Fix some issues reported by CoverityScan service

binr/rabin2/rabin2.c

@@ -427,7 +427,7 @@ int main(int argc, char **argv) {
 		if (p2) {
 			// has data
 			*p2++ = 0;
-			data = malloc (strlen (p2));
+			data = malloc (strlen (p2)+1);
 			datalen = r_hex_str2bin (p2, data);
 		} else {
 			data = NULL;

libr/anal/anal.c

@@ -231,7 +231,7 @@ R_API RAnalOp *r_anal_op_hexstr(RAnal *anal, ut64 addr, const char *str) {
 	int len;
 	ut8 *buf;
 	RAnalOp *op = R_NEW0 (RAnalOp);
-	buf = malloc (strlen (str));
+	buf = malloc (strlen (str)+1);
 	len = r_hex_str2bin (str, buf);
 	r_anal_op (anal, op, addr, buf, len);
 	return op;

libr/anal/meta.c

@@ -109,6 +109,7 @@ R_API int r_meta_cleanup(RMeta *m, ut64 from, ut64 to) {
 		return R_TRUE;
 	}
 	/* No _safe loop necessary because we break immediately after the delete. */
+	if (m)
 	r_list_foreach (m->data, iter, d) {
 		switch (d->type) {
 		case R_META_TYPE_CODE:

libr/anal/types.c

@@ -77,6 +77,7 @@ R_API int r_anal_type_frame (RAnal *anal, ut64 addr, const char *type, const cha
 R_API int r_anal_type_frame_del (RAnal *anal, ut64 addr, const char *name) {
 	//"(-)frame.%08"PFMT64x"=%s", addr, name
 	//"frame.%08"PFMT64x".%s=", addr, name
+	return R_TRUE;
 }
 
 R_API int r_anal_type_link (RAnal *anal, const char *val, ut64 addr) {

libr/asm/arch/x86/ollyasm/assembl.c

@@ -717,10 +717,10 @@ int Assemble(char *cmd,ulong ip,t_asmmodel *model,int attempt,
   nameend=asmcmd;
   strupr(sdata);
   // Prepare full mnemonic (including repeat prefix, if any).
-  if (rep==SCAN_REP) sprintf(name,"REP %s",sdata);
-  else if (rep==SCAN_REPE) sprintf(name,"REPE %s",sdata);
-  else if (rep==SCAN_REPNE) sprintf(name,"REPNE %s",sdata);
-  else strcpy(name,sdata);
+  if (rep==SCAN_REP) snprintf(name,sizeof(name)-1,"REP %s",sdata);
+  else if (rep==SCAN_REPE) snprintf(name,sizeof(name)-1,"REPE %s",sdata);
+  else if (rep==SCAN_REPNE) snprintf(name,sizeof(name)-1,"REPNE %s",sdata);
+  else strncpy(name,sdata, sizeof(name)-1);
   Scanasm(0);
   // Parse command operands (up to 3). Note: jump address is always the first
   // (and only) operand in actual command set.

libr/bin/format/mach0/mach0.c

@@ -647,10 +647,10 @@ struct r_bin_mach0_reloc_t* MACH0_(r_bin_mach0_get_relocs)(struct MACH0_(r_bin_m
 
 	if (bin->dyld_info) {
 		ut8 *opcodes, *p, *end, type, rel_type;
-		int lib_ord, seg_idx, sym_ord = -1, wordsize;
+		int lib_ord, seg_idx = -1, sym_ord = -1, wordsize;
 		size_t j, count, skip, bind_size, lazy_size;
 		st64 addend = 0;
-		ut64 addr;
+		ut64 addr = 0LL;
 
 		wordsize = MACH0_(r_bin_mach0_get_bits)(bin) / 8;
 #define CASE(T) case (T / 8): rel_type = R_BIN_RELOC_ ## T; break
@@ -808,7 +808,8 @@ struct r_bin_mach0_addr_t* MACH0_(r_bin_mach0_get_entrypoint)(struct MACH0_(r_bi
 	if (bin->entry) {
 		entry->offset = MACH0_(r_bin_mach0_addr_to_offset)(bin, bin->entry);
 		entry->addr = bin->entry;
-	} 
+	}
+	entry->addr = 0LL;
 	if (!bin->entry || (entry->offset==0)) {
 		// XXX: section name doesnt matters at all.. just check for exec flags
 		for (i = 0; i < bin->nsects; i++) {
@@ -816,7 +817,7 @@ struct r_bin_mach0_addr_t* MACH0_(r_bin_mach0_get_entrypoint)(struct MACH0_(r_bi
 				entry->offset = (ut64)bin->sects[i].offset;
 				entry->addr = (ut64)bin->sects[i].addr;
 				if (entry->addr==0) // workaround for object files
-					entry->addr=entry->offset;
+					entry->addr = entry->offset;
 				break;
 			}
 		}

