New Defects reported by Coverity Scan for LibreOffice
scan-admin at coverity.com
scan-admin at coverity.com
Wed Jan 29 13:42:48 UTC 2020
Hi,
Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.
6 new defect(s) introduced to LibreOffice found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1458020: Insecure data handling (TAINTED_SCALAR)
/svl/source/items/macitem.cxx: 110 in SvxMacroTableDtor::Read(SvStream &)()
________________________________________________________________________________________________________
*** CID 1458020: Insecure data handling (TAINTED_SCALAR)
/svl/source/items/macitem.cxx: 110 in SvxMacroTableDtor::Read(SvStream &)()
104 {
105 SAL_WARN("editeng", "Parsing error: " << nMaxRecords <<
106 " max possible entries, but " << nMacro<< " claimed, truncating");
107 nMacro = nMaxRecords;
108 }
109
>>> CID 1458020: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "nMacro" as a loop boundary.
110 for (short i = 0; i < nMacro; ++i)
111 {
112 sal_uInt16 nCurKey, eType = STARBASIC;
113 OUString aLibName, aMacName;
114 rStrm.ReadUInt16( nCurKey );
115 aLibName = readByteString(rStrm);
** CID 1458019: Memory - corruptions (OVERRUN)
/svl/source/numbers/zforscan.cxx: 1645 in ImpSvNumberformatScan::InsertSymbol(unsigned short &, svt::NfSymbolType, const rtl::OUString &)()
________________________________________________________________________________________________________
*** CID 1458019: Memory - corruptions (OVERRUN)
/svl/source/numbers/zforscan.cxx: 1645 in ImpSvNumberformatScan::InsertSymbol(unsigned short &, svt::NfSymbolType, const rtl::OUString &)()
1639 {
1640 return false;
1641 }
1642 ++nStringsCnt;
1643 for (size_t i = nStringsCnt; i > nPos; --i)
1644 {
>>> CID 1458019: Memory - corruptions (OVERRUN)
>>> Overrunning array "this->nTypeArray" of 100 2-byte elements at element index 100 (byte offset 201) using index "i" (which evaluates to 100).
1645 nTypeArray[i] = nTypeArray[i-1];
1646 sStrArray[i] = sStrArray[i-1];
1647 }
1648 }
1649 ++nResultStringsCnt;
1650 nTypeArray[nPos] = static_cast<short>(eType);
** CID 1458018: Insecure data handling (TAINTED_SCALAR)
/filter/source/msfilter/svdfppt.cxx: 1231 in SdrEscherImport::ProcessObj(SvStream &, DffObjData &, SvxMSDffClientData &, tools::Rectangle &, SdrObject *)()
________________________________________________________________________________________________________
*** CID 1458018: Insecure data handling (TAINTED_SCALAR)
/filter/source/msfilter/svdfppt.cxx: 1231 in SdrEscherImport::ProcessObj(SvStream &, DffObjData &, SvxMSDffClientData &, tools::Rectangle &, SdrObject *)()
1225 }
1226 if (nRowCount > 0)
1227 {
1228 std::unique_ptr<sal_uInt32[]> pTableArry(new sal_uInt32[ nRowCount + 2 ]);
1229 pTableArry[ 0 ] = nTableProperties;
1230 pTableArry[ 1 ] = nRowCount;
>>> CID 1458018: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "nRowCount" as a loop boundary.
1231 for ( i = 0; i < nRowCount; i++ )
1232 rSt.ReadUInt32( pTableArry[ i + 2 ] );
1233 rData.pTableRowProperties = std::move(pTableArry);
1234 }
1235 }
1236 }
** CID 1458017: Memory - illegal accesses (OVERRUN)
/svl/source/numbers/zforscan.cxx: 1646 in ImpSvNumberformatScan::InsertSymbol(unsigned short &, svt::NfSymbolType, const rtl::OUString &)()
________________________________________________________________________________________________________
*** CID 1458017: Memory - illegal accesses (OVERRUN)
/svl/source/numbers/zforscan.cxx: 1646 in ImpSvNumberformatScan::InsertSymbol(unsigned short &, svt::NfSymbolType, const rtl::OUString &)()
1640 return false;
1641 }
1642 ++nStringsCnt;
1643 for (size_t i = nStringsCnt; i > nPos; --i)
1644 {
1645 nTypeArray[i] = nTypeArray[i-1];
>>> CID 1458017: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "this->sStrArray" of 100 8-byte elements at element index 100 (byte offset 807) using index "i" (which evaluates to 100).
