I guess when you are going through the code in your mind, you assume the file this code is reading has some well-structured data. The SonarCloud analyzer does not know what “well-structured data” means, so it cannot assume the same.
In particular, here is a possible execution scenario in which the read value would be garbage (not a “garbage” read from the file, but “garbage” as in uninitialized memory): a single-byte file (pcFilename).
pu8PoolData is assigned a 1-byte buffer on l.481 (note how it is not multiplied by the sizeof(iso_u8) in the malloc expression, so the following code is prone to buffer overrun if iso_u8 is different from 1 byte, but let’s assume it is 1 byte for the rest of this walkthrough).
Then this single byte is read into it on l.485. u32PoolSize remains equal to 1 and pu8PoolData still points to a 1-byte buffer.
<fast forward to the reducePool function (meanwhile, no changes to u32PoolSize and pu8PoolData)>
On the first iteration of the while loop (l.569), u32PoolSrcIdx is 0, u32PoolSize is 1, and pu8PoolDataInOut points to a 1-byte buffer.
poolData is initialized with the value of pu8PoolDataInOut (since u32PoolSrcIdx is 0) on l.572.
Finally, the code accesses poolData. However, poolData (being equal to pu8PoolDataInOut, which is equal to pu8PoolData) still points to a 1-byte buffer. The code treats it as an array of elements of type iso_u8, which we assumed to be 1 byte. Thus the code tries to read the 3rd byte of a 1-byte buffer, and that is a garbage value.
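The single-byte-file scenario from the walkthrough, with the two checks it calls for (an allocation sized by element type and a length check before the third byte is read), as an added example that is not part of the original post or of the code under analysis. The helper names, the 3-byte record length and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint8_t iso_u8;        /* assumed to be 1 byte, as in the walkthrough */

#define RECORD_MIN_LEN 3u      /* assumption: the code reads up to the 3rd byte */

/* Allocate `count` elements: size by element type and reject overflow. */
static iso_u8 *pool_alloc(size_t count)
{
    if (count == 0 || count > SIZE_MAX / sizeof(iso_u8))
        return NULL;
    return calloc(count, sizeof(iso_u8));   /* zeroed, never uninitialized */
}

/* Store the 3rd byte of the record starting at src_idx in *out.
 * Returns 0 on success, -1 if fewer than RECORD_MIN_LEN bytes remain. */
static int pool_third_byte(const iso_u8 *pool, size_t pool_size,
                           size_t src_idx, iso_u8 *out)
{
    if (pool == NULL || out == NULL)
        return -1;
    if (src_idx > pool_size || pool_size - src_idx < RECORD_MIN_LEN)
        return -1;              /* a 1-byte pool is rejected here */
    *out = pool[src_idx + 2];
    return 0;
}

/* Replays the scenario: file contents are copied into a pool of the same
 * size, then the first record's 3rd byte is requested. */
static int read_scenario(const iso_u8 *file_bytes, size_t file_len, iso_u8 *out)
{
    iso_u8 *pool = pool_alloc(file_len);
    int rc;

    if (pool == NULL)
        return -1;
    memcpy(pool, file_bytes, file_len);
    rc = pool_third_byte(pool, file_len, 0, out);
    free(pool);
    return rc;
}

int main(void)
{
    const iso_u8 single_byte_file[] = { 0x41 };   /* constructed input */
    iso_u8 value = 0;
    /* Exit status 0 means the short file was rejected instead of over-read. */
    return read_scenario(single_byte_file, 1, &value) == -1 ? 0 : 1;
}
```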