From 6af12bf7543b6d68dbdb328a11beebdeb6cc4c2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Honza=20Hor=C3=A1k?=
Date: Mon, 25 Mar 2013 15:52:25 +0100
Subject: [PATCH] Fix issues found by Coverity

---
 gd-sa1.patch | 59 ++++++
 gd-sa2.patch | 515 +++++++++++++++++++++++++++++++++++++++++++++++++++
 gd-sa3.patch | 31 ++++
 gd-sa4.patch | 148 +++++++++++++++
 gd.spec | 13 +-
 5 files changed, 765 insertions(+), 1 deletion(-)
 create mode 100644 gd-sa1.patch
 create mode 100644 gd-sa2.patch
 create mode 100644 gd-sa3.patch
 create mode 100644 gd-sa4.patch

diff --git a/gd-sa1.patch b/gd-sa1.patch
new file mode 100644
index 0000000..dc2b1b9
--- /dev/null
+++ b/gd-sa1.patch
@@ -0,0 +1,59 @@
+These issues were found by Coverity static analysis tool
+
+Error: DEADCODE (CWE-561): [#def3]
+gd-2.0.35/gd.c:3494: cond_cannot_single: Condition "dx == 0L", taking false branch. Now the value of "dx" cannot be equal to 0.
+gd-2.0.35/gd.c:3502: cannot_single: At condition "dx == 0L", the value of "dx" cannot be equal to 0.
+gd-2.0.35/gd.c:3502: dead_error_condition: The condition "dx == 0L" cannot be true.
+gd-2.0.35/gd.c:3502: dead_error_line: Execution cannot reach this expression "dy == 0L" inside statement "if (dx == 0L && dy == 0L){
+...".
+
+Error: DEADCODE (CWE-561): [#def4]
+gd-2.0.35/gd.c:1085: cond_cannot_single: Condition "dx == 0", taking false branch. Now the value of "dx" cannot be equal to 0.
+gd-2.0.35/gd.c:1097: cannot_single: At condition "dx == 0", the value of "dx" cannot be equal to 0.
+gd-2.0.35/gd.c:1097: dead_error_condition: The condition "dx == 0" cannot be true.
+gd-2.0.35/gd.c:1097: dead_error_line: Execution cannot reach this expression "dy == 0" inside statement "if (dx == 0 && dy == 0){
+ ...".
+
+
+diff -up gd-2.0.35/gd.c.sa1 gd-2.0.35/gd.c
+--- gd-2.0.35/gd.c.sa1 2012-12-05 16:23:09.289667430 +0100
++++ gd-2.0.35/gd.c 2012-12-05 16:30:41.634854587 +0100
+@@ -1094,11 +1094,6 @@ BGD_DECLARE(void) gdImageLine (gdImagePt
+ {
+ /* More-or-less horizontal. use wid for vertical stroke */
+ /* Doug Claar: watch out for NaN in atan2 (2.0.5) */
+- if ((dx == 0) && (dy == 0))
+- {
+- wid = 1;
+- }
+- else
+ {
+ /* 2.0.12: Michael Schwartz: divide rather than multiply;
+ TBB: but watch out for /0!
*/
+@@ -3490,6 +3485,12 @@ static void gdImageAALine (gdImagePtr im
+ dx = x2 - x1;
+ dy = y2 - y1;
+
++ if (dx == 0 && dy == 0) {
++ /* TBB: allow setting points */
++ gdImageSetAAPixelColor(im, x1, y1, col, 0xFF);
++ return;
++ }
++
+ /* Axis aligned lines */
+ if (dx == 0) {
+ gdImageVLine(im, x1, y1, y2, col);
+@@ -3499,12 +3500,7 @@ static void gdImageAALine (gdImagePtr im
+ return;
+ }
+
+- if (dx == 0 && dy == 0) {
+- /* TBB: allow setting points */
+- gdImageSetAAPixelColor(im, x1, y1, col, 0xFF);
+- return;
+- }
+- else {
++ {
+ double ag;
+ if (abs(dy) < abs(dx))
+ ag = cos (atan2 (dy, dx));
diff --git a/gd-sa2.patch b/gd-sa2.patch
new file mode 100644
index 0000000..61abb28
--- /dev/null
+++ b/gd-sa2.patch
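Review bot: Both gd.c hunks in this patch leave a bare compound block where the removed `else` used to be — the `+ {` before `double ag;` in gdImageAALine, and the `{` after the Doug Claar comment in gdImageLine — which reads like a leftover of the deletion rather than intent. In gdImageAALine the block still scopes `double ag`, so if it is kept on purpose for declaration placement a one-line comment such as `/* block kept to scope ag */` would say so; in gdImageLine nothing in the hunk shows what the block scopes, so dropping the braces and re-indenting the body, or the same comment, would be clearer. It is also worth a sentence in the patch header that moving the point check ahead of the `dx == 0` test changes the path a zero-length anti-aliased line takes: it now reaches `gdImageSetAAPixelColor(im, x1, y1, col, 0xFF)` rather than `gdImageVLine`, which looks like the intended fix but is a behaviour change rather than pure dead-code removal. Both enclosing functions start and end outside the hunks.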
@@ -0,0 +1,515 @@ +The following issues have been found by Coverity static analysis tool: + +Error: RESOURCE_LEAK (CWE-404): [#def25] +gd-2.0.35/gd.c:2436: cond_false: Condition "overflow2(4 /* sizeof (int) */, srcW)", taking false branch +gd-2.0.35/gd.c:2438: if_end: End of if statement +gd-2.0.35/gd.c:2439: cond_false: Condition "overflow2(4 /* sizeof (int) */, srcH)", taking false branch +gd-2.0.35/gd.c:2441: if_end: End of if statement +gd-2.0.35/gd.c:2442: alloc_fn: Storage is returned from allocation function "gdMalloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: alloc_fn: Storage is returned from allocation function "malloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: return_alloc_fn: Directly returning storage allocated by "malloc(size_t)". +gd-2.0.35/gd.c:2442: var_assign: Assigning: "stx" = storage returned from "gdMalloc(4UL * srcW)". +gd-2.0.35/gd.c:2443: cond_false: Condition "!stx", taking false branch +gd-2.0.35/gd.c:2445: if_end: End of if statement +gd-2.0.35/gd.c:2448: cond_true: Condition "!sty", taking true branch +gd-2.0.35/gd.c:2449: leaked_storage: Variable "stx" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-404): [#def26] +gd-2.0.35/gd.c:2016: cond_false: Condition "!im->tile", taking false branch +gd-2.0.35/gd.c:2018: if_end: End of if statement +gd-2.0.35/gd.c:2021: cond_true: Condition "nc == -5", taking true branch +gd-2.0.35/gd.c:2024: alloc_fn: Storage is returned from allocation function "gdCalloc(size_t, size_t)". +gd-2.0.35/gdhelpers.c:79:3: alloc_fn: Storage is returned from allocation function "calloc(size_t, size_t)". +gd-2.0.35/gdhelpers.c:79:3: return_alloc_fn: Directly returning storage allocated by "calloc(size_t, size_t)". +gd-2.0.35/gd.c:2024: var_assign: Assigning: "pts" = storage returned from "gdCalloc(8UL * im->sy, 4UL)". 
+gd-2.0.35/gd.c:2025: cond_false: Condition "!pts", taking false branch +gd-2.0.35/gd.c:2027: if_end: End of if statement +gd-2.0.35/gd.c:2029: cond_true: Condition "i < im->sy", taking true branch +gd-2.0.35/gd.c:2032: cond_true: Condition "!pts[i]", taking true branch +gd-2.0.35/gd.c:2033: cond_false: Condition "i >= 0", taking false branch +gd-2.0.35/gd.c:2035: loop_end: Reached end of loop +gd-2.0.35/gd.c:2036: leaked_storage: Variable "pts" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-404): [#def27] +gd-2.0.35/gd.c:2016: cond_false: Condition "!im->tile", taking false branch +gd-2.0.35/gd.c:2018: if_end: End of if statement +gd-2.0.35/gd.c:2021: cond_true: Condition "nc == -5", taking true branch +gd-2.0.35/gd.c:2024: alloc_fn: Storage is returned from allocation function "gdCalloc(size_t, size_t)". +gd-2.0.35/gdhelpers.c:79:3: alloc_fn: Storage is returned from allocation function "calloc(size_t, size_t)". +gd-2.0.35/gdhelpers.c:79:3: return_alloc_fn: Directly returning storage allocated by "calloc(size_t, size_t)". +gd-2.0.35/gd.c:2024: var_assign: Assigning: "pts" = storage returned from "gdCalloc(8UL * im->sy, 4UL)". 
+gd-2.0.35/gd.c:2025: cond_false: Condition "!pts", taking false branch +gd-2.0.35/gd.c:2027: if_end: End of if statement +gd-2.0.35/gd.c:2029: cond_true: Condition "i < im->sy", taking true branch +gd-2.0.35/gd.c:2032: cond_false: Condition "!pts[i]", taking false branch +gd-2.0.35/gd.c:2037: if_end: End of if statement +gd-2.0.35/gd.c:2038: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:2029: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:2029: cond_true: Condition "i < im->sy", taking true branch +gd-2.0.35/gd.c:2032: cond_false: Condition "!pts[i]", taking false branch +gd-2.0.35/gd.c:2037: if_end: End of if statement +gd-2.0.35/gd.c:2038: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:2029: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:2029: cond_false: Condition "i < im->sy", taking false branch +gd-2.0.35/gd.c:2038: loop_end: Reached end of loop +gd-2.0.35/gd.c:2041: cond_true: Condition "!stack", taking true branch +gd-2.0.35/gd.c:2042: leaked_storage: Variable "pts" going out of scope leaks the storage it points to. 
+ +Error: RESOURCE_LEAK (CWE-404): [#def28] +gd-2.0.35/gd.c:2803: cond_false: Condition "!fgets(s, 160, fd)", taking false branch +gd-2.0.35/gd.c:2806: if_end: End of if statement +gd-2.0.35/gd.c:2810: cond_false: Condition "!sp", taking false branch +gd-2.0.35/gd.c:2813: if_end: End of if statement +gd-2.0.35/gd.c:2817: cond_false: Condition "!sp", taking false branch +gd-2.0.35/gd.c:2820: if_end: End of if statement +gd-2.0.35/gd.c:2823: cond_false: Condition "!w", taking false branch +gd-2.0.35/gd.c:2826: if_end: End of if statement +gd-2.0.35/gd.c:2827: cond_false: Condition "!fgets(s, 160, fd)", taking false branch +gd-2.0.35/gd.c:2830: if_end: End of if statement +gd-2.0.35/gd.c:2834: cond_false: Condition "!sp", taking false branch +gd-2.0.35/gd.c:2837: if_end: End of if statement +gd-2.0.35/gd.c:2841: cond_false: Condition "!sp", taking false branch +gd-2.0.35/gd.c:2844: if_end: End of if statement +gd-2.0.35/gd.c:2847: cond_false: Condition "!h", taking false branch +gd-2.0.35/gd.c:2850: if_end: End of if statement +gd-2.0.35/gd.c:2852: cond_false: Condition "!fgets(s, 160, fd)", taking false branch +gd-2.0.35/gd.c:2855: if_end: End of if statement +gd-2.0.35/gd.c:2857: alloc_fn: Storage is returned from allocation function "gdImageCreate(int, int)". +gd-2.0.35/gd.c:76:3: cond_false: Condition "overflow2(8 /* sizeof (unsigned char *) */, sy)", taking false branch +gd-2.0.35/gd.c:78:3: if_end: End of if statement +gd-2.0.35/gd.c:79:3: cond_false: Condition "overflow2(8 /* sizeof (unsigned char *) */, sx)", taking false branch +gd-2.0.35/gd.c:81:3: if_end: End of if statement +gd-2.0.35/gd.c:83:3: alloc_fn: Storage is returned from allocation function "gdMalloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: alloc_fn: Storage is returned from allocation function "malloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: return_alloc_fn: Directly returning storage allocated by "malloc(size_t)". +gd-2.0.35/gd.c:83:3: var_assign: Assigning: "im" = "gdMalloc(7304UL)". 
+gd-2.0.35/gd.c:84:2: cond_false: Condition "!im", taking false branch +gd-2.0.35/gd.c:86:2: if_end: End of if statement +gd-2.0.35/gd.c:88:3: noescape: Resource "im" is not freed or pointed-to in function "memset(void *, int, size_t)". +gd-2.0.35/gd.c:91:2: cond_false: Condition "!im->pixels", taking false branch +gd-2.0.35/gd.c:94:2: if_end: End of if statement +gd-2.0.35/gd.c:101:3: cond_true: Condition "i < sy", taking true branch +gd-2.0.35/gd.c:105:4: cond_false: Condition "!im->pixels[i]", taking false branch +gd-2.0.35/gd.c:114:4: if_end: End of if statement +gd-2.0.35/gd.c:116:5: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:101:3: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:101:3: cond_true: Condition "i < sy", taking true branch +gd-2.0.35/gd.c:105:4: cond_false: Condition "!im->pixels[i]", taking false branch +gd-2.0.35/gd.c:114:4: if_end: End of if statement +gd-2.0.35/gd.c:116:5: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:101:3: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:101:3: cond_true: Condition "i < sy", taking true branch +gd-2.0.35/gd.c:105:4: cond_false: Condition "!im->pixels[i]", taking false branch +gd-2.0.35/gd.c:114:4: if_end: End of if statement +gd-2.0.35/gd.c:116:5: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:101:3: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:101:3: cond_false: Condition "i < sy", taking false branch +gd-2.0.35/gd.c:116:5: loop_end: Reached end of loop +gd-2.0.35/gd.c:124:3: cond_true: Condition "i < 256", taking true branch +gd-2.0.35/gd.c:130:5: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:124:3: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:124:3: cond_true: Condition "i < 256", taking true branch +gd-2.0.35/gd.c:130:5: loop: Jumping back to the beginning of the loop +gd-2.0.35/gd.c:124:3: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gd.c:124:3: cond_false: 
Condition "i < 256", taking false branch +gd-2.0.35/gd.c:130:5: loop_end: Reached end of loop +gd-2.0.35/gd.c:137:3: return_alloc: Returning allocated memory "im". +gd-2.0.35/gd.c:2857: var_assign: Assigning: "im" = storage returned from "gdImageCreate(w, h)". +gd-2.0.35/gd.c:2858: cond_false: Condition "!im", taking false branch +gd-2.0.35/gd.c:2860: if_end: End of if statement +gd-2.0.35/gd.c:2862: noescape: Resource "im" is not freed or pointed-to in function "gdImageColorAllocate(gdImagePtr, int, int, int)". +gd-2.0.35/gd.c:478:51: noescape: "gdImageColorAllocate(gdImagePtr, int, int, int)" does not free or save its pointer parameter "im". +gd-2.0.35/gd.c:2863: noescape: Resource "im" is not freed or pointed-to in function "gdImageColorAllocate(gdImagePtr, int, int, int)". +gd-2.0.35/gd.c:478:51: noescape: "gdImageColorAllocate(gdImagePtr, int, int, int)" does not free or save its pointer parameter "im". +gd-2.0.35/gd.c:2866: cond_false: Condition "i < bytes", taking false branch +gd-2.0.35/gd.c:2913: loop_end: Reached end of loop +gd-2.0.35/gd.c:2916: leaked_storage: Variable "im" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-404): [#def29] +gd-2.0.35/gdft.c:881: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:883: cond_true: Condition "(strex->flags & 1) == 1", taking true branch +gd-2.0.35/gdft.c:888: alloc_fn: Storage is returned from allocation function "gdCacheCreate(int, gdCacheTestFn_t, gdCacheFetchFn_t, gdCacheReleaseFn_t)". +gd-2.0.35/gdcache.c:73:3: alloc_fn: Storage is returned from allocation function "gdMalloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: alloc_fn: Storage is returned from allocation function "malloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: return_alloc_fn: Directly returning storage allocated by "malloc(size_t)". +gd-2.0.35/gdcache.c:73:3: var_assign: Assigning: "head" = "gdMalloc(48UL)". 
+gd-2.0.35/gdcache.c:74:2: cond_false: Condition "!head", taking false branch +gd-2.0.35/gdcache.c:76:2: if_end: End of if statement +gd-2.0.35/gdcache.c:83:3: return_alloc: Returning allocated memory "head". +gd-2.0.35/gdft.c:888: var_assign: Assigning: "tc_cache" = storage returned from "gdCacheCreate(32, tweenColorTest(void *, void *), tweenColorFetch(char **, void *), tweenColorRelease(void *))". +gd-2.0.35/gdft.c:893: cond_true: Condition "!fontCache", taking true branch +gd-2.0.35/gdft.c:895: cond_false: Condition "gdFontCacheSetup() != 0", taking false branch +gd-2.0.35/gdft.c:899: if_end: End of if statement +gd-2.0.35/gdft.c:905: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:906: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:909: if_end: End of if statement +gd-2.0.35/gdft.c:912: cond_false: Condition "!font", taking false branch +gd-2.0.35/gdft.c:917: if_end: End of if statement +gd-2.0.35/gdft.c:921: cond_true: Condition "brect", taking true branch +gd-2.0.35/gdft.c:935: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:937: cond_true: Condition "strex->flags & 4", taking true branch +gd-2.0.35/gdft.c:942: cond_true: Condition "strex->flags & 0x10", taking true branch +gd-2.0.35/gdft.c:948: cond_true: Condition "strex->flags & 2", taking true branch +gd-2.0.35/gdft.c:953: cond_true: Condition "strex->flags & 0x80", taking true branch +gd-2.0.35/gdft.c:954: cond_false: Condition "0", taking false branch +gd-2.0.35/gdft.c:954: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:956: if_end: End of if statement +gd-2.0.35/gdft.c:969: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), 300, 300)", taking false branch +gd-2.0.35/gdft.c:974: if_end: End of if statement +gd-2.0.35/gdft.c:976: cond_true: Condition "render", taking true branch +gd-2.0.35/gdft.c:980: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), hdpi, vdpi)", 
taking false branch +gd-2.0.35/gdft.c:985: if_end: End of if statement +gd-2.0.35/gdft.c:988: cond_true: Condition "fg < 0", taking true branch +gd-2.0.35/gdft.c:993: cond_true: Condition "i < face->num_charmaps", taking true branch +gd-2.0.35/gdft.c:998: cond_true: Condition "encoding == 0", taking true branch +gd-2.0.35/gdft.c:1000: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch +gd-2.0.35/gdft.c:1006: break: Breaking from loop +gd-2.0.35/gdft.c:1070: loop_end: Reached end of loop +gd-2.0.35/gdft.c:1071: cond_true: Condition "encodingfound", taking true branch +gd-2.0.35/gdft.c:1074: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:1080: if_end: End of if statement +gd-2.0.35/gdft.c:1083: cond_false: Condition "encoding == 1", taking false branch +gd-2.0.35/gdft.c:1098: else_branch: Reached else branch +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_true: Condition "ch == 13", taking true branch +gd-2.0.35/gdft.c:1122: continue: Continuing loop +gd-2.0.35/gdft.c:1355: loop: Looping back +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_true: Condition "ch == 13", taking true branch +gd-2.0.35/gdft.c:1122: continue: Continuing loop +gd-2.0.35/gdft.c:1355: loop: Looping back +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch +gd-2.0.35/gdft.c:1123: if_end: End of if statement +gd-2.0.35/gdft.c:1125: cond_true: Condition "ch == 10", taking true branch +gd-2.0.35/gdft.c:1133: continue: Continuing loop +gd-2.0.35/gdft.c:1355: loop: Looping back +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch +gd-2.0.35/gdft.c:1123: if_end: End of if statement +gd-2.0.35/gdft.c:1125: cond_false: Condition "ch == 10", 
taking false branch +gd-2.0.35/gdft.c:1134: if_end: End of if statement +gd-2.0.35/gdft.c:1137: switch: Switch case value "0" +gd-2.0.35/gdft.c:1139: switch_case: Reached case "0" +gd-2.0.35/gdft.c:1147: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch +gd-2.0.35/gdft.c:1160: break: Breaking from switch +gd-2.0.35/gdft.c:1218: switch_end: Reached end of switch +gd-2.0.35/gdft.c:1224: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1224: cond_false: Condition "strex->flags & 8", taking false branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "!(face->face_flags & (4L /* 1L << 2 */))", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "face->face_flags & (64L /* 1L << 6 */)", taking true branch +gd-2.0.35/gdft.c:1224: cond_false: Condition "previous", taking false branch +gd-2.0.35/gdft.c:1231: else_branch: Reached else branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "i", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex->flags & 0x10", taking true branch +gd-2.0.35/gdft.c:1242: cond_true: Condition "!xshow_alloc", taking true branch +gd-2.0.35/gdft.c:1245: cond_false: Condition "!strex->xshow", taking false branch +gd-2.0.35/gdft.c:1247: if_end: End of if statement +gd-2.0.35/gdft.c:1249: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:1256: if_end: End of if statement +gd-2.0.35/gdft.c:1264: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1269: if_end: End of if statement +gd-2.0.35/gdft.c:1273: cond_true: Condition "brect", taking true branch +gd-2.0.35/gdft.c:1281: cond_false: Condition "ch == 32", taking false branch +gd-2.0.35/gdft.c:1286: else_branch: Reached else branch +gd-2.0.35/gdft.c:1295: cond_false: Condition "i == 0", taking false branch +gd-2.0.35/gdft.c:1301: else_branch: Reached else branch +gd-2.0.35/gdft.c:1302: cond_true: Condition 
"glyph_min.x < total_min.x", taking true branch +gd-2.0.35/gdft.c:1304: cond_true: Condition "glyph_min.y < total_min.y", taking true branch +gd-2.0.35/gdft.c:1306: cond_true: Condition "glyph_max.x > total_max.x", taking true branch +gd-2.0.35/gdft.c:1308: cond_true: Condition "glyph_max.y > total_max.y", taking true branch +gd-2.0.35/gdft.c:1313: cond_true: Condition "render", taking true branch +gd-2.0.35/gdft.c:1319: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1324: if_end: End of if statement +gd-2.0.35/gdft.c:1329: cond_true: Condition "image->format != FT_GLYPH_FORMAT_BITMAP", taking true branch +gd-2.0.35/gdft.c:1332: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1337: if_end: End of if statement +gd-2.0.35/gdft.c:1344: noescape: Resource "tc_cache" is not freed or pointed-to in function "gdft_draw_bitmap(gdCache_head_t *, gdImage *, int, FT_Bitmap, int, int)". +gd-2.0.35/gdft.c:614:36: noescape: "gdft_draw_bitmap(gdCache_head_t *, gdImage *, int, FT_Bitmap, int, int)" does not free or save its pointer parameter "tc_cache". 
+gd-2.0.35/gdft.c:1355: loop: Jumping back to the beginning of the loop +gd-2.0.35/gdft.c:1110: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch +gd-2.0.35/gdft.c:1123: if_end: End of if statement +gd-2.0.35/gdft.c:1125: cond_false: Condition "ch == 10", taking false branch +gd-2.0.35/gdft.c:1134: if_end: End of if statement +gd-2.0.35/gdft.c:1137: switch: Switch case value "0" +gd-2.0.35/gdft.c:1139: switch_case: Reached case "0" +gd-2.0.35/gdft.c:1147: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch +gd-2.0.35/gdft.c:1160: break: Breaking from switch +gd-2.0.35/gdft.c:1218: switch_end: Reached end of switch +gd-2.0.35/gdft.c:1224: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1224: cond_false: Condition "strex->flags & 8", taking false branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "!(face->face_flags & (4L /* 1L << 2 */))", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "face->face_flags & (64L /* 1L << 6 */)", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "previous", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "glyph_index", taking true branch +gd-2.0.35/gdft.c:1229: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:1231: if_end: End of if statement +gd-2.0.35/gdft.c:1238: cond_true: Condition "i", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex->flags & 0x10", taking true branch +gd-2.0.35/gdft.c:1242: cond_false: Condition "!xshow_alloc", taking false branch +gd-2.0.35/gdft.c:1250: else_branch: Reached else branch +gd-2.0.35/gdft.c:1250: cond_true: Condition "xshow_pos + 20 > xshow_alloc", taking true branch +gd-2.0.35/gdft.c:1253: cond_false: Condition "!strex->xshow", taking 
false branch +gd-2.0.35/gdft.c:1255: if_end: End of if statement +gd-2.0.35/gdft.c:1264: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1269: if_end: End of if statement +gd-2.0.35/gdft.c:1273: cond_true: Condition "brect", taking true branch +gd-2.0.35/gdft.c:1281: cond_false: Condition "ch == 32", taking false branch +gd-2.0.35/gdft.c:1286: else_branch: Reached else branch +gd-2.0.35/gdft.c:1295: cond_false: Condition "i == 0", taking false branch +gd-2.0.35/gdft.c:1301: else_branch: Reached else branch +gd-2.0.35/gdft.c:1302: cond_true: Condition "glyph_min.x < total_min.x", taking true branch +gd-2.0.35/gdft.c:1304: cond_true: Condition "glyph_min.y < total_min.y", taking true branch +gd-2.0.35/gdft.c:1306: cond_true: Condition "glyph_max.x > total_max.x", taking true branch +gd-2.0.35/gdft.c:1308: cond_true: Condition "glyph_max.y > total_max.y", taking true branch +gd-2.0.35/gdft.c:1313: cond_true: Condition "render", taking true branch +gd-2.0.35/gdft.c:1319: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1324: if_end: End of if statement +gd-2.0.35/gdft.c:1329: cond_true: Condition "image->format != FT_GLYPH_FORMAT_BITMAP", taking true branch +gd-2.0.35/gdft.c:1332: cond_false: Condition "err", taking false branch +gd-2.0.35/gdft.c:1337: if_end: End of if statement +gd-2.0.35/gdft.c:1344: noescape: Resource "tc_cache" is not freed or pointed-to in function "gdft_draw_bitmap(gdCache_head_t *, gdImage *, int, FT_Bitmap, int, int)". +gd-2.0.35/gdft.c:614:36: noescape: "gdft_draw_bitmap(gdCache_head_t *, gdImage *, int, FT_Bitmap, int, int)" does not free or save its pointer parameter "tc_cache". 
+gd-2.0.35/gdft.c:1355: loop: Jumping back to the beginning of the loop +gd-2.0.35/gdft.c:1110: loop_begin: Jumped back to beginning of loop +gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch +gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch +gd-2.0.35/gdft.c:1123: if_end: End of if statement +gd-2.0.35/gdft.c:1125: cond_false: Condition "ch == 10", taking false branch +gd-2.0.35/gdft.c:1134: if_end: End of if statement +gd-2.0.35/gdft.c:1137: switch: Switch case value "0" +gd-2.0.35/gdft.c:1139: switch_case: Reached case "0" +gd-2.0.35/gdft.c:1147: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch +gd-2.0.35/gdft.c:1160: break: Breaking from switch +gd-2.0.35/gdft.c:1218: switch_end: Reached end of switch +gd-2.0.35/gdft.c:1224: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1224: cond_false: Condition "strex->flags & 8", taking false branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "!(face->face_flags & (4L /* 1L << 2 */))", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "face->face_flags & (64L /* 1L << 6 */)", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "previous", taking true branch +gd-2.0.35/gdft.c:1224: cond_true: Condition "glyph_index", taking true branch +gd-2.0.35/gdft.c:1229: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:1231: if_end: End of if statement +gd-2.0.35/gdft.c:1238: cond_true: Condition "i", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:1238: cond_true: Condition "strex->flags & 0x10", taking true branch +gd-2.0.35/gdft.c:1242: cond_false: Condition "!xshow_alloc", taking false branch +gd-2.0.35/gdft.c:1250: else_branch: Reached else branch +gd-2.0.35/gdft.c:1250: cond_true: Condition "xshow_pos + 20 > xshow_alloc", taking true branch +gd-2.0.35/gdft.c:1253: cond_true: Condition "!strex->xshow", taking true 
branch +gd-2.0.35/gdft.c:1254: leaked_storage: Variable "tc_cache" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK (CWE-404): [#def30] +gd-2.0.35/gdft.c:881: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:883: cond_true: Condition "(strex->flags & 1) == 1", taking true branch +gd-2.0.35/gdft.c:888: alloc_fn: Storage is returned from allocation function "gdCacheCreate(int, gdCacheTestFn_t, gdCacheFetchFn_t, gdCacheReleaseFn_t)". +gd-2.0.35/gdcache.c:73:3: alloc_fn: Storage is returned from allocation function "gdMalloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: alloc_fn: Storage is returned from allocation function "malloc(size_t)". +gd-2.0.35/gdhelpers.c:85:3: return_alloc_fn: Directly returning storage allocated by "malloc(size_t)". +gd-2.0.35/gdcache.c:73:3: var_assign: Assigning: "head" = "gdMalloc(48UL)". +gd-2.0.35/gdcache.c:74:2: cond_false: Condition "!head", taking false branch +gd-2.0.35/gdcache.c:76:2: if_end: End of if statement +gd-2.0.35/gdcache.c:83:3: return_alloc: Returning allocated memory "head". +gd-2.0.35/gdft.c:888: var_assign: Assigning: "tc_cache" = storage returned from "gdCacheCreate(32, tweenColorTest(void *, void *), tweenColorFetch(char **, void *), tweenColorRelease(void *))". 
+gd-2.0.35/gdft.c:893: cond_true: Condition "!fontCache", taking true branch +gd-2.0.35/gdft.c:895: cond_false: Condition "gdFontCacheSetup() != 0", taking false branch +gd-2.0.35/gdft.c:899: if_end: End of if statement +gd-2.0.35/gdft.c:905: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:906: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:909: if_end: End of if statement +gd-2.0.35/gdft.c:912: cond_false: Condition "!font", taking false branch +gd-2.0.35/gdft.c:917: if_end: End of if statement +gd-2.0.35/gdft.c:921: cond_true: Condition "brect", taking true branch +gd-2.0.35/gdft.c:935: cond_true: Condition "strex", taking true branch +gd-2.0.35/gdft.c:937: cond_true: Condition "strex->flags & 4", taking true branch +gd-2.0.35/gdft.c:942: cond_true: Condition "strex->flags & 0x10", taking true branch +gd-2.0.35/gdft.c:948: cond_true: Condition "strex->flags & 2", taking true branch +gd-2.0.35/gdft.c:953: cond_true: Condition "strex->flags & 0x80", taking true branch +gd-2.0.35/gdft.c:954: cond_false: Condition "0", taking false branch +gd-2.0.35/gdft.c:954: if_fallthrough: Falling through to end of if statement +gd-2.0.35/gdft.c:956: if_end: End of if statement +gd-2.0.35/gdft.c:969: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), 300, 300)", taking false branch +gd-2.0.35/gdft.c:974: if_end: End of if statement +gd-2.0.35/gdft.c:976: cond_true: Condition "render", taking true branch +gd-2.0.35/gdft.c:980: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), hdpi, vdpi)", taking false branch +gd-2.0.35/gdft.c:985: if_end: End of if statement +gd-2.0.35/gdft.c:988: cond_true: Condition "fg < 0", taking true branch +gd-2.0.35/gdft.c:993: cond_true: Condition "i < face->num_charmaps", taking true branch +gd-2.0.35/gdft.c:998: cond_true: Condition "encoding == 0", taking true branch +gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", 
taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_UNICODE", taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_ADOBE_CUSTOM", taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_ADOBE_STANDARD", taking false branch
+gd-2.0.35/gdft.c:1007: if_end: End of if statement
+gd-2.0.35/gdft.c:1008: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gdft.c:1040: if_end: End of if statement
+gd-2.0.35/gdft.c:1070: loop: Jumping back to the beginning of the loop
+gd-2.0.35/gdft.c:993: loop_begin: Jumped back to beginning of loop
+gd-2.0.35/gdft.c:993: cond_true: Condition "i < face->num_charmaps", taking true branch
+gd-2.0.35/gdft.c:998: cond_true: Condition "encoding == 0", taking true branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_UNICODE", taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_ADOBE_CUSTOM", taking false branch
+gd-2.0.35/gdft.c:1000: cond_false: Condition "charmap->encoding == FT_ENCODING_ADOBE_STANDARD", taking false branch
+gd-2.0.35/gdft.c:1007: if_end: End of if statement
+gd-2.0.35/gdft.c:1008: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gdft.c:1040: if_end: End of if statement
+gd-2.0.35/gdft.c:1070: loop: Jumping back to the beginning of the loop
+gd-2.0.35/gdft.c:993: loop_begin: Jumped back to beginning of loop
+gd-2.0.35/gdft.c:993: cond_false: Condition "i < face->num_charmaps", taking false branch
+gd-2.0.35/gdft.c:1070: loop_end: Reached end of loop
+gd-2.0.35/gdft.c:1071: cond_false: Condition "encodingfound", taking false branch
+gd-2.0.35/gdft.c:1076: else_branch: Reached else branch
+gd-2.0.35/gdft.c:1079: leaked_storage: Variable "tc_cache" going out of scope leaks the storage it points to.
+
+Error: RESOURCE_LEAK (CWE-404): [#def31]
+gd-2.0.35/gdft.c:881: cond_true: Condition "strex", taking true branch
+gd-2.0.35/gdft.c:883: cond_true: Condition "(strex->flags & 1) == 1", taking true branch
+gd-2.0.35/gdft.c:888: alloc_fn: Storage is returned from allocation function "gdCacheCreate(int, gdCacheTestFn_t, gdCacheFetchFn_t, gdCacheReleaseFn_t)".
+gd-2.0.35/gdcache.c:73:3: alloc_fn: Storage is returned from allocation function "gdMalloc(size_t)".
+gd-2.0.35/gdhelpers.c:85:3: alloc_fn: Storage is returned from allocation function "malloc(size_t)".
+gd-2.0.35/gdhelpers.c:85:3: return_alloc_fn: Directly returning storage allocated by "malloc(size_t)".
+gd-2.0.35/gdcache.c:73:3: var_assign: Assigning: "head" = "gdMalloc(48UL)".
+gd-2.0.35/gdcache.c:74:2: cond_false: Condition "!head", taking false branch
+gd-2.0.35/gdcache.c:76:2: if_end: End of if statement
+gd-2.0.35/gdcache.c:83:3: return_alloc: Returning allocated memory "head".
+gd-2.0.35/gdft.c:888: var_assign: Assigning: "tc_cache" = storage returned from "gdCacheCreate(32, tweenColorTest(void *, void *), tweenColorFetch(char **, void *), tweenColorRelease(void *))".
+gd-2.0.35/gdft.c:893: cond_true: Condition "!fontCache", taking true branch
+gd-2.0.35/gdft.c:895: cond_false: Condition "gdFontCacheSetup() != 0", taking false branch
+gd-2.0.35/gdft.c:899: if_end: End of if statement
+gd-2.0.35/gdft.c:905: cond_true: Condition "strex", taking true branch
+gd-2.0.35/gdft.c:906: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gdft.c:909: if_end: End of if statement
+gd-2.0.35/gdft.c:912: cond_false: Condition "!font", taking false branch
+gd-2.0.35/gdft.c:917: if_end: End of if statement
+gd-2.0.35/gdft.c:921: cond_true: Condition "brect", taking true branch
+gd-2.0.35/gdft.c:935: cond_true: Condition "strex", taking true branch
+gd-2.0.35/gdft.c:937: cond_true: Condition "strex->flags & 4", taking true branch
+gd-2.0.35/gdft.c:942: cond_true: Condition "strex->flags & 0x10", taking true branch
+gd-2.0.35/gdft.c:948: cond_true: Condition "strex->flags & 2", taking true branch
+gd-2.0.35/gdft.c:953: cond_true: Condition "strex->flags & 0x80", taking true branch
+gd-2.0.35/gdft.c:954: cond_false: Condition "0", taking false branch
+gd-2.0.35/gdft.c:954: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gdft.c:956: if_end: End of if statement
+gd-2.0.35/gdft.c:969: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), 300, 300)", taking false branch
+gd-2.0.35/gdft.c:974: if_end: End of if statement
+gd-2.0.35/gdft.c:976: cond_true: Condition "render", taking true branch
+gd-2.0.35/gdft.c:980: cond_false: Condition "FT_Set_Char_Size(face, 0, (FT_F26Dot6)(ptsize * 64), hdpi, vdpi)", taking false branch
+gd-2.0.35/gdft.c:985: if_end: End of if statement
+gd-2.0.35/gdft.c:988: cond_true: Condition "fg < 0", taking true branch
+gd-2.0.35/gdft.c:993: cond_true: Condition "i < face->num_charmaps", taking true branch
+gd-2.0.35/gdft.c:998: cond_true: Condition "encoding == 0", taking true branch
+gd-2.0.35/gdft.c:1000: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch
+gd-2.0.35/gdft.c:1006: break: Breaking from loop
+gd-2.0.35/gdft.c:1070: loop_end: Reached end of loop
+gd-2.0.35/gdft.c:1071: cond_true: Condition "encodingfound", taking true branch
+gd-2.0.35/gdft.c:1074: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gdft.c:1080: if_end: End of if statement
+gd-2.0.35/gdft.c:1083: cond_false: Condition "encoding == 1", taking false branch
+gd-2.0.35/gdft.c:1098: else_branch: Reached else branch
+gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch
+gd-2.0.35/gdft.c:1117: cond_true: Condition "ch == 13", taking true branch
+gd-2.0.35/gdft.c:1122: continue: Continuing loop
+gd-2.0.35/gdft.c:1355: loop: Looping back
+gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch
+gd-2.0.35/gdft.c:1117: cond_true: Condition "ch == 13", taking true branch
+gd-2.0.35/gdft.c:1122: continue: Continuing loop
+gd-2.0.35/gdft.c:1355: loop: Looping back
+gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch
+gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch
+gd-2.0.35/gdft.c:1123: if_end: End of if statement
+gd-2.0.35/gdft.c:1125: cond_true: Condition "ch == 10", taking true branch
+gd-2.0.35/gdft.c:1133: continue: Continuing loop
+gd-2.0.35/gdft.c:1355: loop: Looping back
+gd-2.0.35/gdft.c:1110: cond_true: Condition "*next", taking true branch
+gd-2.0.35/gdft.c:1117: cond_false: Condition "ch == 13", taking false branch
+gd-2.0.35/gdft.c:1123: if_end: End of if statement
+gd-2.0.35/gdft.c:1125: cond_false: Condition "ch == 10", taking false branch
+gd-2.0.35/gdft.c:1134: if_end: End of if statement
+gd-2.0.35/gdft.c:1137: switch: Switch case value "0"
+gd-2.0.35/gdft.c:1139: switch_case: Reached case "0"
+gd-2.0.35/gdft.c:1147: cond_true: Condition "charmap->encoding == FT_ENCODING_MS_SYMBOL", taking true branch
+gd-2.0.35/gdft.c:1160: break: Breaking from switch
+gd-2.0.35/gdft.c:1218: switch_end: Reached end of switch
+gd-2.0.35/gdft.c:1224: cond_true: Condition "strex", taking true branch
+gd-2.0.35/gdft.c:1224: cond_false: Condition "strex->flags & 8", taking false branch
+gd-2.0.35/gdft.c:1224: cond_true: Condition "!(face->face_flags & (4L /* 1L << 2 */))", taking true branch
+gd-2.0.35/gdft.c:1224: cond_true: Condition "face->face_flags & (64L /* 1L << 6 */)", taking true branch
+gd-2.0.35/gdft.c:1224: cond_false: Condition "previous", taking false branch
+gd-2.0.35/gdft.c:1231: else_branch: Reached else branch
+gd-2.0.35/gdft.c:1238: cond_true: Condition "i", taking true branch
+gd-2.0.35/gdft.c:1238: cond_true: Condition "strex", taking true branch
+gd-2.0.35/gdft.c:1238: cond_true: Condition "strex->flags & 0x10", taking true branch
+gd-2.0.35/gdft.c:1242: cond_true: Condition "!xshow_alloc", taking true branch
+gd-2.0.35/gdft.c:1245: cond_true: Condition "!strex->xshow", taking true branch
+gd-2.0.35/gdft.c:1246: leaked_storage: Variable "tc_cache" going out of scope leaks the storage it points to.
+
+
+diff -up gd-2.0.35/gd.c.sa2 gd-2.0.35/gd.c
+--- gd-2.0.35/gd.c.sa2 2012-12-05 17:01:03.989841899 +0100
++++ gd-2.0.35/gd.c 2012-12-05 17:06:58.283055944 +0100
+@@ -2028,12 +2028,17 @@ void _gdImageFillTiled(gdImagePtr im, in
+ for (--i ; i >= 0; i--) {
+ gdFree(pts[i]);
+ }
++ gdFree(pts);
+ return;
+ }
+ }
+
+ stack = (struct seg *)gdMalloc(sizeof(struct seg) * ((int)(im->sy*im->sx)/4));
+ if (!stack) {
++ for (i=0; isy;i++) {
++ gdFree(pts[i]);
++ }
++ gdFree(pts);
+ return;
+ }
+ sp = stack;
+@@ -2441,6 +2446,7 @@ BGD_DECLARE(void) gdImageCopyResized (gd
+
+ sty = (int *) gdMalloc (sizeof (int) * srcH);
+ if (!sty) {
++ gdFree(stx);
+ return;
+ }
+
+@@ -2908,7 +2914,6 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro
+ }
+ /* Shouldn't happen */
+ fprintf (stderr, "Error: bug in gdImageCreateFromXbm!\n");
+- return 0;
+ fail:
+ gdImageDestroy (im);
+ return 0;
+diff -up gd-2.0.35/gdft.c.sa2 gd-2.0.35/gdft.c
+--- gd-2.0.35/gdft.c.sa2 2012-12-05 17:30:16.884852950 +0100
++++ gd-2.0.35/gdft.c 2012-12-05 17:11:42.635217211 +0100
+@@ -1076,6 +1076,7 @@ BGD_DECLARE(char *) gdImageStringFTEx (g
+ {
+ /* No character set found! */
+ gdMutexUnlock (gdFontCacheMutex);
++ gdCacheDelete (tc_cache);
+ return "No character set found";
+ }
+
+@@ -1243,6 +1244,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
+ xshow_alloc = 100;
+ strex->xshow = gdMalloc(xshow_alloc);
+ if (!strex->xshow) {
++ gdCacheDelete (tc_cache);
+ return 0;
+ }
+ xshow_pos = 0;
+@@ -1251,6 +1253,7 @@ fprintf(stderr,"dpi=%d,%d metric_res=%d
+ xshow_alloc += 100;
+ strex->xshow = gdRealloc(strex->xshow, xshow_alloc);
+ if (!strex->xshow) {
++ gdCacheDelete (tc_cache);
+ return 0;
+ }
+ }
diff --git a/gd-sa3.patch b/gd-sa3.patch
new file mode 100644
index 0000000..62ee2ea
--- /dev/null
+++ b/gd-sa3.patch
@@ -0,0 +1,31 @@
+The following issue has been found by Coverity static analysis tool.
+
+Error: STRING_OVERFLOW (CWE-120): [#def53]
+gd-2.0.35/annotate.c:42: cond_false: Condition "argc != 3", taking false branch
+gd-2.0.35/annotate.c:60: if_end: End of if statement
+gd-2.0.35/annotate.c:64: cond_false: Condition "!in", taking false branch
+gd-2.0.35/annotate.c:68: if_end: End of if statement
+gd-2.0.35/annotate.c:75: cond_false: Condition "!im", taking false branch
+gd-2.0.35/annotate.c:79: if_end: End of if statement
+gd-2.0.35/annotate.c:80: cond_true: Condition "fgets(s, 1024 /* sizeof (s) */, stdin)", taking true branch
+gd-2.0.35/annotate.c:85: cond_false: Condition "!st", taking false branch
+gd-2.0.35/annotate.c:89: if_end: End of if statement
+gd-2.0.35/annotate.c:90: cond_true: Condition "!__coverity_strcmp(st, "font")", taking true branch
+gd-2.0.35/annotate.c:93: cond_false: Condition "!st", taking false branch
+gd-2.0.35/annotate.c:96: if_end: End of if statement
+gd-2.0.35/annotate.c:97: fixed_size_dest: You might overrun the 1024 byte fixed-size string "font" by copying "st" without checking the length.
+
+diff -up gd-2.0.35/annotate.c.sa3 gd-2.0.35/annotate.c
+--- gd-2.0.35/annotate.c.sa3 2012-12-05 17:26:21.157729019 +0100
++++ gd-2.0.35/annotate.c 2012-12-05 17:27:31.762762209 +0100
+@@ -94,6 +94,10 @@ main (int argc, char *argv[])
+ {
+ goto badLine;
+ }
++ if (strlen(st) >= sizeof(font) - 1)
++ {
++ goto badLine;
++ }
+ strcpy (font, st);
+ }
+ else if (!strcmp (st, "align"))
diff --git a/gd-sa4.patch b/gd-sa4.patch
new file mode 100644
index 0000000..50d33d0
--- /dev/null
+++ b/gd-sa4.patch
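Review bot: The new guard is one character stricter than the copy needs: `strcpy` requires `strlen(st) + 1 <= sizeof(font)`, so the exact overflow condition is `if (strlen(st) >= sizeof(font))`, and with the `- 1` a font name that would just fit is still sent to `badLine`. That is safe, only conservative, so either drop the `- 1` or leave a comment saying the extra byte of slack is deliberate. Coverity's own trace shows `s` (the `fgets` buffer that `st` presumably points into via `strtok`) and `font` are both 1024 bytes, so the copy could not actually overrun today; the check is still worth keeping so that resizing either buffer independently stays safe, which a comment such as `/* st points into s; bound the copy so font and s can be sized independently */` would make explicit. `main` starts and ends outside this hunk.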
@@ -0,0 +1,148 @@
+The following issue has been found by Coverity static analysis tool.
+
+Error: FORWARD_NULL (CWE-476): [#def5]
+gd-2.0.35/gd_topal.c:1790: assign_zero: Assigning: "cquantize" = "NULL".
+gd-2.0.35/gd_topal.c:1798: cond_false: Condition "cimP", taking false branch
+gd-2.0.35/gd_topal.c:1804: else_branch: Reached else branch
+gd-2.0.35/gd_topal.c:1807: cond_false: Condition "!oim->trueColor", taking false branch
+gd-2.0.35/gd_topal.c:1815: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1819: cond_true: Condition "oim->transparent >= 0", taking true branch
+gd-2.0.35/gd_topal.c:1823: cond_true: Condition "colorsWanted > maxColors", taking true branch
+gd-2.0.35/gd_topal.c:1827: cond_true: Condition "!cimP", taking true branch
+gd-2.0.35/gd_topal.c:1829: cond_false: Condition "!nim->pixels", taking false branch
+gd-2.0.35/gd_topal.c:1833: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1834: cond_true: Condition "i < nim->sy", taking true branch
+gd-2.0.35/gd_topal.c:1837: cond_true: Condition "!nim->pixels[i]", taking true branch
+gd-2.0.35/gd_topal.c:1839: goto: Jumping to label "outOfMemory"
+gd-2.0.35/gd_topal.c:2027: label: Reached label "outOfMemory"
+gd-2.0.35/gd_topal.c:2028: cond_true: Condition "oim->trueColor", taking true branch
+gd-2.0.35/gd_topal.c:2030: cond_true: Condition "!cimP", taking true branch
+gd-2.0.35/gd_topal.c:2032: cond_true: Condition "i < nim->sy", taking true branch
+gd-2.0.35/gd_topal.c:2034: cond_true: Condition "nim->pixels[i]", taking true branch
+gd-2.0.35/gd_topal.c:2038: loop: Jumping back to the beginning of the loop
+gd-2.0.35/gd_topal.c:2032: loop_begin: Jumped back to beginning of loop
+gd-2.0.35/gd_topal.c:2032: cond_true: Condition "i < nim->sy", taking true branch
+gd-2.0.35/gd_topal.c:2034: cond_true: Condition "nim->pixels[i]", taking true branch
+gd-2.0.35/gd_topal.c:2038: loop: Jumping back to the beginning of the loop
+gd-2.0.35/gd_topal.c:2032: loop_begin: Jumped back to beginning of loop
+gd-2.0.35/gd_topal.c:2032: cond_false: Condition "i < nim->sy", taking false branch
+gd-2.0.35/gd_topal.c:2038: loop_end: Reached end of loop
+gd-2.0.35/gd_topal.c:2039: cond_true: Condition "nim->pixels", taking true branch
+gd-2.0.35/gd_topal.c:2044: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gd_topal.c:2047: if_end: End of if statement
+gd-2.0.35/gd_topal.c:2050: cond_true: Condition "i < (32 /* 1 << 5 */)", taking true branch
+gd-2.0.35/gd_topal.c:2052: var_deref_op: Dereferencing null pointer "cquantize".
+
+Error: FORWARD_NULL (CWE-476): [#def6]
+gd-2.0.35/gd_topal.c:1798: cond_true: Condition "cimP", taking true branch
+gd-2.0.35/gd_topal.c:1801: cond_false: Condition "!nim", taking false branch
+gd-2.0.35/gd_topal.c:1803: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1804: if_fallthrough: Falling through to end of if statement
+gd-2.0.35/gd_topal.c:1806: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1807: cond_false: Condition "!oim->trueColor", taking false branch
+gd-2.0.35/gd_topal.c:1815: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1819: cond_true: Condition "oim->transparent >= 0", taking true branch
+gd-2.0.35/gd_topal.c:1823: cond_true: Condition "colorsWanted > maxColors", taking true branch
+gd-2.0.35/gd_topal.c:1827: cond_false: Condition "!cimP", taking false branch
+gd-2.0.35/gd_topal.c:1842: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1857: cond_true: Condition "!cquantize", taking true branch
+gd-2.0.35/gd_topal.c:1857: var_compare_op: Comparing "cquantize" to null implies that "cquantize" might be null.
+gd-2.0.35/gd_topal.c:1860: goto: Jumping to label "outOfMemory"
+gd-2.0.35/gd_topal.c:2027: label: Reached label "outOfMemory"
+gd-2.0.35/gd_topal.c:2028: cond_true: Condition "oim->trueColor", taking true branch
+gd-2.0.35/gd_topal.c:2030: cond_false: Condition "!cimP", taking false branch
+gd-2.0.35/gd_topal.c:2044: else_branch: Reached else branch
+gd-2.0.35/gd_topal.c:2050: cond_true: Condition "i < (32 /* 1 << 5 */)", taking true branch
+gd-2.0.35/gd_topal.c:2052: var_deref_op: Dereferencing null pointer "cquantize".
+
+Error: FORWARD_NULL (CWE-476): [#def7]
+gd-2.0.35/gd_topal.c:1798: cond_false: Condition "cimP", taking false branch
+gd-2.0.35/gd_topal.c:1804: else_branch: Reached else branch
+gd-2.0.35/gd_topal.c:1807: cond_false: Condition "!oim->trueColor", taking false branch
+gd-2.0.35/gd_topal.c:1815: if_end: End of if statement
+gd-2.0.35/gd_topal.c:1819: cond_true: Condition "oim->transparent >= 0", taking true branch
+gd-2.0.35/gd_topal.c:1823: cond_true: Condition "colorsWanted > maxColors", taking true branch
+gd-2.0.35/gd_topal.c:1827: cond_true: Condition "!cimP", taking true branch
+gd-2.0.35/gd_topal.c:1829: cond_true: Condition "!nim->pixels", taking true branch
+gd-2.0.35/gd_topal.c:1829: var_compare_op: Comparing "nim->pixels" to null implies that "nim->pixels" might be null.
+gd-2.0.35/gd_topal.c:1832: goto: Jumping to label "outOfMemory"
+gd-2.0.35/gd_topal.c:2027: label: Reached label "outOfMemory"
+gd-2.0.35/gd_topal.c:2028: cond_true: Condition "oim->trueColor", taking true branch
+gd-2.0.35/gd_topal.c:2030: cond_true: Condition "!cimP", taking true branch
+gd-2.0.35/gd_topal.c:2032: cond_true: Condition "i < nim->sy", taking true branch
+gd-2.0.35/gd_topal.c:2034: var_deref_op: Dereferencing null pointer "nim->pixels".
+
+
+diff -up gd-2.0.35/gd_topal.c.sa4 gd-2.0.35/gd_topal.c
+--- gd-2.0.35/gd_topal.c.sa4 2012-12-10 13:30:19.666363149 +0100
++++ gd-2.0.35/gd_topal.c 2012-12-10 13:37:50.550729535 +0100
+@@ -2029,15 +2029,15 @@ outOfMemory:
+ {
+ if (!cimP) {
+ /* On failure only */
+- for (i = 0; i < nim->sy; i++)
+- {
+- if (nim->pixels[i])
+- {
+- gdFree (nim->pixels[i]);
+- }
+- }
+ if (nim->pixels)
+ {
++ for (i = 0; i < nim->sy; i++)
++ {
++ if (nim->pixels[i])
++ {
++ gdFree (nim->pixels[i]);
++ }
++ }
+ gdFree (nim->pixels);
+ }
+ nim->pixels = 0;
+@@ -2047,27 +2047,27 @@ outOfMemory:
+ }
+ }
+ success:
+- for (i = 0; i < HIST_C0_ELEMS; i++)
+- {
+- if (cquantize->histogram[i])
+- {
+- gdFree (cquantize->histogram[i]);
+- }
+- }
+- if (cquantize->histogram)
+- {
+- gdFree (cquantize->histogram);
+- }
+- if (cquantize->fserrors)
+- {
+- gdFree (cquantize->fserrors);
+- }
+- if (cquantize->error_limiter_storage)
+- {
+- gdFree (cquantize->error_limiter_storage);
+- }
+ if (cquantize)
+ {
++ for (i = 0; i < HIST_C0_ELEMS; i++)
++ {
++ if (cquantize->histogram[i])
++ {
++ gdFree (cquantize->histogram[i]);
++ }
++ }
++ if (cquantize->histogram)
++ {
++ gdFree (cquantize->histogram);
++ }
++ if (cquantize->fserrors)
++ {
++ gdFree (cquantize->fserrors);
++ }
++ if (cquantize->error_limiter_storage)
++ {
++ gdFree (cquantize->error_limiter_storage);
++ }
+ gdFree (cquantize);
+ }
+
diff --git a/gd.spec b/gd.spec
index 2d2dfea..f3a8664 100644
--- a/gd.spec
+++ b/gd.spec
@@ -1,7 +1,7 @@
 Summary: A graphics library for quick creation of PNG or JPEG images
 Name: gd
 Version: 2.0.35
-Release: 19%{?dist}
+Release: 20%{?dist}
 Group: System Environment/Libraries
 License: MIT
 URL: http://www.libgd.org/Main_Page
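Review bot: In the `success:` cleanup the row loop still indexes `cquantize->histogram[i]` before the `if (cquantize->histogram)` test that follows it, so on a path where `cquantize` was allocated but its histogram was not (an `outOfMemory` jump between those two allocations, which happen outside this hunk and should be confirmed) this is the same class of NULL dereference the patch fixes for `cquantize` itself. Move the loop inside the histogram check, as below, which also makes the ordering match the `nim->pixels` fix in the first hunk. The first hunk has a related assumption worth a comment: `if (nim->pixels[i])` is only safe for rows the allocation loop never reached if `nim->pixels` was zero-filled when allocated, e.g. `/* rows past the failed allocation are NULL because pixels was calloc'd */` once that is verified. The enclosing function starts outside the hunk.
```c
  if (cquantize)
    {
      if (cquantize->histogram)
	{
	  for (i = 0; i < HIST_C0_ELEMS; i++)
	    {
	      if (cquantize->histogram[i])
		{
		  gdFree (cquantize->histogram[i]);
		}
	    }
	  gdFree (cquantize->histogram);
	}
      /* ... unchanged: fserrors and error_limiter_storage frees, gdFree (cquantize) ... */
    }
```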
@@ -17,6 +17,10 @@ Patch9: gd-2.0.34-fonts.patch
 Patch10: gd-2.0.35-time.patch
 Patch11: gd-2.0.35-security3.patch
 Patch12: gd-2.0.35-runtests.patch
+Patch13: gd-sa1.patch
+Patch14: gd-sa2.patch
+Patch15: gd-sa3.patch
+Patch16: gd-sa4.patch
 BuildRequires: freetype-devel, fontconfig-devel, libX11-devel, libXpm-devel
 BuildRequires: libjpeg-devel, libpng-devel, zlib-devel, pkgconfig
 # we need cmake for building test suite
@@ -66,6 +70,10 @@ files for gd, a graphics library for creating PNG and JPEG graphics.
 %patch10 -p1 -b .time
 %patch11 -p1 -b .sec3
 %patch12 -p1 -b .runtests
+%patch13 -p1 -b .sa1
+%patch14 -p1 -b .sa2
+%patch15 -p1 -b .sa3
+%patch16 -p1 -b .sa4
 
 %build
 %configure --disable-rpath
@@ -109,6 +117,9 @@ popd
 %{_libdir}/pkgconfig/gdlib.pc
 
 %changelog
+* Mon Mar 25 2013 Honza Horak - 2.0.35-20
+- Fix issues found by Coverity
+
 * Tue Aug 28 2012 Honza Horak - 2.0.35-19
 - Spec file cleanup
 - Compile and run test suite during build
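Review bot: The four new patches are named `gd-sa1.patch` through `gd-sa4.patch`, while every existing entry in this list follows the `gd-2.0.35-<topic>.patch` convention (`gd-2.0.35-time.patch`, `gd-2.0.35-security3.patch`), so a reader cannot tell from the name what each one fixes or which upstream version it was made against; names such as `gd-2.0.35-coverity-leaks.patch` would keep the list self-describing. A one-line comment above `Patch13`, e.g. `# Fixes for Coverity static-analysis findings (leaks, NULL derefs, strcpy bound)`, noting whether they have been sent upstream, would also help the next packager decide whether they can be dropped on the next rebase.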