control flow issues (NO_EFFECT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 368 in LibRaw::setSonyBodyFeatures(unsigned long long)()

________________________________________________________________________________________________________
*** CID 1456665: Control flow issues (NO_EFFECT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/sony.cpp: 368 in LibRaw::setSonyBodyFeatures(unsigned long long)()
362 imSony.ImageCount3_offset = 0xffff;
363 return;
364 }
365 else
366 idx = id - 0x100ULL;
367
>>> CID 1456665: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "idx >= 0".
368 if ((idx >= 0) && (idx < sizeof SonyCamFeatures / sizeof *SonyCamFeatures))
369 {
370 if (!SonyCamFeatures[idx].scf[2])
371 return;
372 ilm.CameraFormat = SonyCamFeatures[idx].scf[1];
373 ilm.CameraMount = SonyCamFeatures[idx].scf[2];

** CID 1456664: (SIGN_EXTENSION)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1695 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1678 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()

________________________________________________________________________________________________________
*** CID 1456664: (SIGN_EXTENSION)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1695 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1689 _constrain(median + lineData[i], 0, maxVal);
1690 }
1691 else if (img->nPlanes == 1)
1692 {
1693 int32_t maxVal = (1 << img->nBits) - 1;
1694 int32_t median = 1 << (img->nBits - 1);
>>> CID 1456664: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "img->planeWidth" with type "uint16_t" (16 bits, unsigned) is promoted in "img->planeWidth * imageRow + imageCol" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "img->planeWidth * imageRow + imageCol" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1695 rawOffset = img->planeWidth * imageRow + imageCol;
1696 for (int i = 0; i < lineLength; i++)
1697 img->outBufs[0][rawOffset + i] =
1698 _constrain(median + lineData[i], 0, maxVal);
1699 }
1700 }
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1678 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1672 img->outBufs[plane][rawOffset + 2 * i] =
1673 _constrain(lineData[i], minVal, maxVal);
1674 }
1675 else if (img->encType == 3)
1676 {
1677 // copy to intermediate planeBuf
>>> CID 1456664: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "img->planeWidth" with type "uint16_t" (16 bits, unsigned) is promoted in "plane * img->planeWidth * img->planeHeight + img->planeWidth * imageRow + imageCol" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "plane * img->planeWidth * img->planeHeight + img->planeWidth * imageRow + imageCol" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1678 rawOffset = plane * img->planeWidth * img->planeHeight +
1679 img->planeWidth * imageRow + imageCol;
1680 for (int i = 0; i < lineLength; i++)
1681 img->planeBuf[rawOffset + i] = lineData[i];
1682 }
1683 else if (img->nPlanes == 4)

** CID 1456663: Security best practices violations (STRING_OVERFLOW)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/kodak.cpp: 171 in LibRaw::parse_kodak_ifd(int)()

________________________________________________________________________________________________________
*** CID 1456663: Security best practices violations (STRING_OVERFLOW)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/kodak.cpp: 171 in LibRaw::parse_kodak_ifd(int)()
165 if ((strlen(pkti) > c) && (!strncasecmp(pkti, "Camera body:", c)))
166 {
167 while ((pkti[c] == ' ') && (c < strlen(pkti)))
168 {
169 c++;
170 }
>>> CID 1456663: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 64-character fixed-size string "this->imgdata.lens.makernotes.body" by copying "pkti + c" without checking the length.
171 strcpy(ilm.body, pkti + c);
172 }
173 c = 5;
174 if ((strlen(pkti) > c) && (!strncasecmp(pkti, "Lens:", c)))
175 {
176 ilm.CurFocal = atoi(pkti + c);

** CID 1456662: (STRING_OVERFLOW)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 136 in LibRaw::parseHassyModel()()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 434 in LibRaw::parseHassyModel()()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 174 in LibRaw::parseHassyModel()()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 152 in LibRaw::parseHassyModel()()

