From 9d74090cea256021e68b204c4770a5df28398cbd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 1 May 2017 15:59:09 -0400
Subject: [PATCH 20/22] dp.h: Try to make covscan believe format() is checking
 its bounds.

covscan doesn't grok that size and off wind up being proxies for buf's
NULL check.  Hilarity ensues.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
 src/dp.h | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/dp.h b/src/dp.h
index d6775a6..c14a9ec 100644
--- a/src/dp.h
+++ b/src/dp.h
@@ -28,11 +28,17 @@
 #include "ucs2.h"
 
 #define format(buf, size, off, dp_type, fmt, args...) ({		\
-		ssize_t _x = 0;						\
-		if ((off) >= 0) {					\
-			_x = snprintf(((buf)+(off)),			\
-			       ((size)?((size)-(off)):0),		\
-			       fmt, ## args);				\
+		ssize_t _insize = 0;					\
+		void *_inbuf = NULL;					\
+		if ((buf) != NULL && (size) > 0) {			\
+			_inbuf = (buf) + (off);				\
+			_insize = (size) - (off);			\
+		}							\
+		if ((off) >= 0 &&					\
+		    ((buf == NULL && _insize == 0) ||			\
+		     (buf != NULL && _insize >= 0))) {			\
+			ssize_t _x = 0;					\
+			_x = snprintf(_inbuf, _insize, fmt, ## args);	\
 			if (_x < 0) {					\
 				efi_error(				\
 					"could not build %s DP string",	\
-- 
2.12.2