[PATCH 0/4] v4l-utils: Some fixes for Coverity issues

[PATCH 0/4] v4l-utils: Some fixes for Coverity issues

[Gregor Jasny]

Hello,

the following patches fix issues that the Coverity static analyzer found
in v4l-utils.

Please review.

Thanks,
Gregor

Gregor Jasny (4):
  xc3082: Fix use after free in free_firmware()
  libdvbv5: Fix reallocation in parse_lcn
  rds-ctl: Always terminate strings properly
  libdvbv5: Fix copy and paste error in parse_service()

 lib/libdvbv5/descriptors.c            |  6 +++---
 utils/rds-ctl/rds-ctl.cpp             | 14 +++++++-------
 utils/xc3028-firmware/firmware-tool.c |  2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)

-- 
1.8.3.2

[PATCH 1/4] xc3082: Fix use after free in free_firmware()

[Gregor Jasny]

Detected by Coverity Scanner.

CC: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
 utils/xc3028-firmware/firmware-tool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/xc3028-firmware/firmware-tool.c b/utils/xc3028-firmware/firmware-tool.c
index b2e9de4..a7850df 100644
--- a/utils/xc3028-firmware/firmware-tool.c
+++ b/utils/xc3028-firmware/firmware-tool.c
@@ -86,13 +86,13 @@ static struct firmware* alloc_firmware(void) {
 
 static void free_firmware(struct firmware *f) {
 	free(f->name);
-	free(f->desc);
 	if(f->desc) {
 		unsigned int i = 0;
 		for(i = 0; i < f->nr_desc; ++ i) {
 			free(f->desc[i].data);
 		}
 	}
+	free(f->desc);
 	free(f);
 }
 
-- 
1.8.3.2

[PATCH 2/4] libdvbv5: Fix reallocation in parse_lcn

[Gregor Jasny]

Detected by Coverity.

Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
CC: Mauro Carvalho Chehab <mchehab@infradead.org>
---
 lib/libdvbv5/descriptors.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libdvbv5/descriptors.c b/lib/libdvbv5/descriptors.c
index 73338d8..99d8fa3 100644
--- a/lib/libdvbv5/descriptors.c
+++ b/lib/libdvbv5/descriptors.c
@@ -758,7 +758,7 @@ static void parse_lcn(struct nit_table *nit_table,
 	for (i = 0; i < dlen; i+= 4, p+= 4) {
 		struct lcn_table **lcn = &nit_table->lcn;
 
-		*lcn = realloc(*lcn, (n + 1) * sizeof(*lcn));
+		*lcn = realloc(*lcn, (n + 1) * sizeof(**lcn));
 		(*lcn)[n].service_id = p[0] << 8 | p[1];
 		(*lcn)[n].lcn = (p[2] << 8 | p[3]) & 0x3ff;
 		nit_table->lcn_len++;
-- 
1.8.3.2

[PATCH 3/4] rds-ctl: Always terminate strings properly

[Gregor Jasny]

Detected by Coverity.

Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
CC: Hans Verkuil <hverkuil@xs4all.nl>
---
 utils/rds-ctl/rds-ctl.cpp | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/utils/rds-ctl/rds-ctl.cpp b/utils/rds-ctl/rds-ctl.cpp
index a9fe2a8..74972eb 100644
--- a/utils/rds-ctl/rds-ctl.cpp
+++ b/utils/rds-ctl/rds-ctl.cpp
@@ -762,13 +762,11 @@ static int parse_cl(int argc, char **argv)
 		params.options[(int)opt] = 1;
 		switch (opt) {
 		case OptSetDevice:
-			strncpy(params.fd_name, optarg, 80);
+			strncpy(params.fd_name, optarg, sizeof(params.fd_name));
 			if (optarg[0] >= '0' && optarg[0] <= '9' && strlen(optarg) <= 3) {
-				static char newdev[20];
-
-				sprintf(newdev, "/dev/radio%s", optarg);
-				strncpy(params.fd_name, newdev, 20);
+				snprintf(params.fd_name, sizeof(params.fd_name), "/dev/radio%s", optarg);
 			}
+			params.fd_name[sizeof(params.fd_name) - 1] = '\0';
 			break;
 		case OptSetFreq:
 			params.freq = strtod(optarg, NULL);
@@ -786,7 +784,8 @@ static int parse_cl(int argc, char **argv)
 		{
 			if (access(optarg, F_OK) != -1) {
 				params.filemode_active = true;
-				strncpy(params.fd_name, optarg, 80);
+				strncpy(params.fd_name, optarg, sizeof(params.fd_name));
+				params.fd_name[sizeof(params.fd_name) - 1] = '\0';
 			} else {
 				fprintf(stderr, "Unable to open file: %s\n", optarg);
 				return -1;
@@ -1006,7 +1005,8 @@ int main(int argc, char **argv)
 			fprintf(stderr, "No RDS-capable device found\n");
 			exit(1);
 		}
-		strncpy(params.fd_name, devices[0].c_str(), 80);
+		strncpy(params.fd_name, devices[0].c_str(), sizeof(params.fd_name));
+		params.fd_name[sizeof(params.fd_name) - 1] = '\0';
 		printf("Using device: %s\n", params.fd_name);
 	}
 	if ((fd = test_open(params.fd_name, O_RDONLY | O_NONBLOCK)) < 0) {
-- 
1.8.3.2

