[mariadb/f18] Add Coverity patches to git

Honza Horak hhorak at fedoraproject.org
Mon Oct 14 15:16:00 UTC 2013 

commit e1a5cda9476db8db9b46acaff781df6ab2327fb3
Author: Honza Horák <hhorak at redhat.com>
Date:   Mon Oct 14 16:02:47 2013 +0200

    Add Coverity patches to git

 mariadb-covscan-signexpr.patch    |   16 ++++++++
 mariadb-covscan-stroverflow.patch |   73 +++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 0 deletions(-)
---
diff --git a/mariadb-covscan-signexpr.patch b/mariadb-covscan-signexpr.patch
new file mode 100644
index 0000000..1bbb3db
--- /dev/null
+++ b/mariadb-covscan-signexpr.patch
@@ -0,0 +1,16 @@
+This issue has been found by Coverity - static analysis tool.
+
+mysql-5.5.31/strings/ctype-ucs2.c:1707:sign_extension – Suspicious implicit sign extension: "s[0]" with type "unsigned char" (8 bits, unsigned) is promoted in "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "(s[0] << 24) + (s[1] << 16) + (s[2] << 8) + s[3]" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
+
+diff -up mysql-5.5.31/strings/ctype-ucs2.c.covscan1 mysql-5.5.31/strings/ctype-ucs2.c
+--- mysql-5.5.31/strings/ctype-ucs2.c.covscan1	2013-06-14 12:12:29.663300314 +0200
++++ mysql-5.5.31/strings/ctype-ucs2.c	2013-06-14 12:13:07.809299646 +0200
+@@ -1704,7 +1704,7 @@ my_utf32_uni(CHARSET_INFO *cs __attribut
+ {
+   if (s + 4 > e)
+     return MY_CS_TOOSMALL4;
+-  *pwc= (s[0] << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
++  *pwc= (((my_wc_t)s[0]) << 24) + (s[1] << 16) + (s[2] << 8) + (s[3]);
+   return 4;
+ }
+ 
diff --git a/mariadb-covscan-stroverflow.patch b/mariadb-covscan-stroverflow.patch
new file mode 100644
index 0000000..d671b45
--- /dev/null
+++ b/mariadb-covscan-stroverflow.patch
@@ -0,0 +1,73 @@
+The following problems have been found by Coverity - static analysis tool.
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:672:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. 
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:661:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function. 
+
+mysql-5.5.31/plugin/semisync/semisync_master.cc:555:parameter_as_source – Note: This defect has an elevated risk because the source argument is a parameter of the current function.
+
+diff -up mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow mysql-5.5.31/plugin/semisync/semisync_master.cc
+--- mysql-5.5.31/plugin/semisync/semisync_master.cc.covscan-stroverflow	2013-06-17 09:04:47.214621154 +0200
++++ mysql-5.5.31/plugin/semisync/semisync_master.cc	2013-06-17 09:08:32.189617218 +0200
+@@ -552,7 +552,8 @@ int ReplSemiSyncMaster::reportReplyBinlo
+ 
+   if (need_copy_send_pos)
+   {
+-    strcpy(reply_file_name_, log_file_name);
++    strncpy(reply_file_name_, log_file_name, sizeof(reply_file_name_)-1);
++    reply_file_name_[sizeof(reply_file_name_)-1] = '\0';
+     reply_file_pos_ = log_file_pos;
+     reply_file_name_inited_ = true;
+ 
+@@ -658,7 +659,8 @@ int ReplSemiSyncMaster::commitTrx(const
+         if (cmp <= 0)
+ 	{
+           /* This thd has a lower position, let's update the minimum info. */
+-          strcpy(wait_file_name_, trx_wait_binlog_name);
++          strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
++          wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
+           wait_file_pos_ = trx_wait_binlog_pos;
+ 
+           rpl_semi_sync_master_wait_pos_backtraverse++;
+@@ -669,7 +671,8 @@ int ReplSemiSyncMaster::commitTrx(const
+       }
+       else
+       {
+-        strcpy(wait_file_name_, trx_wait_binlog_name);
++        strncpy(wait_file_name_, trx_wait_binlog_name, sizeof(wait_file_name_)-1);
++        wait_file_name_[sizeof(wait_file_name_)-1] = '\0';
+         wait_file_pos_ = trx_wait_binlog_pos;
+         wait_file_name_inited_ = true;
+ 
+
+mysql-5.5.31/sql/rpl_handler.cc:306:fixed_size_dest – You might overrun the 512 byte fixed-size string "log_info->log_file" by copying "log_file + dirname_length(log_file)" without checking the length. diff -up mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow mysql-5.5.31/sql/rpl_handler.cc
+
+--- mysql-5.5.31/sql/rpl_handler.cc.covscan-stroverflow	2013-06-17 10:51:04.940509594 +0200
++++ mysql-5.5.31/sql/rpl_handler.cc	2013-06-17 10:51:08.959509523 +0200
+@@ -303,7 +303,8 @@ int Binlog_storage_delegate::after_flush
+     my_pthread_setspecific_ptr(RPL_TRANS_BINLOG_INFO, log_info);
+   }
+     
+-  strcpy(log_info->log_file, log_file+dirname_length(log_file));
++  strncpy(log_info->log_file, log_file+dirname_length(log_file), sizeof(log_info->log_file)-1);
++  log_info->log_file[sizeof(log_info->log_file)-1] = '\0';
+   log_info->log_pos = log_pos;
+   
+   int ret= 0;
+
+
+mysql-5.5.31/sql/sp_rcontext.h:87:buffer_size_warning – Calling strncpy with a maximum size argument of 512 bytes on destination array "this->m_message" of size 512 bytes might leave the destination string unterminated. 
+
+diff -up mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow mysql-5.5.31/sql/sp_rcontext.h
+--- mysql-5.5.31/sql/sp_rcontext.h.covscan-stroverflow	2013-06-17 13:28:32.540344334 +0200
++++ mysql-5.5.31/sql/sp_rcontext.h	2013-06-17 13:29:23.673343443 +0200
+@@ -84,7 +84,8 @@ public:
+     memcpy(m_sql_state, sqlstate, SQLSTATE_LENGTH);
+     m_sql_state[SQLSTATE_LENGTH]= '\0';
+ 
+-    strncpy(m_message, msg, MYSQL_ERRMSG_SIZE);
++    strncpy(m_message, msg, sizeof(m_message)-1);
++    m_message[sizeof(m_message)-1] = '\0';
+   }
+ 
+   void clear()

More information about the scm-commits mailing list