1646 sStrArray[i] = sStrArray[i-1];
1647 }
1648 }
1649 ++nResultStringsCnt;
1650 nTypeArray[nPos] = static_cast<short>(eType);
1651 sStrArray[nPos] = rStr;
** CID 1458016: Uninitialized members (UNINIT_CTOR)
/sw/source/core/access/AccessibilityIssue.cxx: 22 in sw::AccessibilityIssue::AccessibilityIssue(sfx::AccessibilityIssueID)()
________________________________________________________________________________________________________
*** CID 1458016: Uninitialized members (UNINIT_CTOR)
/sw/source/core/access/AccessibilityIssue.cxx: 22 in sw::AccessibilityIssue::AccessibilityIssue(sfx::AccessibilityIssueID)()
16 {
17 AccessibilityIssue::AccessibilityIssue(sfx::AccessibilityIssueID eIssueID)
18 : sfx::AccessibilityIssue(eIssueID)
19 , m_eIssueObject(IssueObject::UNKNOWN)
20 , m_pDoc(nullptr)
21 {
>>> CID 1458016: Uninitialized members (UNINIT_CTOR)
>>> Non-static class member "m_nEnd" is not initialized in this constructor nor in any functions that it calls.
22 }
23
24 void AccessibilityIssue::setIssueObject(IssueObject eIssueObject) { m_eIssueObject = eIssueObject; }
25
26 void AccessibilityIssue::setDoc(SwDoc* pDoc) { m_pDoc = pDoc; }
27
** CID 1401342: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/shared_ptr_base.h: 550 in std::_Sp_counted_ptr_inplace<sd::GraphicViewShell, std::allocator<sd::GraphicViewShell>, (__gnu_cxx::_Lock_policy)2>::_M_dispose()()
________________________________________________________________________________________________________
*** CID 1401342: Error handling issues (UNCAUGHT_EXCEPT)
/usr/include/c++/8/bits/shared_ptr_base.h: 550 in std::_Sp_counted_ptr_inplace<sd::GraphicViewShell, std::allocator<sd::GraphicViewShell>, (__gnu_cxx::_Lock_policy)2>::_M_dispose()()
544 std::forward<_Args>(__args)...); // might throw
545 }
546
547 ~_Sp_counted_ptr_inplace() noexcept { }
548
549 virtual void
>>> CID 1401342: Error handling issues (UNCAUGHT_EXCEPT)
>>> An exception of type "com::sun::star::uno::RuntimeException" is thrown but the throw list "noexcept" doesn't allow it to be thrown. This will cause a call to unexpected() which usually calls terminate().
550 _M_dispose() noexcept
551 {
552 allocator_traits<_Alloc>::destroy(_M_impl._M_alloc(), _M_ptr());
553 }
554
555 // Override because the allocator needs to know the dynamic type
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZBnDJeNb0HijxaS4JNJPxk3kpyAm2AYqo71yXmnOxB73RtgzoPcQtNNP5dkHLuV1E-3D_g-2BrHdvqzaBa155F-2F8AmPhpJzY63UzWDisJV95WUBpGhqFw1ICExHG8aMaV2EoFpyjKrxDz-2F9L9r15q7dApjlxu2GwAMYV4stHx4FPcftcsP0RtoWHWoTgs-2BZFPKxuGEZzXoOOpKEY-2BhNG-2BVjXaGVJo-2F3MCwCwvyBnBkClQwtTDTscU7oS9AUXao-2BDEENmuEsGzYIhsmA-2Bc1efaQTNWTgubTEjCS6-2BAJH-2Bw5rfXXltI1hFbwkTz1WlgE9a52PNTfr