I guess when you are going through the Code in your mind, you assume the file this Code is reading has some well-structured data. The SonarCloud analyzer does not know what “well-structured data” means, so it cannot assume the same.
In particular, here is a possible execution scenario in which the read value would be garbage (not a “garbage” read from the file, but “garbage” as in uninitialized memory: a single-byte file (pcFilename).
pu8PoolData is assigned a 1-byte buffer on l.481 (note how it is not multiplied by the sizeof(iso_u8) in the malloc expression, so the following code is prone to buffer overrun if iso_u8 is different from 1 byte, but let’s assume it is 1 byte for the rest of this walkthrough).
Then this single byte is read to on l.485. u32PoolSize remains equal to 1 and pu8PoolData still points to a 1-byte buffer.
<fast forward to the reducePool function (meanwhile, no changes to u32PoolSize and pu8PoolData)>
On the first iteration of the while loop l.569u32PoolSrcIdx is 0, u32PoolSize is 1, and pu8PoolDataInOut points to a 1-byte buffer.
poolData is initialized with the value of pu8PoolDataInOut (since u32PoolSrcIdx is 0) on l.572.
Finally, the Code accesses poolData[2]. However, poolData (being equal to pu8PoolDataInOut, which is equal to pu8PoolData) still points to a 1-byte buffer. The Code treats it as an array of elements of type iso_u8 which we assumed to be 1 byte. Thus the Code tries to read a 3-rd byte of a 1-byte buffer, and that is a garbage value.