From be99c6e2c0515088b7974f154d16cc689d4e952b Mon Sep 17 00:00:00 2001
From: aidan garske <aidangarske03@gmail.com>
Date: Mon, 22 Jun 2026 18:09:14 -0700
Subject: [PATCH] Fix Coverity DEADCODE findings in COSE MAC and CBOR decode
 paths

---
 README.md           |  4 ++++
 src/wolfcose.c      | 12 ------------
 src/wolfcose_cbor.c |  7 ++-----
 3 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/README.md b/README.md
index 7899374..cf196a5 100644
--- a/README.md
+++ b/README.md
@@ -165,6 +165,10 @@ make coverage                  # Run tests with gcov
 make coverage-force-failure    # Include crypto failure path testing
 ```
 
+<a href="https://scan.coverity.com/projects/wolfcose">
+  <img alt="Coverity Scan Build Status"
+       src="https://scan.coverity.com/projects/32918/badge.svg"/>
+</a>
 <a href="https://github.com/wolfSSL/wolfCOSE/actions">
   <img alt="CI Status"
        src="https://img.shields.io/github/actions/workflow/status/wolfSSL/wolfCOSE/build-test.yml?label=CI&logo=github"/>
diff --git a/src/wolfcose.c b/src/wolfcose.c
index c4c4ca9..47d24a2 100644
--- a/src/wolfcose.c
+++ b/src/wolfcose.c
@@ -6105,10 +6105,6 @@ int wc_CoseMac0_Create(const WOLFCOSE_KEY* key, int32_t alg,
         (payload == NULL) && (detachedPayload == NULL)) {
         ret = WOLFCOSE_E_INVALID_ARG;
     }
-    if ((ret == WOLFCOSE_SUCCESS) &&
-        (macPayload == NULL) && (macPayloadLen > 0u)) {
-        ret = WOLFCOSE_E_INVALID_ARG;
-    }
     /* Reject inconsistent (kid, kidLen) so the kid is never silently dropped. */
     if ((ret == WOLFCOSE_SUCCESS) &&
         (((kid != NULL) && (kidLen == 0u)) ||
@@ -7859,10 +7855,6 @@ int wc_CoseMac_Create(const WOLFCOSE_RECIPIENT* recipients,
                 ret = WOLFCOSE_E_CRYPTO;
             }
         }
-        if (hmacInited != 0) {
-            (void)wc_HmacFree(&hmac);
-            hmacInited = 0;
-        }
     }
     else
 #endif /* WOLFCOSE_HAVE_HMAC */
@@ -8275,10 +8267,6 @@ int wc_CoseMac_Verify(const WOLFCOSE_RECIPIENT* recipient,
                 ret = WOLFCOSE_E_CRYPTO;
             }
         }
-        if (hmacInited != 0) {
-            (void)wc_HmacFree(&hmac);
-            hmacInited = 0;
-        }
     }
     else
 #endif /* WOLFCOSE_HAVE_HMAC */
diff --git a/src/wolfcose_cbor.c b/src/wolfcose_cbor.c
index 3a0011c..ae66cc4 100644
--- a/src/wolfcose_cbor.c
+++ b/src/wolfcose_cbor.c
@@ -233,14 +233,11 @@ int wolfCose_CBOR_DecodeHead(WOLFCOSE_CBOR_CTX* ctx, WOLFCOSE_CBOR_ITEM* item)
             }
         }
 
-        /* Advance past bstr/tstr bytes using overflow-safe bounds. */
+        /* Compare the 64-bit length against remaining bytes (no size_t cast). */
         if (ret == WOLFCOSE_SUCCESS) {
             if ((item->majorType == WOLFCOSE_CBOR_BSTR) ||
                 (item->majorType == WOLFCOSE_CBOR_TSTR)) {
-                if (item->val > (uint64_t)SIZE_MAX) {
-                    ret = WOLFCOSE_E_CBOR_OVERFLOW;
-                }
-                else if ((size_t)item->val > (ctx->bufSz - ctx->idx)) {
+                if (item->val > (uint64_t)(ctx->bufSz - ctx->idx)) {
                     ret = WOLFCOSE_E_CBOR_MALFORMED;
                 }
                 else {