Hi Andy,

It turns out there was no easy way to give you the Coverity test results directly. For the runs to be useful, you really need a viewer, and we are limited by the licenses as to who can use the viewer.

We have a copy of 0.9.8a in our source tree, and I made the changes to our copy of 0.9.8a. I attached the diffs. I apologize for making these changes against our own copy of the sources; that means the resulting diffs can't be used directly as a patch against your CVS repository since the file revisions will be different. Hopefully this is still useful as you can still use the file names and line numbers. I will work on getting rsync set up and getting a local copy of your CVS repository so I can submit proper patches in the future.

-David

> -----Original Message-----
> From: Andy Polyakov [mailto:[EMAIL PROTECTED]
> Sent: Sunday, December 18, 2005 7:41 AM
> To: openssl-dev@openssl.org; David Hartman
> Cc: Andrew Schnable
> Subject: Re: Problems Identified in Static Source Analysis
>
> Hi,
>
> > We recently ran Coverity, a static source analysis tool, against OpenSSL
> > 0.9.7 and 0.9.8. We found a number of problems such as the potential to
> > access null pointers, lack of error checking on return codes, etc.
> > There are in the neighborhood of 25 errors that we considered worth
> > fixing.
> >
> > Would you like us to contribute these fixes back to the project?
>
> Yes.
>
> > If so,
> > what would be the best format for submitting them?
>
> Coverity report itself by all means preferred, as more eyeballs on
> deciding on what's worth fixing and in which branch is better. If
> disclosure on public list such as openssl-dev is not appropriate, send
> it to openssl-team.
>
> > Would you like the diffs or raw sources?
>
> See "HOW TO CONTRIBUTE TO OpenSSL" paragraph in ./README for formalized
> description.
>
> > Also, which branch would be best?
>
> The normal workflow goes as following: 1. HEAD [see
> http://www.openssl.org/source/repos.html], 2. backport to released
> versions. Backports to 0.9.8 are currently very common, while backports
> to 0.9.7 are rather rare. Meaning that HEAD is by all means preferred,
> but as long as we're not talking about changed functionality or new
> features, 0.9.8 is OK for the moment, as it has not diverged too much.
>
> A.
coverity_8a.diffs