libr/bin/format/pe/pe.c

@@ -455,7 +455,7 @@ struct r_bin_pe_lib_t* PE_(r_bin_pe_get_libs)(struct PE_(r_bin_pe_obj_t) *bin) {
 		}
 	}
 	for (i = 0; i < j; i++) {
-		libs[i].name[PE_STRING_LENGTH] = '\0';
+		libs[i].name[PE_STRING_LENGTH-1] = '\0';
 		libs[i].last = 0;
 	}
 	libs[i].last = 1;
@@ -641,7 +641,7 @@ struct r_bin_pe_section_t* PE_(r_bin_pe_get_sections)(struct PE_(r_bin_pe_obj_t)
 	}
 	for (i = 0; i < sections_count; i++) {
 		memcpy (sections[i].name, shdr[i].Name, PE_IMAGE_SIZEOF_SHORT_NAME);
-		sections[i].name[PE_IMAGE_SIZEOF_SHORT_NAME] = '\0';
+		sections[i].name[PE_IMAGE_SIZEOF_SHORT_NAME-1] = '\0';
 		sections[i].rva = shdr[i].VirtualAddress;
 		sections[i].size = shdr[i].SizeOfRawData;
 		sections[i].vsize = shdr[i].Misc.VirtualSize;

libr/core/asm.c

@@ -188,11 +188,14 @@ static int prune_hits_in_hit_range(RList *hits, RCoreAsmHit *hit){
 	end_range =  hit->addr +  hit->len;
 	r_list_foreach_safe (hits, iter, iter_tmp, to_check_hit){
 		if (to_check_hit && is_hit_inrange(to_check_hit, start_range, end_range)) {
-			IFDBG eprintf ("Found hit that clashed (start: 0x%"PFMT64x" - end: 0x%"PFMT64x" ), 0x%"PFMT64x" len: %d (valid: %d 0x%"PFMT64x" - 0x%"PFMT64x")\n", start_range, end_range, 
-					to_check_hit->addr, to_check_hit->len, to_check_hit->valid, to_check_hit->addr, to_check_hit->addr+to_check_hit->len);
+			IFDBG eprintf ("Found hit that clashed (start: 0x%"PFMT64x
+				" - end: 0x%"PFMT64x" ), 0x%"PFMT64x" len: %d (valid: %d 0x%"PFMT64x
+				" - 0x%"PFMT64x")\n", start_range, end_range, to_check_hit->addr,
+				to_check_hit->len, to_check_hit->valid, to_check_hit->addr,
+				to_check_hit->addr+to_check_hit->len);
 			// XXX - could this be a valid decode instruction we are deleting?
 			r_list_delete (hits, iter);
-			iter->data = NULL;
+			//iter->data = NULL;
 			to_check_hit = NULL;
 			result ++;
 		} 

libr/core/cmd.c

@@ -1156,6 +1156,7 @@ next2:
 		const char *offstr;
 		char *f, *ptr2 = strchr (ptr+1, '!');
 		int sz, len;
+		addr = 0LL;
 		tmpoff = core->offset;
 		tmpbsz = core->blocksize;
 
@@ -1185,7 +1186,7 @@ repeat_arroba:
 				break;
 			case '8':
 			case 'b':
-				buf = malloc (strlen (ptr+2));
+				buf = malloc (strlen (ptr+2)+1);
 				if (!buf) {
 					eprintf ("cannot allocate\n");
 					return R_FALSE;

libr/core/cmd_anal.c

@@ -291,7 +291,7 @@ static int cmd_anal(void *data, const char *input) {
 	case '8': // TODO: rename to 'ab'?
 		if (input[1]==' ') {
 			int len;
-			ut8 *buf = malloc (strlen (input));
+			ut8 *buf = malloc (strlen (input)+1);
 			len = r_hex_str2bin (input+2, buf);
 			if (len>0)
 				r_core_anal_bytes (core, buf, len, 0);

libr/core/cmd_cmp.c

@@ -204,7 +204,7 @@ static int cmd_cmp(void *data, const char *input) {
 			eprintf ("Usage: cx 001122'\n");
 			return 0;
 		}
-		buf = (ut8*)malloc (strlen (input+2));
+		buf = (ut8*)malloc (strlen (input+2)+1);
 		ret = r_hex_str2bin (input+2, buf);
 		if (ret<1) eprintf ("Cannot parse hexpair\n");
 		else radare_compare (core, core->block, buf, ret);