________________________________________________________________________________________________________
*** CID 1456662: (STRING_OVERFLOW)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 136 in LibRaw::parseHassyModel()()
130 } else
131 strcpy(tmp_model, imgdata.color.UniqueCameraModel);
132 if (!strncasecmp(tmp_model, "Hasselblad ", 11))
133 memmove(tmp_model, tmp_model+11, 64-11);
134
135 // check if model tag contains manual CaptureSequenceInitiator info:
>>> CID 1456662: (STRING_OVERFLOW)
>>> You might overrun the 32-character destination string "this->imgdata.makernotes.hasselblad.CaptureSequenceInitiator" by writing 64 characters from "this->imgdata.idata.model".
136 strcpy(imHassy.CaptureSequenceInitiator, model);
137 FORC(sizeof Hasselblad_Ctrl / sizeof *Hasselblad_Ctrl) {
138 if (strcasestr(model, Hasselblad_Ctrl[c])) {
139 // yes, fill 'model' with sensor unit data
140 strcpy(model, tmp_model);
141 break;
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 434 in LibRaw::parseHassyModel()()
428 } else {
429 c = imHassy.format;
430 }
431 ps = HassyRawFormat_idx2HR(c);
432 if ((c == LIBRAW_HF_3FR) ||
433 (c == LIBRAW_HF_FFF))
>>> CID 1456662: (STRING_OVERFLOW)
>>> You might overrun the 64-character fixed-size string "this->imgdata.idata.normalized_model" by copying "ps" without checking the length.
434 strcat(normalized_model, ps);
435
436 if (((imHassy.CaptureSequenceInitiator[0] == 'H') &&
437 (imHassy.CaptureSequenceInitiator[1] != 'a')) ||
438 ((imHassy.CaptureSequenceInitiator[0] == 'A') &&
439 isdigit(imHassy.CaptureSequenceInitiator[1]))) {
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 174 in LibRaw::parseHassyModel()()
168 (model[10] != ' ')) {
169 strcpy(model, "CFV");
170 ilm.CameraMount = LIBRAW_MOUNT_DigitalBack;
171 } else {
172 FORC(sizeof Hasselblad_SensorEnclosures / sizeof *Hasselblad_SensorEnclosures) {
173 if (strcasestr(model, Hasselblad_SensorEnclosures[c])) {
>>> CID 1456662: (STRING_OVERFLOW)
>>> You might overrun the 64-character fixed-size string "this->imgdata.idata.model" by copying "Hasselblad_SensorEnclosures[c]" without checking the length.
174 if (add_MP_toName) strcpy(model, Hasselblad_SensorEnclosures[c]);
175 ilm.CameraMount = LIBRAW_MOUNT_DigitalBack;
176 break;
177 }
178 }
179 }
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/hasselblad_model.cpp: 152 in LibRaw::parseHassyModel()()
146 if (ps) { // check if model contains both host body and sensor version, resolution, MS info
147 strcpy(imHassy.SensorUnit, model);
148 memcpy(imHassy.HostBody, model, ps-model);
149 imHassy.HostBody[ps-model] = 0;
150 if (!strncmp(ps-2, "II-", 3))
151 ps -=2;
>>> CID 1456662: (STRING_OVERFLOW)
>>> You might overrun the 8-character fixed-size string "this->imgdata.makernotes.hasselblad.Sensor" by copying "ps" without checking the length.
152 strcpy(imHassy.Sensor, ps);
153 add_MP_toName = 0;
154 } else { // model contains host body only
155 strcpy(imHassy.HostBody, model);
156 // fill 'model' with sensor unit data
157 strcpy(model, tmp_model);

** CID 1456661: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1631 in ()

________________________________________________________________________________________________________
*** CID 1456661: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1631 in ()
1625 os *= tiff_bps;
1626 ns *= tiff_ifd[i].bps;
1627 }
1628 if ((tiff_ifd[i].comp != 6 || tiff_ifd[i].samples != 3) &&
1629 unsigned(tiff_ifd[i].t_width | tiff_ifd[i].t_height) < 0x10000 &&
1630 (unsigned)tiff_ifd[i].bps < 33 && (unsigned)tiff_ifd[i].samples < 13 &&
>>> CID 1456661: Incorrect expression (PW.ASSIGN_WHERE_COMPARE_MEANT)
>>> use of "=" where "==" may have been intended
1631 ns && ((ns > os && (ties = 1)) || (ns == os && shot_select == ties++)))
1632 {
1633 raw_width = tiff_ifd[i].t_width;
1634 raw_height = tiff_ifd[i].t_height;
1635 tiff_bps = tiff_ifd[i].bps;
1636 tiff_compress = tiff_ifd[i].comp;

** CID 1456660: Control flow issues (MISSING_BREAK)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 70 in LibRaw::parse_phase_one(int)()

________________________________________________________________________________________________________
*** CID 1456660: Control flow issues (MISSING_BREAK)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/mediumformat.cpp: 70 in LibRaw::parse_phase_one(int)()
64 0x41;
65 }
66 setPhaseOneFeatures(unique_id);
67 break;
68 case 0x0203:
69 stmread(imgdata.makernotes.phaseone.Software, len, ifp);
>>> CID 1456660: Control flow issues (MISSING_BREAK)
>>> The case for value "516U" is not terminated by a 'break' statement.
70 case 0x0204:
71 stmread(imgdata.makernotes.phaseone.SystemType, len, ifp);
72 case 0x0211:
73 imgdata.makernotes.common.SensorTemperature2 = int_to_float(data);
74 break;
75 case 0x0401:

** CID 1456659: (OVERFLOW_BEFORE_WIDEN)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1665 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1695 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1679 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()

________________________________________________________________________________________________________
*** CID 1456659: (OVERFLOW_BEFORE_WIDEN)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1665 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1659 void crxConvertPlaneLine(CrxImage *img, int imageRow, int imageCol = 0,
1660 int plane = 0, int32_t *lineData = 0,
1661 int lineLength = 0)
1662 {
1663 if (lineData)
1664 {
>>> CID 1456659: (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "4 * img->planeWidth * imageRow" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
1665 uint64_t rawOffset = 4 * img->planeWidth * imageRow + 2 * imageCol;
1666 if (img->encType == 1)
1667 {
1668 int32_t maxVal = 1 << (img->nBits - 1);
1669 int32_t minVal = -maxVal;
1670 --maxVal;
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1695 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1689 _constrain(median + lineData[i], 0, maxVal);
1690 }
1691 else if (img->nPlanes == 1)
1692 {
1693 int32_t maxVal = (1 << img->nBits) - 1;
1694 int32_t median = 1 << (img->nBits - 1);
>>> CID 1456659: (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "img->planeWidth * imageRow" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
1695 rawOffset = img->planeWidth * imageRow + imageCol;
1696 for (int i = 0; i < lineLength; i++)
1697 img->outBufs[0][rawOffset + i] =
1698 _constrain(median + lineData[i], 0, maxVal);
1699 }
1700 }
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1679 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1673 _constrain(lineData[i], minVal, maxVal);
1674 }
1675 else if (img->encType == 3)
1676 {
1677 // copy to intermediate planeBuf
1678 rawOffset = plane * img->planeWidth * img->planeHeight +
>>> CID 1456659: (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "img->planeWidth * imageRow" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
1679 img->planeWidth * imageRow + imageCol;
1680 for (int i = 0; i < lineLength; i++)
1681 img->planeBuf[rawOffset + i] = lineData[i];
1682 }
1683 else if (img->nPlanes == 4)
1684 {

** CID 1456658: (TAINTED_SCALAR)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()

________________________________________________________________________________________________________
*** CID 1456658: (TAINTED_SCALAR)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()
129 if (type == 7 && (sget2(CameraInfo) == 0xaaaa) && (dng_writer == nonDNG)) { // CameraOrientation
130 int c, i;
131 for (c = i = 2; (ushort)c != 0xbbbb && i < maxlen; i++)
132 c = c << 8 | CameraInfo[i];
133 while (i < (maxlen - 5))
134 if ((sget4(CameraInfo+i) == 257) && ((c = CameraInfo[i+8]) < 3)) {
>>> CID 1456658: (TAINTED_SCALAR)
>>> Using tainted variable "c" as an index into an array ""065"".
135 imCanon.MakernotesFlip = "065"[c] - '0';
136 break;
137 } else i+=4;
138 }
139
140 CameraInfo[0] = 0;
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()
129 if (type == 7 && (sget2(CameraInfo) == 0xaaaa) && (dng_writer == nonDNG)) { // CameraOrientation
130 int c, i;
131 for (c = i = 2; (ushort)c != 0xbbbb && i < maxlen; i++)
132 c = c << 8 | CameraInfo[i];
133 while (i < (maxlen - 5))
134 if ((sget4(CameraInfo+i) == 257) && ((c = CameraInfo[i+8]) < 3)) {
>>> CID 1456658: (TAINTED_SCALAR)
>>> Using tainted variable "c" as an index into an array ""065"".
135 imCanon.MakernotesFlip = "065"[c] - '0';
136 break;
137 } else i+=4;
138 }
139
140 CameraInfo[0] = 0;
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/canon.cpp: 135 in LibRaw::processCanonCameraInfo(unsigned long long, unsigned char *, unsigned int, unsigned int, unsigned int)()
129 if (type == 7 && (sget2(CameraInfo) == 0xaaaa) && (dng_writer == nonDNG)) { // CameraOrientation
130 int c, i;
131 for (c = i = 2; (ushort)c != 0xbbbb && i < maxlen; i++)
132 c = c << 8 | CameraInfo[i];
133 while (i < (maxlen - 5))
134 if ((sget4(CameraInfo+i) == 257) && ((c = CameraInfo[i+8]) < 3)) {
>>> CID 1456658: (TAINTED_SCALAR)
>>> Using tainted variable "c" as an index into an array ""065"".
135 imCanon.MakernotesFlip = "065"[c] - '0';
136 break;
137 } else i+=4;
138 }
139
140 CameraInfo[0] = 0;

