Fixes for scan-build warnings with ASN, PKCS12 and PKCS7.

wolfcrypt/src/asn.c

@@ -3818,7 +3818,7 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz,
     const byte** n, word32* nSz, const byte** e, word32* eSz)
 {
     int ret = 0;
-    int length;
+    int length = 0;
 #if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA)
     byte b;
 #endif
@@ -12369,10 +12369,11 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file)
         WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem");
         return MEMORY_E;
     }
+    derSz = MAX_PUBLIC_KEY_SZ;
 
-    derSz = wc_PemPubKeyToDer(file, der, MAX_PUBLIC_KEY_SZ);
-    if (derSz <= 0)
-    {
+    XMEMSET(der, 0, derSz);
+    derSz = wc_PemPubKeyToDer(file, der, derSz);
+    if (derSz <= 0) {
         XFREE(der, cert->heap, DYNAMIC_TYPE_CERT);
         return derSz;
     }

wolfcrypt/src/pkcs12.c

@@ -416,7 +416,7 @@ static int GetSignData(WC_PKCS12* pkcs12, const byte* mem, word32* idx,
         ERROR_OUT(ASN_PARSE_E, exit_gsd);
     }
 
-    if ((ret = GetLength(mem, &curIdx, &size, totalSz)) <= 0) {
+    if ((ret = GetLength(mem, &curIdx, &size, totalSz)) < 0) {
         goto exit_gsd;
     }
     mac->saltSz = size;
@@ -1050,7 +1050,7 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
                     /* put the new node into the list */
                     if (certList != NULL) {
                         WOLFSSL_MSG("Pushing new cert onto queue");
-                        tailList->next = node;
+                        certList->next = node;
                         tailList = node;
                     }
                     else {
@@ -1108,6 +1108,7 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
         /* free list, not wanted */
         wc_FreeCertList(certList, pkcs12->heap);
     }
+    (void)tailList; /* not used */
 
     ret = 0; /* success */
 

wolfcrypt/src/pkcs7.c

@@ -5464,6 +5464,14 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
         issuerSKIDSeqSz = SetExplicit(0, issuerSKIDSz + KEYID_SIZE,
                                       issuerSKIDSeq);
     } else {
+        FreeDecodedCert(decoded);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(serial,       pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(keyAlgArray,  pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(decoded,      pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return PKCS7_RECIP_E;
     }
 
@@ -6731,7 +6739,7 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
     word32 recipSeqSz = 0, verSz = 0;
     word32 kekIdSeqSz = 0, kekIdOctetStrSz = 0;
     word32 otherAttSeqSz = 0, encAlgoIdSz = 0, encKeyOctetStrSz = 0;
-    word32 encryptedKeySz;
+    int encryptedKeySz;
 
     int timeSz = 0;
 #ifndef NO_ASN_TIME
@@ -6783,15 +6791,19 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
     encryptedKeySz = wc_PKCS7_KeyWrap(pkcs7->cek, pkcs7->cekSz, kek, kekSz,
                                       encryptedKey, encryptedKeySz, keyWrapOID,
                                       direction);
-    if (encryptedKeySz <= 0) {
+    if (encryptedKeySz < 0) {
     #ifdef WOLFSSL_SMALL_STACK
         XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
     #endif
         XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return encryptedKeySz;
     }
-
-    if (encryptedKeySz > MAX_ENCRYPTED_KEY_SZ) {
+    /* handle a zero size encKey case as WC_KEY_SIZE_E */
+    if (encryptedKeySz == 0 || encryptedKeySz > MAX_ENCRYPTED_KEY_SZ) {
+    #ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
+    #endif
+        XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
         return WC_KEY_SIZE_E;
     }