libr/core/cmd_meta.c

@@ -244,8 +244,8 @@ static int cmd_meta(void *data, const char *input) {
 					if (pattern && varsub)
 					for (i = 0; i < R_ANAL_VARSUBS; i++)
 						if (f->varsubs[i].pat[0] == '\0' || !strcmp (f->varsubs[i].pat, pattern)) {
-							strncpy (f->varsubs[i].pat, pattern, 1023);
-							strncpy (f->varsubs[i].sub, varsub, 1023);
+							strncpy (f->varsubs[i].pat, pattern, sizeof (f->varsubs[i].pat)-1);
+							strncpy (f->varsubs[i].sub, varsub, sizeof (f->varsubs[i].sub)-1);
 							break;
 						}
 				} else eprintf ("Error: Function not found\n");

libr/core/cmd_search.c

@@ -54,7 +54,7 @@ R_API int r_core_search_preludes(RCore *core) {
 	ut64 to = core->offset+0xffffff; // hacky!
 	// TODO: this is x86 only
 	if (prelude && *prelude) {
-		ut8 *kw = malloc (strlen (prelude));
+		ut8 *kw = malloc (strlen (prelude)+1);
 		int kwlen = r_hex_str2bin (prelude, kw);
 		ret = r_core_search_prelude (core, from, to, kw, kwlen, NULL, 0);
 		free (kw);
@@ -244,7 +244,6 @@ static int r_core_search_rop(RCore *core, ut64 from, ut64 to, int opt) {
 	RAnalOp aop;
 	int roplen, i, delta = to-from;
 	ut64 ropat;
-	int oplen = 0;
 	if (delta<1)
 		return R_FALSE;
 	buf = malloc (delta);
@@ -252,6 +251,7 @@ static int r_core_search_rop(RCore *core, ut64 from, ut64 to, int opt) {
 	for (i=0; i<delta; i++) {
 		if (r_anal_op (core->anal, &aop, from+i, buf+i, delta-i)) {
 			int ret = r_asm_disassemble (core->assembler, &asmop, buf+i, delta-i);
+			if (ret>0)
 			switch (aop.type) {
 			case R_ANAL_OP_TYPE_TRAP:
 			case R_ANAL_OP_TYPE_RET:

libr/core/io.c

@@ -61,7 +61,7 @@ R_API int r_core_write_op(RCore *core, const char *arg, char op) {
 
 	// XXX we can work with config.block instead of dupping it
 	buf = (ut8 *)malloc (core->blocksize);
-	str = (char *)malloc (strlen (arg));
+	str = (char *)malloc (strlen (arg)+1);
 	if (buf == NULL || str == NULL)
 		goto beach;
 	memcpy (buf, core->block, core->blocksize);

libr/db/db.c

@@ -65,8 +65,8 @@ static int _r_db_add_internal(struct r_db_t *db, int key, void *b) {
 			block->data[0] = b;
 			block->data[1] = NULL;
 		} else {
-			for(len=0;block->data[len];len++);
-			block->data = realloc(block->data, sizeof(void *)*(len+1));
+			for (len=0; block->data[len]; len++);
+			block->data = realloc (block->data, sizeof (void *)*(len+2));
 			block->data[len] = b;
 			block->data[len+1] = NULL;
 		}

libr/flags/flags.c

@@ -261,10 +261,12 @@ R_API int r_flag_rename(RFlag *f, RFlagItem *item, const char *name) {
 	if (list) {
 		RFlagItem *item = r_list_get_top (list);
 		if (r_list_empty (list)) {
-			r_list_free (list);
+			//r_list_free (list);
 			r_hashtable64_remove (f->ht_name, hash);
+		} else {
+			r_hashtable64_remove (f->ht_name, hash);
+			r_list_delete_data (list, item);
 		}
-		r_list_delete_data (list, item);
 		if (!r_flag_item_set_name (item, name)) {
 			r_list_append (list, item);
 			return R_FALSE;

