New Defects reported by Coverity Scan for LibreOffice
scan-admin at coverity.com
scan-admin at coverity.com
Thu Feb 9 21:25:50 UTC 2017
Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
200 new defect(s) introduced to LibreOffice found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 1400341: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_main.cpp: 1476 in CFX_ImageRenderer::CFX_ImageRenderer()()
________________________________________________________________________________________________________
*** CID 1400341: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_main.cpp: 1476 in CFX_ImageRenderer::CFX_ImageRenderer()()
1470 }
1471
1472 CFX_ImageRenderer::CFX_ImageRenderer() {
1473 m_Status = 0;
1474 m_bRgbByteOrder = false;
1475 m_BlendType = FXDIB_BLEND_NORMAL;
>>> CID 1400341: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_pIccTransform" is not initialized in this constructor nor in any functions that it calls.
1476 }
1477
1478 CFX_ImageRenderer::~CFX_ImageRenderer() {}
1479
1480 bool CFX_ImageRenderer::Start(CFX_DIBitmap* pDevice,
1481 const CFX_ClipRgn* pClipRgn,
** CID 1400340: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/render/cpdf_charposlist.cpp: 14 in CPDF_CharPosList::CPDF_CharPosList()()
________________________________________________________________________________________________________
*** CID 1400340: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/render/cpdf_charposlist.cpp: 14 in CPDF_CharPosList::CPDF_CharPosList()()
8
9 #include "core/fpdfapi/font/cpdf_cidfont.h"
10 #include "core/fpdfapi/font/cpdf_font.h"
11
12 CPDF_CharPosList::CPDF_CharPosList() {
13 m_pCharPos = nullptr;
>>> CID 1400340: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_nChars" is not initialized in this constructor nor in any functions that it calls.
14 }
15
16 CPDF_CharPosList::~CPDF_CharPosList() {
17 FX_Free(m_pCharPos);
18 }
19
** CID 1400339: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp: 293 in CPDF_StreamContentParser::CPDF_StreamContentParser(CPDF_Document *, CPDF_Dictionary *, CPDF_Dictionary *, const CFX_Matrix *, CPDF_PageObjectHolder *, CPDF_Dictionary *, CFX_FloatRect *, CPDF_AllStates *, int)()
________________________________________________________________________________________________________
*** CID 1400339: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/page/cpdf_streamcontentparser.cpp: 293 in CPDF_StreamContentParser::CPDF_StreamContentParser(CPDF_Document *, CPDF_Dictionary *, CPDF_Dictionary *, const CFX_Matrix *, CPDF_PageObjectHolder *, CPDF_Dictionary *, CFX_FloatRect *, CPDF_AllStates *, int)()
287 m_pCurStates->m_TextState.Emplace();
288 m_pCurStates->m_ColorState.Emplace();
289 }
290 for (size_t i = 0; i < FX_ArraySize(m_Type3Data); ++i) {
291 m_Type3Data[i] = 0.0;
292 }
>>> CID 1400339: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_PathStartY" is not initialized in this constructor nor in any functions that it calls.
293 }
294
295 CPDF_StreamContentParser::~CPDF_StreamContentParser() {
296 ClearAllParams();
297 FX_Free(m_pPathPoints);
298 }
** CID 1400338: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 68 in CJBig2_Context::CJBig2_Context(CPDF_StreamAcc *, CPDF_StreamAcc *, std::__cxx11::list<std::pair<std::pair<unsigned int, unsigned int>, std::unique_ptr<CJBig2_SymbolDict, std::default_delete<CJBig2_SymbolDict>>>, std::allocator<std::pair<std::pair<unsigned int, unsigned int>, std::unique_ptr<CJBig2_SymbolDict, std::default_delete<CJBig2_SymbolDict>>>>> *, IFX_Pause *, bool)()
________________________________________________________________________________________________________
*** CID 1400338: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 68 in CJBig2_Context::CJBig2_Context(CPDF_StreamAcc *, CPDF_StreamAcc *, std::__cxx11::list<std::pair<std::pair<unsigned int, unsigned int>, std::unique_ptr<CJBig2_SymbolDict, std::default_delete<CJBig2_SymbolDict>>>, std::allocator<std::pair<std::pair<unsigned int, unsigned int>, std::unique_ptr<CJBig2_SymbolDict, std::default_delete<CJBig2_SymbolDict>>>>> *, IFX_Pause *, bool)()
62 m_bIsGlobal(bIsGlobal) {
63 if (pGlobalStream && (pGlobalStream->GetSize() > 0)) {
64 m_pGlobalContext = pdfium::MakeUnique<CJBig2_Context>(
65 nullptr, pGlobalStream, pSymbolDictCache, pPause, true);
66 }
67 m_pStream = pdfium::MakeUnique<CJBig2_BitStream>(pSrcStream);
>>> CID 1400338: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member field "m_ri.flags" is not initialized in this constructor nor in any functions that it calls.
68 }
69
70 CJBig2_Context::~CJBig2_Context() {}
71
72 int32_t CJBig2_Context::decode_SquentialOrgnazation(IFX_Pause* pPause) {
73 int32_t nRet;
** CID 1400337: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 4017 in CFX_ScanlineCompositor::CFX_ScanlineCompositor()()
________________________________________________________________________________________________________
*** CID 1400337: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 4017 in CFX_ScanlineCompositor::CFX_ScanlineCompositor()()
4011 CFX_ScanlineCompositor::CFX_ScanlineCompositor() {
4012 m_pSrcPalette = nullptr;
4013 m_pCacheScanline = nullptr;
4014 m_CacheSize = 0;
4015 m_bRgbByteOrder = false;
4016 m_BlendType = FXDIB_BLEND_NORMAL;
>>> CID 1400337: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_pIccTransform" is not initialized in this constructor nor in any functions that it calls.
4017 }
4018
4019 CFX_ScanlineCompositor::~CFX_ScanlineCompositor() {
4020 FX_Free(m_pSrcPalette);
4021 FX_Free(m_pCacheScanline);
4022 }
** CID 1400336: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/third_party/agg23/agg_scanline_u.h: 54 in agg::scanline_u<unsigned char>::scanline_u()()
________________________________________________________________________________________________________
*** CID 1400336: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/third_party/agg23/agg_scanline_u.h: 54 in agg::scanline_u<unsigned char>::scanline_u()()
48 m_min_x(0),
49 m_max_len(0),
50 m_last_x(0x7FFFFFF0),
51 m_covers(0),
52 m_spans(0),
53 m_cur_span(0)
>>> CID 1400336: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_y" is not initialized in this constructor nor in any functions that it calls.
54 {}
55 void reset(int min_x, int max_x)
56 {
57 unsigned max_len = max_x - min_x + 2;
58 if(max_len > m_max_len) {
59 FX_Free(m_spans);
** CID 1400335: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/parser/cpdf_data_avail.cpp: 81 in CPDF_DataAvail::CPDF_DataAvail(CPDF_DataAvail::FileAvail *, const CFX_RetainPtr<IFX_SeekableReadStream> &, bool)()
________________________________________________________________________________________________________
*** CID 1400335: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/parser/cpdf_data_avail.cpp: 81 in CPDF_DataAvail::CPDF_DataAvail(CPDF_DataAvail::FileAvail *, const CFX_RetainPtr<IFX_SeekableReadStream> &, bool)()
75 m_pPageResource = nullptr;
76 m_docStatus = PDF_DATAAVAIL_HEADER;
77 m_bTotalLoadPageTree = false;
78 m_bCurPageDictLoadOK = false;
79 m_bLinearedDataOK = false;
80 m_bSupportHintTable = bSupportHintTable;
>>> CID 1400335: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_dwTrailerOffset" is not initialized in this constructor nor in any functions that it calls.
81 }
82
83 CPDF_DataAvail::~CPDF_DataAvail() {
84 m_pHintTables.reset();
85 for (CPDF_Object* pObject : m_arrayAcroforms)
86 delete pObject;
** CID 1400334: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxcrt/fx_xml_parser.cpp: 724 in CXML_Element::CXML_Element(const CFX_StringCTemplate<char> &, const CFX_StringCTemplate<char> &)()
________________________________________________________________________________________________________
*** CID 1400334: Uninitialized members (UNINIT_CTOR)
/workdir/UnpackedTarball/pdfium/core/fxcrt/fx_xml_parser.cpp: 724 in CXML_Element::CXML_Element(const CFX_StringCTemplate<char> &, const CFX_StringCTemplate<char> &)()
718 CXML_Element::CXML_Element() : m_QSpaceName(), m_TagName(), m_AttrMap() {}
719 CXML_Element::CXML_Element(const CFX_ByteStringC& qSpace,
720 const CFX_ByteStringC& tagName)
721 : m_QSpaceName(), m_TagName(), m_AttrMap() {
722 m_QSpaceName = qSpace;
723 m_TagName = tagName;
>>> CID 1400334: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_pParent" is not initialized in this constructor nor in any functions that it calls.
724 }
725 CXML_Element::CXML_Element(const CFX_ByteStringC& qTagName)
726 : m_pParent(nullptr), m_QSpaceName(), m_TagName(), m_AttrMap() {
727 SetTag(qTagName);
728 }
729 CXML_Element::~CXML_Element() {
** CID 1400333: (UNINIT)
/workdir/UnpackedTarball/pdfium/fpdfsdk/cpdfsdk_baannot.cpp: 124 in CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME &)()
/workdir/UnpackedTarball/pdfium/fpdfsdk/cpdfsdk_baannot.cpp: 124 in CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME &)()
________________________________________________________________________________________________________
*** CID 1400333: (UNINIT)
/workdir/UnpackedTarball/pdfium/fpdfsdk/cpdfsdk_baannot.cpp: 124 in CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME &)()
118
119 CFX_WideString CPDFSDK_BAAnnot::GetAnnotName() const {
120 return m_pAnnot->GetAnnotDict()->GetUnicodeTextFor("NM");
121 }
122
123 void CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME& st) {
>>> CID 1400333: (UNINIT)
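>>> Declaring variable "dt".
[Note: only the declaration event of this UNINIT finding is shown; the excerpt does not identify which part of "dt" is read before being initialized.]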
124 CPDFSDK_DateTime dt(st);
125 CFX_ByteString str = dt.ToPDFDateTimeString();
126 if (str.IsEmpty())
127 m_pAnnot->GetAnnotDict()->RemoveFor("M");
128 else
129 m_pAnnot->GetAnnotDict()->SetNewFor<CPDF_String>("M", str, false);
/workdir/UnpackedTarball/pdfium/fpdfsdk/cpdfsdk_baannot.cpp: 124 in CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME &)()
118
119 CFX_WideString CPDFSDK_BAAnnot::GetAnnotName() const {
120 return m_pAnnot->GetAnnotDict()->GetUnicodeTextFor("NM");
121 }
122
123 void CPDFSDK_BAAnnot::SetModifiedDate(const FX_SYSTEMTIME& st) {
>>> CID 1400333: (UNINIT)
>>> Declaring variable "dt".
124 CPDFSDK_DateTime dt(st);
125 CFX_ByteString str = dt.ToPDFDateTimeString();
126 if (str.IsEmpty())
127 m_pAnnot->GetAnnotDict()->RemoveFor("M");
128 else
129 m_pAnnot->GetAnnotDict()->SetNewFor<CPDF_String>("M", str, false);
** CID 1400332: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 52 in <unnamed>::FPDF_LoadTableFromTT(_IO_FILE *, const unsigned char *, unsigned int, unsigned int)()
________________________________________________________________________________________________________
*** CID 1400332: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 52 in <unnamed>::FPDF_LoadTableFromTT(_IO_FILE *, const unsigned char *, unsigned int, unsigned int)()
46 uint32_t nTables,
47 uint32_t tag) {
48 for (uint32_t i = 0; i < nTables; i++) {
49 const uint8_t* p = pTables + i * 16;
50 if (GET_TT_LONG(p) == tag) {
51 uint32_t offset = GET_TT_LONG(p + 8);
>>> CID 1400332: Insecure data handling (TAINTED_SCALAR)
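>>> Assigning: "size" = "(uint32_t)(((p + 12)[0] << 24) | ((p + 12)[1] << 16) | ((p + 12)[2] << 8) | (p + 12)[3])". Both are now tainted.
[Note: "size" and "offset" (line 51) are both read from the table entry and passed to FXSYS_fseek and FPDF_ReadStringFromFile on lines 53-54; this excerpt shows no range check on either value.]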
52 uint32_t size = GET_TT_LONG(p + 12);
53 FXSYS_fseek(pFile, offset, FXSYS_SEEK_SET);
54 return FPDF_ReadStringFromFile(pFile, size);
55 }
56 }
57 return CFX_ByteString();
** CID 1400331: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 254 in CFX_CTTGSUBTable::ParseScriptList(const unsigned char *, CFX_CTTGSUBTable::TScriptList *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 254 in CFX_CTTGSUBTable::ParseScriptList(const unsigned char *, CFX_CTTGSUBTable::TScriptList *)()
________________________________________________________________________________________________________
*** CID 1400331: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 254 in CFX_CTTGSUBTable::ParseScriptList(const unsigned char *, CFX_CTTGSUBTable::TScriptList *)()
248 int i;
249 FT_Bytes sp = raw;
250 rec->ScriptCount = GetUInt16(sp);
251 if (rec->ScriptCount <= 0) {
252 return;
253 }
>>> CID 1400331: (TAINTED_SCALAR)
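>>> Passing tainted variable "<new (context.alloc) allocation size>" to a tainted sink.
[Note: "rec->ScriptCount" is read from the table by GetUInt16 on line 250 and is only checked for "<= 0". Inside the loop, "offset" (line 257) is also read from the table and used to index "raw" on line 258; ParseScriptList receives no buffer length to check either value against.]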
254 rec->ScriptRecord.reset(new TScriptRecord[rec->ScriptCount]);
255 for (i = 0; i < rec->ScriptCount; i++) {
256 rec->ScriptRecord[i].ScriptTag = GetUInt32(sp);
257 uint16_t offset = GetUInt16(sp);
258 ParseScript(&raw[offset], &rec->ScriptRecord[i].Script);
259 }
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 254 in CFX_CTTGSUBTable::ParseScriptList(const unsigned char *, CFX_CTTGSUBTable::TScriptList *)()
248 int i;
249 FT_Bytes sp = raw;
250 rec->ScriptCount = GetUInt16(sp);
251 if (rec->ScriptCount <= 0) {
252 return;
253 }
>>> CID 1400331: (TAINTED_SCALAR)
>>> Using tainted variable "<new (context.alloc) [] element count>" as a loop boundary.
254 rec->ScriptRecord.reset(new TScriptRecord[rec->ScriptCount]);
255 for (i = 0; i < rec->ScriptCount; i++) {
256 rec->ScriptRecord[i].ScriptTag = GetUInt32(sp);
257 uint16_t offset = GetUInt16(sp);
258 ParseScript(&raw[offset], &rec->ScriptRecord[i].Script);
259 }
** CID 1400330: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1400330: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 1027 in CJBig2_Context::parseHalftoneRegion(CJBig2_Segment *, IFX_Pause *)()
1021 const size_t size = GetHuffContextSize(pHRD->HTEMPLATE);
1022 std::unique_ptr<JBig2ArithCtx, FxFreeDeleter> gbContext(
1023 FX_Alloc(JBig2ArithCtx, size));
1024 JBIG2_memset(gbContext.get(), 0, sizeof(JBig2ArithCtx) * size);
1025 std::unique_ptr<CJBig2_ArithDecoder> pArithDecoder(
1026 new CJBig2_ArithDecoder(m_pStream.get()));
>>> CID 1400330: (TAINTED_SCALAR)
>>> Passing tainted variable "pHRD->HGH" to a tainted sink.
1027 pSegment->m_Result.im =
1028 pHRD->decode_Arith(pArithDecoder.get(), gbContext.get(), pPause);
1029 if (!pSegment->m_Result.im)
1030 return JBIG2_ERROR_FATAL;
1031
1032 m_pStream->alignByte();
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 1035 in CJBig2_Context::parseHalftoneRegion(CJBig2_Segment *, IFX_Pause *)()
1029 if (!pSegment->m_Result.im)
1030 return JBIG2_ERROR_FATAL;
1031
1032 m_pStream->alignByte();
1033 m_pStream->offset(2);
1034 } else {
>>> CID 1400330: (TAINTED_SCALAR)
>>> Passing tainted variable "pHRD->HGH" to a tainted sink.
1035 pSegment->m_Result.im = pHRD->decode_MMR(m_pStream.get(), pPause);
1036 if (!pSegment->m_Result.im)
1037 return JBIG2_ERROR_FATAL;
1038 m_pStream->alignByte();
1039 }
1040 if (pSegment->m_cFlags.s.type != 20) {
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 1027 in CJBig2_Context::parseHalftoneRegion(CJBig2_Segment *, IFX_Pause *)()
1021 const size_t size = GetHuffContextSize(pHRD->HTEMPLATE);
1022 std::unique_ptr<JBig2ArithCtx, FxFreeDeleter> gbContext(
1023 FX_Alloc(JBig2ArithCtx, size));
1024 JBIG2_memset(gbContext.get(), 0, sizeof(JBig2ArithCtx) * size);
1025 std::unique_ptr<CJBig2_ArithDecoder> pArithDecoder(
1026 new CJBig2_ArithDecoder(m_pStream.get()));
>>> CID 1400330: (TAINTED_SCALAR)
>>> Passing tainted variable "pHRD->HGW" to a tainted sink.
1027 pSegment->m_Result.im =
1028 pHRD->decode_Arith(pArithDecoder.get(), gbContext.get(), pPause);
1029 if (!pSegment->m_Result.im)
1030 return JBIG2_ERROR_FATAL;
1031
1032 m_pStream->alignByte();
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 1027 in CJBig2_Context::parseHalftoneRegion(CJBig2_Segment *, IFX_Pause *)()
1021 const size_t size = GetHuffContextSize(pHRD->HTEMPLATE);
1022 std::unique_ptr<JBig2ArithCtx, FxFreeDeleter> gbContext(
1023 FX_Alloc(JBig2ArithCtx, size));
1024 JBIG2_memset(gbContext.get(), 0, sizeof(JBig2ArithCtx) * size);
1025 std::unique_ptr<CJBig2_ArithDecoder> pArithDecoder(
1026 new CJBig2_ArithDecoder(m_pStream.get()));
>>> CID 1400330: (TAINTED_SCALAR)
>>> Passing tainted variable "pHRD->HGW" to a tainted sink.
1027 pSegment->m_Result.im =
1028 pHRD->decode_Arith(pArithDecoder.get(), gbContext.get(), pPause);
1029 if (!pSegment->m_Result.im)
1030 return JBIG2_ERROR_FATAL;
1031
1032 m_pStream->alignByte();
/workdir/UnpackedTarball/pdfium/core/fxcodec/jbig2/JBig2_Context.cpp: 1035 in CJBig2_Context::parseHalftoneRegion(CJBig2_Segment *, IFX_Pause *)()
1029 if (!pSegment->m_Result.im)
1030 return JBIG2_ERROR_FATAL;
1031
1032 m_pStream->alignByte();
1033 m_pStream->offset(2);
1034 } else {
>>> CID 1400330: (TAINTED_SCALAR)
>>> Passing tainted variable "pHRD->HGW" to a tainted sink.
1035 pSegment->m_Result.im = pHRD->decode_MMR(m_pStream.get(), pPause);
1036 if (!pSegment->m_Result.im)
1037 return JBIG2_ERROR_FATAL;
1038 m_pStream->alignByte();
1039 }
1040 if (pSegment->m_cFlags.s.type != 20) {
** CID 1400329: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
________________________________________________________________________________________________________
*** CID 1400329: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
196 uint32_t offset) {
197 FXSYS_fseek(pFile, offset, FXSYS_SEEK_SET);
198 char buffer[16];
199 if (!FXSYS_fread(buffer, 12, 1, pFile))
200 return;
201
>>> CID 1400329: (TAINTED_SCALAR)
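>>> Assigning: "nTables" = "(uint16_t)(((&buffer[4])[0] << 8) | (&buffer[4])[1])". Both are now tainted.
[Note: "nTables" is then used on line 203 to compute the read length "nTables * 16" that is passed to FPDF_ReadStringFromFile.]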
202 uint32_t nTables = GET_TT_SHORT(buffer + 4);
203 CFX_ByteString tables = FPDF_ReadStringFromFile(pFile, nTables * 16);
204 if (tables.IsEmpty())
205 return;
206
207 CFX_ByteString names =
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
196 uint32_t offset) {
197 FXSYS_fseek(pFile, offset, FXSYS_SEEK_SET);
198 char buffer[16];
199 if (!FXSYS_fread(buffer, 12, 1, pFile))
200 return;
201
>>> CID 1400329: (TAINTED_SCALAR)
>>> Assigning: "nTables" = "(uint16_t)(((&buffer[4])[0] << 8) | (&buffer[4])[1])". Both are now tainted.
202 uint32_t nTables = GET_TT_SHORT(buffer + 4);
203 CFX_ByteString tables = FPDF_ReadStringFromFile(pFile, nTables * 16);
204 if (tables.IsEmpty())
205 return;
206
207 CFX_ByteString names =
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_folderfontinfo.cpp: 202 in CFX_FolderFontInfo::ReportFace(const CFX_ByteString &, _IO_FILE *, unsigned int, unsigned int)()
196 uint32_t offset) {
197 FXSYS_fseek(pFile, offset, FXSYS_SEEK_SET);
198 char buffer[16];
199 if (!FXSYS_fread(buffer, 12, 1, pFile))
200 return;
201
>>> CID 1400329: (TAINTED_SCALAR)
>>> Assigning: "nTables" = "(uint16_t)(((&buffer[4])[0] << 8) | (&buffer[4])[1])". Both are now tainted.
202 uint32_t nTables = GET_TT_SHORT(buffer + 4);
203 CFX_ByteString tables = FPDF_ReadStringFromFile(pFile, nTables * 16);
204 if (tables.IsEmpty())
205 return;
206
207 CFX_ByteString names =
** CID 1400328: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_fontmgr.cpp: 72 in <unnamed>::GetTTCIndex(const unsigned char *, unsigned int, unsigned int)()
________________________________________________________________________________________________________
*** CID 1400328: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/ge/cfx_fontmgr.cpp: 72 in <unnamed>::GetTTCIndex(const unsigned char *, unsigned int, unsigned int)()
66 uint32_t ttc_size,
67 uint32_t font_offset) {
68 int face_index = 0;
69 const uint8_t* p = pFontData + 8;
70 uint32_t nfont = GET_TT_LONG(p);
71 uint32_t index;
>>> CID 1400328: Insecure data handling (TAINTED_SCALAR)
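>>> Using tainted variable "nfont" as a loop boundary.
[Note: "nfont" is read from the font data on line 70, and the loop on lines 72-76 reads at "pFontData + 12 + index * 4" for every index below it; no comparison against "ttc_size" appears between the read and the loop.]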
72 for (index = 0; index < nfont; index++) {
73 p = pFontData + 12 + index * 4;
74 if (GET_TT_LONG(p) == font_offset)
75 break;
76 }
77 if (index >= nfont)
** CID 1400327: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 3082 in <unnamed>::CompositeRow_Rgb2Argb_Blend_NoClip_RgbByteOrder(unsigned char *, const unsigned char *, int, int, int)()
________________________________________________________________________________________________________
*** CID 1400327: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 3082 in <unnamed>::CompositeRow_Rgb2Argb_Blend_NoClip_RgbByteOrder(unsigned char *, const unsigned char *, int, int, int)()
3076 dest_scan_o[2] = dest_scan[0];
3077 RGB_Blend(blend_type, src_scan, dest_scan_o, blended_colors);
3078 }
3079 for (int color = 0; color < 3; color++) {
3080 int index = 2 - color;
3081 int src_color = *src_scan;
>>> CID 1400327: Insecure data handling (TAINTED_SCALAR)
>>> Casting narrower unsigned "dest_scan[index]" to wider signed type "int" effectively tests its lower bound.
3082 int blended = bNonseparableBlend
3083 ? blended_colors[color]
3084 : Blend(blend_type, dest_scan[index], src_color);
3085 dest_scan[index] = FXDIB_ALPHA_MERGE(src_color, blended, back_alpha);
3086 src_scan++;
3087 }
** CID 1400326: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
________________________________________________________________________________________________________
*** CID 1400326: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
77 header.Version = gsub[0] << 24 | gsub[1] << 16 | gsub[2] << 8 | gsub[3];
78 if (header.Version != 0x00010000) {
79 return false;
80 }
81 header.ScriptList = gsub[4] << 8 | gsub[5];
82 header.FeatureList = gsub[6] << 8 | gsub[7];
>>> CID 1400326: (TAINTED_SCALAR)
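>>> Performing a byte swapping operation on "gsub" implies that it came from an external source, and is therefore tainted.
[Note: the 16-bit offsets assembled on lines 81-83 are used to index "gsub" in the Parse call on lines 84-85, and LoadGSUBTable(const unsigned char *) takes no buffer length, so this excerpt shows no bounds check on them.]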
83 header.LookupList = gsub[8] << 8 | gsub[9];
84 return Parse(&gsub[header.ScriptList], &gsub[header.FeatureList],
85 &gsub[header.LookupList]);
86 }
87
88 bool CFX_CTTGSUBTable::GetVerticalGlyph(uint32_t glyphnum,
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
77 header.Version = gsub[0] << 24 | gsub[1] << 16 | gsub[2] << 8 | gsub[3];
78 if (header.Version != 0x00010000) {
79 return false;
80 }
81 header.ScriptList = gsub[4] << 8 | gsub[5];
82 header.FeatureList = gsub[6] << 8 | gsub[7];
>>> CID 1400326: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "gsub" implies that it came from an external source, and is therefore tainted.
83 header.LookupList = gsub[8] << 8 | gsub[9];
84 return Parse(&gsub[header.ScriptList], &gsub[header.FeatureList],
85 &gsub[header.LookupList]);
86 }
87
88 bool CFX_CTTGSUBTable::GetVerticalGlyph(uint32_t glyphnum,
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
77 header.Version = gsub[0] << 24 | gsub[1] << 16 | gsub[2] << 8 | gsub[3];
78 if (header.Version != 0x00010000) {
79 return false;
80 }
81 header.ScriptList = gsub[4] << 8 | gsub[5];
82 header.FeatureList = gsub[6] << 8 | gsub[7];
>>> CID 1400326: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "gsub" implies that it came from an external source, and is therefore tainted.
83 header.LookupList = gsub[8] << 8 | gsub[9];
84 return Parse(&gsub[header.ScriptList], &gsub[header.FeatureList],
85 &gsub[header.LookupList]);
86 }
87
88 bool CFX_CTTGSUBTable::GetVerticalGlyph(uint32_t glyphnum,
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 83 in CFX_CTTGSUBTable::LoadGSUBTable(const unsigned char *)()
77 header.Version = gsub[0] << 24 | gsub[1] << 16 | gsub[2] << 8 | gsub[3];
78 if (header.Version != 0x00010000) {
79 return false;
80 }
81 header.ScriptList = gsub[4] << 8 | gsub[5];
82 header.FeatureList = gsub[6] << 8 | gsub[7];
>>> CID 1400326: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "gsub" implies that it came from an external source, and is therefore tainted.
83 header.LookupList = gsub[8] << 8 | gsub[9];
84 return Parse(&gsub[header.ScriptList], &gsub[header.FeatureList],
85 &gsub[header.LookupList]);
86 }
87
88 bool CFX_CTTGSUBTable::GetVerticalGlyph(uint32_t glyphnum,
** CID 1400325: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 1021 in <unnamed>::CompositeRow_Rgb2Argb_Blend_NoClip(unsigned char *, const unsigned char *, int, int, int, unsigned char *)()
________________________________________________________________________________________________________
*** CID 1400325: Insecure data handling (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fxge/dib/fx_dib_composite.cpp: 1021 in <unnamed>::CompositeRow_Rgb2Argb_Blend_NoClip(unsigned char *, const unsigned char *, int, int, int, unsigned char *)()
1015 dest_scan[3] = 0xff;
1016 if (bNonseparableBlend) {
1017 RGB_Blend(blend_type, src_scan, dest_scan, blended_colors);
1018 }
1019 for (int color = 0; color < 3; color++) {
1020 int src_color = *src_scan;
>>> CID 1400325: Insecure data handling (TAINTED_SCALAR)
>>> Casting narrower unsigned "*dest_scan" to wider signed type "int" effectively tests its lower bound.
1021 int blended = bNonseparableBlend
1022 ? blended_colors[color]
1023 : Blend(blend_type, *dest_scan, src_color);
1024 *dest_scan = FXDIB_ALPHA_MERGE(src_color, blended, back_alpha);
1025 dest_scan++;
1026 src_scan++;
** CID 1400324: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 383 in CFX_CTTGSUBTable::ParseCoverageFormat1(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat1 *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 384 in CFX_CTTGSUBTable::ParseCoverageFormat1(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat1 *)()
________________________________________________________________________________________________________
*** CID 1400324: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 383 in CFX_CTTGSUBTable::ParseCoverageFormat1(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat1 *)()
377 FT_Bytes sp = raw;
378 GetUInt16(sp);
379 rec->GlyphCount = GetUInt16(sp);
380 if (rec->GlyphCount <= 0) {
381 return;
382 }
>>> CID 1400324: (TAINTED_SCALAR)
>>> Passing tainted variable "rec->GlyphCount * 2UL" to a tainted sink.
383 rec->GlyphArray.reset(new uint16_t[rec->GlyphCount]);
384 for (i = 0; i < rec->GlyphCount; i++) {
385 rec->GlyphArray[i] = GetUInt16(sp);
386 }
387 }
388
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 384 in CFX_CTTGSUBTable::ParseCoverageFormat1(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat1 *)()
378 GetUInt16(sp);
379 rec->GlyphCount = GetUInt16(sp);
380 if (rec->GlyphCount <= 0) {
381 return;
382 }
383 rec->GlyphArray.reset(new uint16_t[rec->GlyphCount]);
>>> CID 1400324: (TAINTED_SCALAR)
>>> Using tainted variable "rec->GlyphCount" as a loop boundary.
384 for (i = 0; i < rec->GlyphCount; i++) {
385 rec->GlyphArray[i] = GetUInt16(sp);
386 }
387 }
388
389 void CFX_CTTGSUBTable::ParseCoverageFormat2(FT_Bytes raw,
** CID 1400323: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 398 in CFX_CTTGSUBTable::ParseCoverageFormat2(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat2 *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 398 in CFX_CTTGSUBTable::ParseCoverageFormat2(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat2 *)()
________________________________________________________________________________________________________
*** CID 1400323: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 398 in CFX_CTTGSUBTable::ParseCoverageFormat2(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat2 *)()
392 FT_Bytes sp = raw;
393 GetUInt16(sp);
394 rec->RangeCount = GetUInt16(sp);
395 if (rec->RangeCount <= 0) {
396 return;
397 }
>>> CID 1400323: (TAINTED_SCALAR)
>>> Passing tainted variable "<new (context.alloc) [] element count> * 6UL" to a tainted sink.
398 rec->RangeRecord.reset(new TRangeRecord[rec->RangeCount]);
399 for (i = 0; i < rec->RangeCount; i++) {
400 rec->RangeRecord[i].Start = GetUInt16(sp);
401 rec->RangeRecord[i].End = GetUInt16(sp);
402 rec->RangeRecord[i].StartCoverageIndex = GetUInt16(sp);
403 }
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 398 in CFX_CTTGSUBTable::ParseCoverageFormat2(const unsigned char *, CFX_CTTGSUBTable::TCoverageFormat2 *)()
392 FT_Bytes sp = raw;
393 GetUInt16(sp);
394 rec->RangeCount = GetUInt16(sp);
395 if (rec->RangeCount <= 0) {
396 return;
397 }
>>> CID 1400323: (TAINTED_SCALAR)
>>> Using tainted variable "<new (context.alloc) [] element count>" as a loop boundary.
398 rec->RangeRecord.reset(new TRangeRecord[rec->RangeCount]);
399 for (i = 0; i < rec->RangeCount; i++) {
400 rec->RangeRecord[i].Start = GetUInt16(sp);
401 rec->RangeRecord[i].End = GetUInt16(sp);
402 rec->RangeRecord[i].StartCoverageIndex = GetUInt16(sp);
403 }
** CID 1400322: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 330 in CFX_CTTGSUBTable::ParseLookupList(const unsigned char *, CFX_CTTGSUBTable::TLookupList *)()
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 330 in CFX_CTTGSUBTable::ParseLookupList(const unsigned char *, CFX_CTTGSUBTable::TLookupList *)()
________________________________________________________________________________________________________
*** CID 1400322: (TAINTED_SCALAR)
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 330 in CFX_CTTGSUBTable::ParseLookupList(const unsigned char *, CFX_CTTGSUBTable::TLookupList *)()
324 int i;
325 FT_Bytes sp = raw;
326 rec->LookupCount = GetUInt16(sp);
327 if (rec->LookupCount <= 0) {
328 return;
329 }
>>> CID 1400322: (TAINTED_SCALAR)
>>> Passing tainted variable "<new (context.alloc) allocation size>" to a tainted sink.
330 rec->Lookup.reset(new TLookup[rec->LookupCount]);
331 for (i = 0; i < rec->LookupCount; i++) {
332 uint16_t offset = GetUInt16(sp);
333 ParseLookup(&raw[offset], &rec->Lookup[i]);
334 }
335 }
/workdir/UnpackedTarball/pdfium/core/fpdfapi/font/ttgsubtable.cpp: 330 in CFX_CTTGSUBTable::ParseLookupList(const unsigned char *, CFX_CTTGSUBTable::TLookupList *)()
324 int i;
325 FT_Bytes sp = raw;
326 rec->LookupCount = GetUInt16(sp);
327 if (rec->LookupCount <= 0) {
328 return;
329 }
>>> CID 1400322: (TAINTED_SCALAR)
>>> Using tainted variable "<new (context.alloc) [] element count>" as a loop boundary.
330 rec->Lookup.reset(new TLookup[rec->LookupCount]);
331 for (i = 0; i < rec->LookupCount; i++) {
332 uint16_t offset = GetUInt16(sp);
333 ParseLookup(&raw[offset], &rec->Lookup[i]);
334 }
335 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZBnDJeNb0HijxaS4JNJPxk3kpyAm2AYqo71yXmnOxB72ibeUH-2F-2F1Lhi9AZq3dRu-2F4-3D_g-2BrHdvqzaBa155F-2F8AmPhpJzY63UzWDisJV95WUBpGhqFw1ICExHG8aMaV2EoFpyywhefoAuHQyOhLJueyBjWDngLKWlmb6PAKHSkejLvg9-2FRaszJcax2mAogsinIr439I10jsid3tZG-2Bq-2B52OBOhpo3tkRRRYT9oo-2BC24GZfIaV6rgpOFtZx9E7PblSJSHkQRj-2BdICP8-2BvBCcjHooFDCN8oC9-2BD3y-2BzC87DsyZdB-2F8-3D