emacs-bug-tracker

bug#71535: closed (multiple defects found by covscan in diffutils-3.10)


From: GNU bug Tracking System
Subject: bug#71535: closed (multiple defects found by covscan in diffutils-3.10)
Date: Fri, 14 Jun 2024 00:14:01 +0000

Your message dated Thu, 13 Jun 2024 17:13:17 -0700
with message-id <a7e9c8a5-5653-41a9-8439-b0305e558cac@cs.ucla.edu>
and subject line Re: [bug-diffutils] bug#71535: multiple defects found by 
covscan in diffutils-3.10
has caused the debbugs.gnu.org bug report #71535,
regarding multiple defects found by covscan in diffutils-3.10
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
71535: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71535
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: multiple defects found by covscan in diffutils-3.10
Date: Thu, 13 Jun 2024 11:34:27 +0200

There are multiple defects in opencryptoki-3.23.0 found by covscan. It
could be that some of them are false positives.
Thanks!

Error: OVERRUN (CWE-119):
diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning:
""width"" = ""2147483647"".
diffutils-3.10/lib/nstrftime.c:1009:11: alias: Assigning: ""bufp"" =
""buf + 23UL"". ""bufp"" now points to byte 23 of ""buf"" (which
consists of 23 bytes).
diffutils-3.10/lib/nstrftime.c:1019:15: ptr_decr: Decrementing
""bufp"". ""bufp"" now points to byte 22 of ""buf"" (which consists of
23 bytes).
diffutils-3.10/lib/nstrftime.c:1048:17: decr: Decrementing ""width"".
The value of ""width"" is now 2147483646.
diffutils-3.10/lib/nstrftime.c:1051:13: assignment: Assigning: ""_w""
= ""(pad == 45 || width < 0) ? 0 : width"". The value of ""_w"" is now
2147483646.
diffutils-3.10/lib/nstrftime.c:1051:13: cond_at_most: Checking ""_n <
_w"" implies that ""_n"" may be up to 2147483645 on the true branch.
diffutils-3.10/lib/nstrftime.c:1051:13: overrun-buffer-arg:
Overrunning buffer pointed to by ""(void const *)bufp"" of 23 bytes by
passing it to a function which accesses it at byte offset 2147483666
using argument ""_n"" (which evaluates to 2147483645). [Note: The
source code implementation of the function has been overridden by a
builtin model.]
# 1049|                 }
# 1050|
# 1051|->             cpy (numlen, bufp);
# 1052|             }
# 1053|             break;"

Error: UNINIT (CWE-457):
diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable
""tm_1"" without initializer.
diffutils-3.10/lib/time_rz.c:310:15: uninit_use: Using uninitialized
value ""tm_1"". Field ""tm_1.tm_gmtoff"" is uninitialized.
#  308|             if (revert_tz (old_tz) && ok)
#  309|               {
#  310|->               *tm = tm_1;
#  311|                 return t;
#  312|               }"

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/lib/stdopen.c:51:11: open_fn: Returning handle opened
by ""open"". [Note: The source code implementation of the function has
been overridden by a user model.]
diffutils-3.10/lib/stdopen.c:51:11: var_assign: Assigning: ""full_fd""
= handle returned from ""open(""/dev/full"", mode)"".
diffutils-3.10/lib/stdopen.c:52:11: var_assign: Assigning: ""new_fd""
= ""full_fd"".
diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable
""new_fd"" going out of scope leaks the handle.
diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable
""full_fd"" going out of scope leaks the handle.
#   60|                 return 0;
#   61|               }
#   62|->         }
#   63|       }
#   64|"

Error: INTEGER_OVERFLOW (CWE-190):
diffutils-3.10/lib/stackvma.c:198:23: tainted_data_return: Called
function ""read(fd, rof->buffer + rof->filled, size - rof->filled)"",
and a possible return value may be less than zero.
diffutils-3.10/lib/stackvma.c:198:23: cast_overflow: An assign that
casts to a different type, which might trigger an overflow.
diffutils-3.10/lib/stackvma.c:213:23: overflow: The expression
""rof->filled"" is considered to have possibly overflowed.
diffutils-3.10/lib/stackvma.c:198:23: overflow: The expression ""size
- rof->filled"" is deemed overflowed because at least one of its
arguments has overflowed.
diffutils-3.10/lib/stackvma.c:198:23: overflow_sink: ""size -
rof->filled"", which might have underflowed, is passed to ""read(fd,
rof->buffer + rof->filled, size - rof->filled)"". [Note: The source
code implementation of the function has been overridden by a builtin
model.]
#  196|                     for (;;)
#  197|                       {
#  198|->                       n = read (fd, rof->buffer +
rof->filled, size - rof->filled);
#  199|                         if (n < 0 && errno == EINTR)
#  200|                           goto retry;"