libr/fs/fs.c

@@ -496,7 +496,7 @@ R_API char *r_fs_name (RFS *fs, ut64 offset) {
 
 	for (i=0; fstypes[i].name; i++) {
 		RFSType *f = &fstypes[i];
-		len = R_MIN (f->buflen, sizeof (buf));
+		len = R_MIN (f->buflen, sizeof (buf)-1);
 		fs->iob.read_at (fs->iob.io, offset + f->bufoff, buf, len);
 		if (f->buflen>0 && !memcmp (buf, f->buf, f->buflen)) {
 			ret = R_TRUE;
@@ -606,17 +606,18 @@ R_API int r_fs_prompt (RFS *fs, const char *root) {
 				eprintf ("%s %s\n", r->path, r->p->name);
 			}
 		} else if (!memcmp (buf, "get ", 4)) {
+			char *s;
 			input = buf+3;
 			while (input[0] == ' ')
 				input++;
+			s = malloc (strlen (str) + strlen (input) + 2);
 			if (input[0] == '/') {
-				if (root)
-					strncpy (str, root, sizeof (str)-1);
-				else str[0] = 0;
-			} else strncpy (str, path, sizeof (str)-1);
-			strcat (str, "/");
-			strcat (str, input);
-			file = r_fs_open (fs, str);
+				if (root) strcpy (s, root);
+				else *s = 0;
+			} else strcpy (s, path);
+			strcat (s, "/");
+			strcat (s, input);
+			file = r_fs_open (fs, s);
 			if (file) {
 				r_fs_read (fs, file, 0, file->size);
 				r_file_dump (input, file->data, file->size);
@@ -625,9 +626,10 @@ R_API int r_fs_prompt (RFS *fs, const char *root) {
 			} else {
 				input -= 2; //OMFG!!!! O_O
 				memcpy (input, "./", 2);
-				if (!r_fs_dir_dump (fs, str, input))
+				if (!r_fs_dir_dump (fs, s, input))
 					printf ("Cannot open file\n");
 			}
+			free (s);
 		} else if (!memcmp (buf, "help", 4) || !strcmp (buf, "?")) {
 			eprintf (
 			"Commands:\n"

libr/magic/apprentice.c

@@ -1725,23 +1725,24 @@ static int apprentice_compile(RMagic *ms, struct r_magic **magicp, ut32 *nmagicp
 
 	if (write(fd, ar, sizeof(ar)) != (ssize_t)sizeof(ar)) {
 		file_error(ms, errno, "error writing `%s'", dbname);
-		goto out;
+		goto beach;
 	}
 
 	if (lseek(fd, (off_t)sizeof(struct r_magic), SEEK_SET)
 	    != sizeof(struct r_magic)) {
 		file_error(ms, errno, "error seeking `%s'", dbname);
-		goto out;
+		goto beach;
 	}
 
 	if (write(fd, *magicp, (sizeof(struct r_magic) * *nmagicp)) 
 	    != (ssize_t)(sizeof(struct r_magic) * *nmagicp)) {
 		file_error(ms, errno, "error writing `%s'", dbname);
-		goto out;
+		goto beach;
 	}
 
-	(void)close(fd);
 	rv = 0;
+beach:
+	(void)close(fd);
 out:
 	free(dbname);
 	return rv;

libr/search/keyword.c

@@ -55,8 +55,8 @@ R_API RSearchKeyword* r_search_keyword_new_hex(const char *kwstr, const char *bm
 	ut8 *kw, *bm;
 	int bmlen, kwlen;
 	if (kwstr != NULL) {
-		kw = malloc (strlen (kwstr));
-		bm = malloc (strlen (bmstr));
+		kw = malloc (strlen (kwstr)+1);
+		bm = malloc (strlen (bmstr)+1);
 		if (kw != NULL && bm != NULL) {
 			bmlen = r_hex_str2bin (bmstr, (ut8*)bm);
 			kwlen = r_hex_str2bin (kwstr, (ut8*)kw);

libr/util/str.c

@@ -1236,3 +1236,5 @@ R_API void r_str_truncate_cmd(char *string) {
 		}
 	}
 }
+
+// STATIC/DYNAMIC STRINGS API

libr/util/sys.c

@@ -282,14 +282,14 @@ R_API int r_sys_cmd_str_full(const char *cmd, const char *input, char **output,
 		if (pipe (sh_out)) {
 			close (sh_in[0]);
 			close (sh_in[1]);
+			close (sh_out[0]);
+			close (sh_out[1]);
 			return R_FALSE;
 		}
 	}
 	if (pipe (sh_err)) {
 		close (sh_in[0]);
 		close (sh_in[1]);
-		close (sh_out[0]);
-		close (sh_out[1]);
 		return R_FALSE;
 	}
 
@@ -589,7 +589,7 @@ R_API char *r_sys_pid_to_path(int pid) {
 	int ret;
 	char buf[128], pathbuf[1024];
 	snprintf (buf, sizeof (buf), "/proc/%d/exe", pid);
-	ret = readlink (buf, pathbuf, sizeof (pathbuf));
+	ret = readlink (buf, pathbuf, sizeof (pathbuf)-1);
 	if (ret<1)
 		return NULL;
 	pathbuf[ret] = 0;

shlr/java/class.c

@@ -950,9 +950,9 @@ R_API RBinJavaAttrInfo* r_bin_java_get_attr_from_field(RBinJavaField *field, R_B
 		rvalue: NULL or the first occurrence of attr_type after pos
 	
 	*/
-	RBinJavaAttrInfo *attr, *item;
+	RBinJavaAttrInfo *attr = NULL, *item;
 	RListIter *iter; 
-	ut32 i;
+	ut32 i = 0;
 
 	if (field) {
 		r_list_foreach (field->attributes, iter, item) {