From 56d0bc01e4f81b308575862a3470c8adc3ed1895 Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 12:46:54 +0530
Subject: [PATCH 1/8] **Uninitialized scalar variable #805** struct ifreq was declared without an initializer before only the ifrn_name field was written. The remaining bytes (ifr_ifru union) were uninitialized when the full struct was passed to setsockopt with SO_BINDTODEVICE. This is undefined behaviour and a potential information leak (CWE-457, Coverity CID 56305). Changing the declaration to struct ifreq interface = {} zero-initializes all fields before use.
---
 Source/core/SocketPort.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Source/core/SocketPort.cpp b/Source/core/SocketPort.cpp
index 30f1fe014..baed050c0 100644
--- a/Source/core/SocketPort.cpp
+++ b/Source/core/SocketPort.cpp
@@ -880,7 +880,7 @@ namespace Thunder {
 // See if we need to bind to a specific interface.
 if ((l_Result != INVALID_SOCKET) && (specificInterface.empty() == false)) {
- struct ifreq interface;
+ struct ifreq interface = {};
 #ifdef __APPLE__
 strncpy(interface.ifr_name, specificInterface.c_str(), IFNAMSIZ - 1);
 int index = if_nametoindex(interface.ifr_name);
From f47cc7f24bf04d5bc1ebd2db1074ec2ef4f3607b Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 12:52:56 +0530
Subject: [PATCH 2/8] Overflowed constant #803: add Coverity annotation to mark a false positive
---
 Source/core/SerialPort.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Source/core/SerialPort.cpp b/Source/core/SerialPort.cpp
index cd9566eb7..06276fd39 100644
--- a/Source/core/SerialPort.cpp
+++ b/Source/core/SerialPort.cpp
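Review bot: An interface name longer than `IFNAMSIZ - 1` is still truncated silently by `strncpy(interface.ifr_name, specificInterface.c_str(), IFNAMSIZ - 1);` in the Source/core/SocketPort.cpp hunk, so the socket could end up bound to a different interface whose name happens to equal that prefix. The `= {}` initializer guarantees the terminator, but not that the requested name was used in full. A length test ahead of the copy, `if (specificInterface.length() >= IFNAMSIZ)` followed by the block's existing failure handling, would make the mismatch explicit. Only the `__APPLE__` branch is visible; the `SO_BINDTODEVICE` path named in the commit message lies past the end of the hunk and presumably copies the name the same way.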
@@ -888,6 +888,9 @@ void SerialPort::Read(const uint16_t readBytes)
 uint32_t size = ::read(_descriptor, reinterpret_cast(&_receiveBuffer[_readBytes]), _receiveBufferSize - _readBytes);
 if ((size != static_cast(~0)) && (size != 0)) {
+ // coverity[INTEGER_OVERFLOW] - Intentional: POSIX read() returns at most the requested count
+ // (_receiveBufferSize - _readBytes), which is a uint16_t difference and thus <= UINT16_MAX.
+ // The sum _readBytes + size therefore never exceeds _receiveBufferSize, so no overflow occurs.
 _readBytes += size;
 if (_readBytes != 0) {
From 4e06ef177a6177b0af4a14bee985f93eab82ae96 Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 14:07:27 +0530
Subject: [PATCH 3/8] Out-of-bounds access #790: add Coverity annotation to mark a false positive
---
 Source/core/SystemInfo.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Source/core/SystemInfo.cpp b/Source/core/SystemInfo.cpp
index ea88cb526..6a69347b4 100644
--- a/Source/core/SystemInfo.cpp
+++ b/Source/core/SystemInfo.cpp
@@ -262,6 +262,8 @@ namespace Core {
 uint64_t CurrentIdleTime = CpuFields[3]; // 3 is index of idle ticks time
 uint64_t CurrentTickCount = 0L;
+ // coverity[OVERRUN] - Intentional: fscanf fills at most 4 fields (matching the 4 format specifiers),
+ // so numFields <= 4 and i < numFields always clamps the loop within CpuFields[0..3].
 for (int i = 0; i < numFields && i < 10; ++i) {
 CurrentTickCount += CpuFields[i];
 }
From 1f59d8ab44322d3d4b6b2ce79f7535a1cbe0c209 Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 14:15:16 +0530
Subject: [PATCH 4/8] Overflowed constant #783: add Coverity annotation to mark a false positive
---
 Source/core/SerialPort.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Source/core/SerialPort.cpp b/Source/core/SerialPort.cpp
index 06276fd39..4221d8cda 100644
--- a/Source/core/SerialPort.cpp
+++ b/Source/core/SerialPort.cpp
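Review bot: The suppression added above `_readBytes += size;` in Source/core/SerialPort.cpp relies on `_readBytes <= _receiveBufferSize` holding before the `::read()` call, and nothing in the hunk enforces that. If the invariant were ever broken, `_receiveBufferSize - _readBytes` would go negative after integer promotion and reach `read()` as a very large count, which is the situation the checker is warning about. Stating the precondition in code ahead of the read, e.g. `assert(_readBytes <= _receiveBufferSize);` spelled with the project's assertion macro, documents it better than prose. The tag is also written as an upper-case checker name here and in the SystemInfo.cpp patch (`INTEGER_OVERFLOW`, `OVERRUN`), while the later patches use lower-case event tags (`overflow_sink`, `overrun`); it is worth confirming the scanner honours both spellings. The member declarations are outside the hunk, so the uint16_t claim in the comment could not be checked.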
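Review bot: The comment added in Source/core/SystemInfo.cpp promises the loop stays within `CpuFields[0..3]`, yet the guard it annotates is `i < 10`, so the two stated bounds disagree and only `numFields` keeps the index in range. Bounding the loop by the array itself, `i < static_cast<int>(sizeof(CpuFields) / sizeof(CpuFields[0]))`, would make the suppression unnecessary. `CpuFields[3]` is also read unconditionally two lines earlier, so when fewer than four fields were parsed `CurrentIdleTime` takes whatever that element was initialised with. The declaration of `CpuFields` and the `fscanf` call are outside the hunk, so the array size here is inferred from the comment only.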
@@ -848,6 +848,9 @@ void SerialPort::Read(const uint16_t readBytes)
 if (_sendOffset < _sendBytes) {
 uint32_t sendSize;
+ // coverity[overflow_sink] - False positive: _sendBytes and _sendOffset are uint16_t (max 65535),
+ // SendData() returns uint16_t, and POSIX guarantees write() returns at most count bytes.
+ // The guard above ensures _sendBytes > _sendOffset, so neither subtraction nor addition can overflow.
 sendSize = write(_descriptor, reinterpret_cast(&_sendBuffer[_sendOffset]), _sendBytes - _sendOffset);
From 36c28123611579268a860d87bbc3a057c71a3ec7 Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 14:54:41 +0530
Subject: [PATCH 5/8] Out-of-bounds access #754 #770: add Coverity annotation to mark a false positive
---
 Source/cryptalgo/HMAC.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Source/cryptalgo/HMAC.h b/Source/cryptalgo/HMAC.h
index 41bea0e88..837047de2 100644
--- a/Source/cryptalgo/HMAC.h
+++ b/Source/cryptalgo/HMAC.h
@@ -70,7 +70,10 @@ namespace Crypto {
 }
 // We have a suitable key, move it to the inner and outer pads
+ // coverity[overrun] - False positive (#754): keyLength is always <= sizeof(_innerKeyPad) (64);
+ // when keyLength == 64 the memset count is 0, so no bytes are written.
 ::memset(&_innerKeyPad[keyLength], 0x36, sizeof(_innerKeyPad) - keyLength);
+ // coverity[overrun] - False positive (#770): same reasoning as above for _outerKeyPad.
 ::memset(&_outerKeyPad[keyLength], 0x5C, sizeof(_outerKeyPad) - keyLength);
 /* XOR key with inner keypad and outer key pad values */
From 7137a82b358dd4b91dbcd027292dc261c21a4401 Mon Sep 17 00:00:00 2001
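Review bot: The reasoning added above the `write()` call in Source/core/SerialPort.cpp covers only the success path: on failure `write()` returns -1, which is stored in the `uint32_t sendSize` as 0xFFFFFFFF. The read path in the same file compares its result against the all-ones error value before using it, but whether `sendSize` gets the equivalent test before it advances `_sendOffset` cannot be seen, because the block continues past the end of the hunk. If the test exists, add a line to the comment such as `// the -1 error return of write() is filtered below before _sendOffset is advanced`. If it does not, the annotation hides a real wrap.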
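Review bot: Both suppressions in Source/cryptalgo/HMAC.h depend on `keyLength <= sizeof(_innerKeyPad)`, which is established by code above the closing brace at the top of the hunk and is not visible here. A violation would make `sizeof(_innerKeyPad) - keyLength` wrap to a very large `size_t` and turn both `memset` calls into out-of-bounds writes next to key material, so the bound deserves an assertion right before them, e.g. `assert(keyLength <= sizeof(_innerKeyPad));` with the project's assertion macro. The comment also hard-codes `(64)`; if the pad size follows the hash's block size, which the hunk does not show, refer to `sizeof(_innerKeyPad)` alone so the text stays true for every instantiation.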
From: workkavint-ship-it
Date: Thu, 21 May 2026 15:23:16 +0530
Subject: [PATCH 6/8] **Fix: Improper use of negative value #757** readlink() returns ssize_t which can be -1 on failure. Assigning the return value directly to size_t caused the negative value to wrap to SIZE_MAX, resulting in an out-of-bounds write when used as an index into info.filename. Added a return value check before indexing.
---
 Source/core/ResourceMonitor.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/core/ResourceMonitor.h b/Source/core/ResourceMonitor.h
index e0522e106..7450ee803 100644
--- a/Source/core/ResourceMonitor.h
+++ b/Source/core/ResourceMonitor.h
@@ -209,8 +209,8 @@ namespace Core {
 char procfn[64];
 snprintf(procfn, sizeof(procfn), "/proc/self/fd/%d", info.descriptor);
- size_t len = readlink(procfn, info.filename, sizeof(info.filename) - 1);
- info.filename[len] = '\0';
+ ssize_t len = readlink(procfn, info.filename, sizeof(info.filename) - 1);
+ info.filename[len >= 0 ? len : 0] = '\0';
 #endif
 #ifdef __WINDOWS__
 info.monitor = 0;
From e7928a381ab7be7f7f79deb1d9c6af4f98ff135d Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Thu, 21 May 2026 15:55:10 +0530
Subject: [PATCH 7/8] **Fix: resource leak on open() returning fd 0 #750 #744 #743 #706 #696** Fixed incorrect open() return value checks in ProcessInfo.cpp (Jiffies, ProcessName, Shared, FindChildren, and Resident). The code previously used > 0, which incorrectly treated file descriptor 0 as failure even though it is a valid return value from open(). Updated all checks to != -1 to follow the correct POSIX convention and prevent potential file descriptor leaks.
---
 Source/core/ProcessInfo.cpp | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Source/core/ProcessInfo.cpp b/Source/core/ProcessInfo.cpp
index 233cad552..0f4809c63 100644
--- a/Source/core/ProcessInfo.cpp
+++ b/Source/core/ProcessInfo.cpp
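Review bot: The new `info.filename[len >= 0 ? len : 0] = '\0';` in Source/core/ResourceMonitor.h folds a failed `readlink()` into an empty name without saying so, and it cannot tell an exact fit from a cut-off target. `readlink()` does not report truncation: a return value equal to `sizeof(info.filename) - 1` means the link target may have been longer, so the recorded name can be a prefix of the real path. A comment on that line, for example `// readlink() failed -> empty name; len == sizeof(info.filename) - 1 may mean a truncated target`, would record both cases for anyone relying on these names in diagnostics.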
@@ -93,7 +93,7 @@ namespace Core {
 snprintf(procpath, sizeof(procpath), "/proc/%u/comm", pid);
- if ((fd = open(procpath, O_RDONLY)) > 0) {
+ if ((fd = open(procpath, O_RDONLY)) != -1) {
 ssize_t size;
 if ((size = read(fd, buffer, maxLength - 1)) > 0) {
 if (buffer[size - 1] == '\n') {
@@ -145,7 +145,7 @@ namespace Core {
 int fd;
 snprintf(buffer, sizeof(buffer), "/proc/%d/stat", pid);
- if ((fd = open(buffer, O_RDONLY)) > 0) {
+ if ((fd = open(buffer, O_RDONLY)) != -1) {
 if (read(fd, buffer, sizeof(buffer) - sizeof(buffer[0])) > 0) {
 int ppid = 0;
 sscanf(buffer, "%*d (%*[^)]) %*c %d", &ppid);
@@ -423,7 +423,7 @@ namespace Core {
 int VmSize = 0;
 snprintf(buffer, sizeof(buffer), "/proc/%d/statm", _pid);
- if ((fd = open(buffer, O_RDONLY)) > 0) {
+ if ((fd = open(buffer, O_RDONLY)) != -1) {
 ssize_t readAmount = 0;
 if ((readAmount = read(fd, buffer, sizeof(buffer))) > 0) {
 ssize_t nulIndex = std::min(readAmount, static_cast(sizeof(buffer) - 1));
@@ -454,7 +454,7 @@ namespace Core {
 int VmRSS = 0;
 snprintf(buffer, sizeof(buffer), "/proc/%d/statm", _pid);
- if ((fd = open(buffer, O_RDONLY)) > 0) {
+ if ((fd = open(buffer, O_RDONLY)) != -1) {
 ssize_t readAmount = 0;
 if ((readAmount = read(fd, buffer, sizeof(buffer))) > 0) {
 ssize_t nulIndex = std::min(readAmount, static_cast(sizeof(buffer) - 1));
@@ -485,7 +485,7 @@ namespace Core {
 int Share = 0;
 snprintf(buffer, sizeof(buffer), "/proc/%d/statm", _pid);
- if ((fd = open(buffer, O_RDONLY)) > 0) {
+ if ((fd = open(buffer, O_RDONLY)) != -1) {
 ssize_t readAmount = 0;
 if ((readAmount = read(fd, buffer, sizeof(buffer))) > 0) {
 ssize_t nulIndex = std::min(readAmount, static_cast(sizeof(buffer) - 1));
From 7fe0123e66d1c048e32346f3a41e3c05d39acf89 Mon Sep 17 00:00:00 2001
From: workkavint-ship-it
Date: Mon, 25 May 2026 11:45:47 +0530
Subject: [PATCH 8/8] Fix incorrect file descriptor check after open() in ProcessInfo mentioned by copilot
---
 Source/core/ProcessInfo.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
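Review bot: In the `@@ -145` hunk of Source/core/ProcessInfo.cpp the result of `read()` is only compared with 0 and then dropped, so `sscanf(buffer, "%*d (%*[^)]) %*c %d", &ppid);` parses a buffer that has no terminator written at the end of the data just read; unless `buffer` is zero-initialised outside the hunk, the scan can run on into stale bytes. Keeping the count and terminating closes that: `ssize_t n = read(fd, buffer, sizeof(buffer) - sizeof(buffer[0]));` then `if (n > 0) { buffer[n] = '\0';`. The `%*[^)]` conversion also stops at the first `)`, and a process name may itself contain one, in which case `ppid` silently stays 0; locating the last `)` before parsing the remaining fields is the usual way to read `/proc/<pid>/stat`. The `!= -1` test itself is right in all five hunks of this patch.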
diff --git a/Source/core/ProcessInfo.cpp b/Source/core/ProcessInfo.cpp
index 0f4809c63..f187a1ad6 100644
--- a/Source/core/ProcessInfo.cpp
+++ b/Source/core/ProcessInfo.cpp
@@ -93,7 +93,7 @@ namespace Core {
 snprintf(procpath, sizeof(procpath), "/proc/%u/comm", pid);
- if ((fd = open(procpath, O_RDONLY)) != -1) {
+ if ((fd = open(procpath, O_RDONLY)) > 0) {
 ssize_t size;
 if ((size = read(fd, buffer, maxLength - 1)) > 0) {
 if (buffer[size - 1] == '\n') {
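Review bot: The `> 0` test on the `open()` result in the `/proc/%u/comm` reader is wrong again after this patch: it restores exactly the condition that PATCH 7/8 replaced, and leaves this call site inconsistent with the other four in Source/core/ProcessInfo.cpp. `open()` reports failure only with -1; descriptor 0 is a valid result whenever stdin has been closed, which is common for daemons. With `> 0` such a descriptor is treated as a failure and, assuming the matching `close()` sits inside the branch (it is outside the hunk), is never closed. The line should stay `if ((fd = open(procpath, O_RDONLY)) != -1) {`, as the PATCH 7/8 description itself explains.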