New Defects reported by Coverity Scan for LibreOffice

scan-admin at coverity.com
Sat Mar 27 19:26:42 UTC 2021


Hi,

Please find the latest report on new defect(s) introduced to LibreOffice found with Coverity Scan.

4 new defect(s) introduced to LibreOffice found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 1474353:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1474353:  Insecure data handling  (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8toolbar.cxx: 402 in SwCTB::Read(SvStream &)()
396     {
397         SAL_INFO("sw.ww8","SwCTB::Read() stream pos 0x" << std::hex << rS.Tell() );
398         nOffSet = rS.Tell();
399         if ( !name.Read( rS ) )
400             return false;
401         rS.ReadInt32( cbTBData );
>>>     CID 1474353:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*rS.m_pBufPos" to "Read", which uses it as a loop boundary.
402         if ( !tb.Read( rS ) )
403             return false;
404         for ( short index = 0; index < nVisualData; ++index )
405         {
406             TBVisualData aVisData;
407             aVisData.Read( rS );

** CID 1473931:  Insecure data handling  (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8par2.cxx: 3729 in WW8RStyle::WW8RStyle(WW8Fib &, SwWW8ImplReader *)()


________________________________________________________________________________________________________
*** CID 1473931:  Insecure data handling  (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8par2.cxx: 3729 in WW8RStyle::WW8RStyle(WW8Fib &, SwWW8ImplReader *)()
3723         , mbCTLFontChanged(false)
3724         , mbFSizeChanged(false)
3725         , mbFCTLSizeChanged(false)
3726         , mbWidowsChanged(false)
3727         , mbBidiChanged(false)
3728     {
>>>     CID 1473931:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "this->m_cstd" to "resize", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
3729         mpIo->m_vColl.resize(m_cstd);
3730     }
3731     
3732     void WW8RStyle::Set1StyleDefaults()
3733     {
3734         // see #i25247#, #i25561#, #i48064#, #i92341# for default font

** CID 1473756:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1473756:  Insecure data handling  (TAINTED_SCALAR)
/sw/source/filter/ww8/ww8par.cxx: 465 in <unnamed>::Sttb::Read(SvStream &)()
459             if (cData > nMaxPossibleRecords)
460                 return false;
461             for ( sal_Int32 index = 0; index < cData; ++index )
462             {
463                 SBBItem aItem;
464                 rS.ReadUInt16( aItem.cchData );
>>>     CID 1473756:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "aItem.cchData" to "read_uInt16s_ToOUString", which uses it as a loop boundary.
465                 aItem.data = read_uInt16s_ToOUString(rS, aItem.cchData);
466                 dataItems.push_back( aItem );
467             }
468         }
469         return true;
470     }

** CID 1473755:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1473755:  Insecure data handling  (TAINTED_SCALAR)
/include/tools/stream.hxx: 461 in read_uInt16_lenPrefixed_uInt16s_ToOUString(SvStream &)()
455     /// 16bit units to an OUString, returned OString's length is number of
456     /// units successfully read.
457     inline OUString read_uInt16_lenPrefixed_uInt16s_ToOUString(SvStream& rStrm)
458     {
459         sal_uInt16 nUnits = 0;
460         rStrm.ReadUInt16( nUnits );
>>>     CID 1473755:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "nUnits" to "read_uInt16s_ToOUString", which uses it as a loop boundary.
461         return read_uInt16s_ToOUString(rStrm, nUnits);
462     }
463     
464     inline OUString read_uInt32_lenPrefixed_uInt16s_ToOUString(SvStream& rStrm)
465     {
466         sal_uInt32 nUnits = 0;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypSs1kiFPuCn2xFdlMIFBirii0zZ9j2-2F9F2XPBcBm2BNgi9duPy3v-2FzgFDd2LJ-2BDKI-3DFI7K_OTq2XUZbbipYjyLSo6GRo-2FpVxQ9OzkDINu9UTS-2FQhSdO0F0jQniitrGlNxDIzPJik17NuiXcVoG1L0tp4qZ2gRTVf9k01t5mvsMixKsv03o3hjPJcjpVYaIOlB3xjEXyoXlpX3-2FMV9DjGHEoSSufOiaYDrSR-2BxSa-2FR8Tp4R-2BaVdr-2F3a76Cl6hU2uWNFSg-2FAsACWogQ-2BoIOoea6Nco6vAGcYCvFDEYc9YyqjGCzcdrKoIx4GBZCl-2FW9Lwznq7YpJz