[PATCH 4/4] libdvbv5: Fix copy and paste error in parse_service()

[Gregor Jasny]

Detected by Coverity.

Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
CC: Mauro Carvalho Chehab <mchehab@infradead.org>
CC: André Roth <neolynx@gmail.com>
---
 lib/libdvbv5/descriptors.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libdvbv5/descriptors.c b/lib/libdvbv5/descriptors.c
index 99d8fa3..9b6b050 100644
--- a/lib/libdvbv5/descriptors.c
+++ b/lib/libdvbv5/descriptors.c
@@ -787,9 +787,9 @@ static void parse_service(struct dvb_v5_fe_parms *parms, struct service_table *s
 	if (verbose) {
 		if (service_table->provider_name)
 			printf("Provider %s", service_table->provider_name);
-		if (service_table->service_alias)
+		if (service_table->provider_alias)
 			printf("(%s)", service_table->provider_alias);
-		if (service_table->provider_name || service_table->service_alias)
+		if (service_table->provider_name || service_table->provider_alias)
 			printf("\n");
 		if (service_table->service_name)
 			printf("Service %s", service_table->service_name);
-- 
1.8.3.2

Re: [PATCH 3/4] rds-ctl: Always terminate strings properly

[Hans Verkuil]

On Thu 25 July 2013 15:09:33 Gregor Jasny wrote:
> Detected by Coverity.
> 
> Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
> CC: Hans Verkuil <hverkuil@xs4all.nl>

Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>

Thanks!

	Hans

> ---
>  utils/rds-ctl/rds-ctl.cpp | 14 +++++++-------
>  1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/utils/rds-ctl/rds-ctl.cpp b/utils/rds-ctl/rds-ctl.cpp
> index a9fe2a8..74972eb 100644
> --- a/utils/rds-ctl/rds-ctl.cpp
> +++ b/utils/rds-ctl/rds-ctl.cpp
> @@ -762,13 +762,11 @@ static int parse_cl(int argc, char **argv)
>  		params.options[(int)opt] = 1;
>  		switch (opt) {
>  		case OptSetDevice:
> -			strncpy(params.fd_name, optarg, 80);
> +			strncpy(params.fd_name, optarg, sizeof(params.fd_name));
>  			if (optarg[0] >= '0' && optarg[0] <= '9' && strlen(optarg) <= 3) {
> -				static char newdev[20];
> -
> -				sprintf(newdev, "/dev/radio%s", optarg);
> -				strncpy(params.fd_name, newdev, 20);
> +				snprintf(params.fd_name, sizeof(params.fd_name), "/dev/radio%s", optarg);
>  			}
> +			params.fd_name[sizeof(params.fd_name) - 1] = '\0';
>  			break;
>  		case OptSetFreq:
>  			params.freq = strtod(optarg, NULL);
> @@ -786,7 +784,8 @@ static int parse_cl(int argc, char **argv)
>  		{
>  			if (access(optarg, F_OK) != -1) {
>  				params.filemode_active = true;
> -				strncpy(params.fd_name, optarg, 80);
> +				strncpy(params.fd_name, optarg, sizeof(params.fd_name));
> +				params.fd_name[sizeof(params.fd_name) - 1] = '\0';
>  			} else {
>  				fprintf(stderr, "Unable to open file: %s\n", optarg);
>  				return -1;
> @@ -1006,7 +1005,8 @@ int main(int argc, char **argv)
>  			fprintf(stderr, "No RDS-capable device found\n");
>  			exit(1);
>  		}
> -		strncpy(params.fd_name, devices[0].c_str(), 80);
> +		strncpy(params.fd_name, devices[0].c_str(), sizeof(params.fd_name));
> +		params.fd_name[sizeof(params.fd_name) - 1] = '\0';
>  		printf("Using device: %s\n", params.fd_name);
>  	}
>  	if ((fd = test_open(params.fd_name, O_RDONLY | O_NONBLOCK)) < 0) {
>