Fix Coverity DEADCODE findings in COSE MAC and CBOR decode paths

README.md

@@ -165,6 +165,10 @@ make coverage                  # Run tests with gcov
 make coverage-force-failure    # Include crypto failure path testing
 ```
 
+<a href="https://scan.coverity.com/projects/wolfcose">
+  <img alt="Coverity Scan Build Status"
+       src="https://scan.coverity.com/projects/32918/badge.svg"/>
+</a>
 <a href="https://github.com/wolfSSL/wolfCOSE/actions">
   <img alt="CI Status"
        src="https://img.shields.io/github/actions/workflow/status/wolfSSL/wolfCOSE/build-test.yml?label=CI&logo=github"/>

src/wolfcose.c

@@ -6105,10 +6105,6 @@ int wc_CoseMac0_Create(const WOLFCOSE_KEY* key, int32_t alg,
         (payload == NULL) && (detachedPayload == NULL)) {
         ret = WOLFCOSE_E_INVALID_ARG;
     }
-    if ((ret == WOLFCOSE_SUCCESS) &&
-        (macPayload == NULL) && (macPayloadLen > 0u)) {
-        ret = WOLFCOSE_E_INVALID_ARG;
-    }
     /* Reject inconsistent (kid, kidLen) so the kid is never silently dropped. */
     if ((ret == WOLFCOSE_SUCCESS) &&
         (((kid != NULL) && (kidLen == 0u)) ||
@@ -7859,10 +7855,6 @@ int wc_CoseMac_Create(const WOLFCOSE_RECIPIENT* recipients,
                 ret = WOLFCOSE_E_CRYPTO;
             }
         }
-        if (hmacInited != 0) {
-            (void)wc_HmacFree(&hmac);
-            hmacInited = 0;
-        }
     }
     else
 #endif /* WOLFCOSE_HAVE_HMAC */
@@ -8275,10 +8267,6 @@ int wc_CoseMac_Verify(const WOLFCOSE_RECIPIENT* recipient,
                 ret = WOLFCOSE_E_CRYPTO;
             }
         }
-        if (hmacInited != 0) {
-            (void)wc_HmacFree(&hmac);
-            hmacInited = 0;
-        }
     }
     else
 #endif /* WOLFCOSE_HAVE_HMAC */

src/wolfcose_cbor.c

@@ -233,14 +233,11 @@ int wolfCose_CBOR_DecodeHead(WOLFCOSE_CBOR_CTX* ctx, WOLFCOSE_CBOR_ITEM* item)
             }
         }
 
-        /* Advance past bstr/tstr bytes using overflow-safe bounds. */
+        /* Compare the 64-bit length against remaining bytes (no size_t cast). */
         if (ret == WOLFCOSE_SUCCESS) {
             if ((item->majorType == WOLFCOSE_CBOR_BSTR) ||
                 (item->majorType == WOLFCOSE_CBOR_TSTR)) {
-                if (item->val > (uint64_t)SIZE_MAX) {
-                    ret = WOLFCOSE_E_CBOR_OVERFLOW;
-                }
-                else if ((size_t)item->val > (ctx->bufSz - ctx->idx)) {
+                if (item->val > (uint64_t)(ctx->bufSz - ctx->idx)) {
                     ret = WOLFCOSE_E_CBOR_MALFORMED;
                 }
                 else {