** CID 1456657: Null pointer dereferences (NULL_RETURNS)

________________________________________________________________________________________________________
*** CID 1456657: Null pointer dereferences (NULL_RETURNS)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/samples/raw-identify.cpp: 489 in main()
483 MyCoolRawProcessor.recycle();
484 if (use_map)
485 close_mapping(mapping);
486 } // endfor
487
488 if (use_timing && filelist.size() > 0)
>>> CID 1456657: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "nullptr" "outfile" when calling "print_timer".
489 print_timer(outfile, started, filelist.size());
490 return 0;
491 }
492
493 void print_timer(FILE* outfile, const starttime_t& started, int files)
494 {

** CID 1456656: Integer handling issues (SIGN_EXTENSION)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1678 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()

________________________________________________________________________________________________________
*** CID 1456656: Integer handling issues (SIGN_EXTENSION)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/decoders/crx.cpp: 1678 in crxConvertPlaneLine(CrxImage *, int, int, int, int *, int)()
1672 img->outBufs[plane][rawOffset + 2 * i] =
1673 _constrain(lineData[i], minVal, maxVal);
1674 }
1675 else if (img->encType == 3)
1676 {
1677 // copy to intermediate planeBuf
>>> CID 1456656: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "img->planeHeight" with type "uint16_t" (16 bits, unsigned) is promoted in "plane * img->planeWidth * img->planeHeight + img->planeWidth * imageRow + imageCol" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "plane * img->planeWidth * img->planeHeight + img->planeWidth * imageRow + imageCol" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1678 rawOffset = plane * img->planeWidth * img->planeHeight +
1679 img->planeWidth * imageRow + imageCol;
1680 for (int i = 0; i < lineLength; i++)
1681 img->planeBuf[rawOffset + i] = lineData[i];
1682 }
1683 else if (img->nPlanes == 4)

** CID 1456655: Integer handling issues (NO_EFFECT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1568 in LibRaw::apply_tiff()()

________________________________________________________________________________________________________
*** CID 1456655: Integer handling issues (NO_EFFECT)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/tiff.cpp: 1568 in LibRaw::apply_tiff()()
1562 }
1563 qsort(arr, MIN(ifdc,LIBRAW_IFD_MAXCOUNT*2) ,sizeof(arr[0]),ifd_size_t_cmp);
1564 for(int i = 0; i < ifdc && i < LIBRAW_IFD_MAXCOUNT*2; i++)
1565 libraw_internal_data.unpacker_data.dng_frames[i] = arr[i].ifdi;
1566 }
1567
>>> CID 1456655: Integer handling issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "0U > ((this->imgdata.params.shot_select < ifdc - 1) ? this->imgdata.params.shot_select : (ifdc - 1))".
1568 int idx = LIM(shot_select,0,ifdc-1);
1569 i = (libraw_internal_data.unpacker_data.dng_frames[idx]>>8) & 0xff; // extract frame# back
1570
1571 raw_width = tiff_ifd[i].t_width;
1572 raw_height = tiff_ifd[i].t_height;
1573 tiff_bps = tiff_ifd[i].bps;

** CID 1456654: Control flow issues (DEADCODE)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/identify_tools.cpp: 110 in LibRaw::remove_caseSubstr(char *, char *)()

________________________________________________________________________________________________________
*** CID 1456654: Control flow issues (DEADCODE)
/mnt/devel/GIT/6.x/core/libs/rawengine/libraw/src/metadata/identify_tools.cpp: 110 in LibRaw::remove_caseSubstr(char *, char *)()
104 }
105
106 void LibRaw::remove_caseSubstr(char *string, char *subStr) // replace a substring with an equal length of spaces
107 {
108 char *found;
109 while ((found = strcasestr(string,subStr))) {
>>> CID 1456654: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return;".
110 if (!found) return;
111 int fill_len = strlen(subStr);
112 int p = found - string;
113 for (int i=p; i<p+fill_len; i++) {
114 string[i] = 32;
115 }

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZIlZa20oQ0xtvekoaSXYBwveaZrocF7HKhDAyMb-2Biah-2FnlVHKEoHYKtgojWoi52Ac-3D_Vulo-2FzB1zz6bqp-2F-2Bl-2FpBD-2BzKk1Nu56XtBupWJitvnTDSZlfZotHYXs7vPuKPKpL4rQmLfI3yH7S-2FMCB8cwQOW2UOlKkeVX1xaCJJxkrq6brUvCv4IqgU1dt1QAtlbxkJvhdIIKyin-2BRVICgjGEsO1-2BjXA1QJ6xo7o1qqCUaO8D60cJRTFIXlryGAxAVUjoMFdbSaoiufU6aZj3WZAfEwxhohhV0mYgPzVBfOmJiVqaJns7HCRtbKR51SqhZuyZY-2B