Fix incorrect expressions reported by Coverity

OpenSCAP · Sep 20, 2023 · 09a532b · 09a532b
1 parent 73d957d
commit 09a532b
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 5 deletions.
diff --git a/0001-Fix-out-of-bounds-access-reported-by-Coverity.patch b/0001-Fix-out-of-bounds-access-reported-by-Coverity.patch
@@ -0,0 +1,26 @@
+From c9cd9c1eaae7cf29fa9c391346d8bbcc202893bb Mon Sep 17 00:00:00 2001
+From: David du Colombier <[email protected]>
+Date: Wed, 20 Sep 2023 12:15:57 +0200
+Subject: [PATCH] Fix out-of-bounds access reported by Coverity
+
+---
+ src/OVAL/probes/probe/worker.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/OVAL/probes/probe/worker.c b/src/OVAL/probes/probe/worker.c
+index fe9e6aa72..cedb339d2 100644
+--- a/src/OVAL/probes/probe/worker.c
++++ b/src/OVAL/probes/probe/worker.c
+@@ -219,6 +219,9 @@ static int probe_varref_create_ctx(const SEXP_t *probe_in, SEXP_t *varrefs, stru
+ 	ent_cnt = SEXP_number_getu_32(r1 = SEXP_list_nth(varrefs, 3));
+ 	SEXP_free(r1);
+
++	if (ent_cnt == UINT32_MAX)
++		return -1;
++
+ 	struct probe_varref_ctx *ctx = malloc(sizeof(struct probe_varref_ctx));
+ 	ctx->pi2 = SEXP_softref((SEXP_t *)probe_in);
+ 	ctx->ent_cnt = ent_cnt;
+-- 
+2.34.1
+
diff --git a/src/OVAL/probes/SEAP/generic/strto.c b/src/OVAL/probes/SEAP/generic/strto.c
@@ -74,7 +74,7 @@ int64_t strto_int64 (const char *str, size_t len, char **endptr, int base)
 {
     int errno_copy = 0;
     int64_t result = 0;
-    char *null_str = calloc(len + 1, sizeof(str));
+    char *null_str = calloc(len + 1, sizeof(*str));
 
     memcpy(null_str, str, len);
     errno = 0;
@@ -90,7 +90,7 @@ uint64_t strto_uint64 (const char *str, size_t len, char **endptr, int base)
 {
     int errno_copy = 0;
     int64_t result = 0;
-    char *null_str = calloc(len + 1, sizeof(str));
+    char *null_str = calloc(len + 1, sizeof(*str));
 
     memcpy(null_str, str, len);
     errno = 0;
@@ -106,7 +106,7 @@ double strto_double (const char *str, size_t len, char **endptr)
 {
     int errno_copy = 0;
     int64_t result = 0;
-    char *null_str = calloc(len + 1, sizeof(str));
+    char *null_str = calloc(len + 1, sizeof(*str));
 
     memcpy(null_str, str, len);
     errno = 0;

diff --git a/src/OVAL/probes/independent/sql57_probe.c b/src/OVAL/probes/independent/sql57_probe.c
@@ -482,7 +482,7 @@ int sql57_probe_main(probe_ctx *ctx, void *arg)
 	err = dbSQL_eval(engine, version, conn, sqlexp, ctx);
 __exit:
 	if (engine != NULL) {
-		__clearmem(conn, strlen(engine));
+		__clearmem(engine, strlen(engine));
 		free(engine);
 	}
 

diff --git a/src/OVAL/probes/independent/sql_probe.c b/src/OVAL/probes/independent/sql_probe.c
@@ -427,7 +427,7 @@ int sql_probe_main(probe_ctx *ctx, void *arg)
 	err = dbSQL_eval(engine, version, conn, sqlexp, ctx);
 __exit:
 	if (engine != NULL) {
-		__clearmem(conn, strlen(engine));
+		__clearmem(engine, strlen(engine));
 		free(engine);
 	}