Error: UNINIT (CWE-457):
diffutils-3.10/src/sdiff.c:867:7: var_decl: Declaring variable
""cmd1"" without initializer.
diffutils-3.10/src/sdiff.c:964:13: uninit_use: Using uninitialized
value ""cmd1"".
#  962|                 perror_fatal (tmpname);
#  963|
#  964|->             switch (cmd1)
#  965|                 {
#  966|                 case 'd':"

Error: UNINIT (CWE-457):
diffutils-3.10/lib/sigsegv.c:1460:5: var_decl: Declaring variable
""ss"" without initializer.
diffutils-3.10/lib/sigsegv.c:1462:5: uninit_use_in_call: Using
uninitialized value ""ss"". Field ""ss.ss_sp"" is uninitialized when
calling ""sigaltstack"".
# 1460|       stack_t ss;
# 1461|       ss.ss_flags = SS_DISABLE;
# 1462|->     if (sigaltstack (&ss, (stack_t *) 0) < 0)
# 1463|         perror (""gnulib sigsegv (stackoverflow_deinstall_handler)"");
# 1464|     }"

Error: OVERRUN (CWE-119):
diffutils-3.10/src/diff.c:426:6: strlen_assign: Setting variable
""alloc"" to the return value of strlen called with argument
""optarg"".
diffutils-3.10/src/diff.c:432:6: alloc_strlen: Allocating insufficient
memory for the terminating null of the string. [Note: The source code
implementation of the function has been overridden by a builtin
model.]
#  430|      &alloc))
#  431|          xalloc_die ();
#  432|->     char *b = xmalloc (alloc);
#  433|        char *base = b;
#  434|        int changes = 0;"

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from
allocation function ""create_diff3_block"".
diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: ""result"" =
storage returned from ""create_diff3_block(low[0], high[0], low[1],
high[1], lowc, highc)"".
diffutils-3.10/src/diff3.c:801:11: leaked_storage: Variable ""result""
going out of scope leaks the storage it points to.
#  799|                                 D_LENARRAY (result, FILEC) +
result_offset,
#  800|                                 D_NUMLINES (ptr, FC)))
#  801|->           return 0;
#  802|         }
#  803|"

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/util.c:687:3: alloc_fn: Storage is returned from
allocation function ""xstrdup"".
diffutils-3.10/src/util.c:687:3: var_assign: Assigning: ""color_buf""
= storage returned from ""xstrdup(p)"".
diffutils-3.10/src/util.c:687:3: var_assign: Assigning: ""buf"" = ""color_buf"".
diffutils-3.10/src/util.c:795:1: leaked_storage: Variable ""buf""
going out of scope leaks the storage it points to.
diffutils-3.10/src/util.c:795:1: leaked_storage: Variable
""color_buf"" going out of scope leaks the storage it points to.
#  793|         colors_enabled = false;
#  794|       }
#  795|-> }
#  796|
#  797|   static void"

Error: UNINIT (CWE-457):
diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable
""tm_1"" without initializer.
diffutils-3.10/lib/time_rz.c:306:11: uninit_use_in_call: Using
uninitialized value ""tm_1.tm_zone"" when calling ""save_abbr"".
#  304|             bool ok = 0 <= tm_1.tm_yday;
#  305|   #if HAVE_STRUCT_TM_TM_ZONE || HAVE_TZNAME
#  306|->           ok = ok && save_abbr (tz, &tm_1);
#  307|   #endif
#  308|             if (revert_tz (old_tz) && ok)"

Error: BAD_FREE (CWE-763):
diffutils-3.10/src/analyze.c:692:11: offset_free: ""free"" frees
address offset from ""cmp->file[f].linbuf"".
#  690|           {
#  691|             free (cmp->file[f].equivs);
#  692|->           free (cmp->file[f].linbuf + cmp->file[f].linbuf_base);
#  693|           }
#  694|"

Error: OVERRUN (CWE-119):
diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning:
""width"" = ""2147483647"".
diffutils-3.10/lib/nstrftime.c:885:15: assignment: Assigning: ""_w"" =
""(pad == 45 || width < 0) ? 0 : width"". The value of ""_w"" is now
2147483647.
diffutils-3.10/lib/nstrftime.c:885:15: cond_between: Checking ""_n <
_w"" implies that ""_n"" is between 0 and 2147483646 (inclusive) on
the true branch.
diffutils-3.10/lib/nstrftime.c:885:15: overrun-buffer-arg: Overrunning
buffer pointed to by ""(void const *)(ubuf + 1)"" of 1024 bytes by
passing it to a function which accesses it at byte offset 2147483646
using argument ""_n"" (which evaluates to 2147483646). [Note: The
source code implementation of the function has been overridden by a
builtin model.]
#  883|               len = strftime (ubuf, sizeof ubuf, ufmt, tp);
#  884|               if (len != 0)
#  885|->               cpy (len - 1, ubuf + 1);
#  886|             }
#  887|             break;"

Error: BAD_ALLOC_ARITHMETIC (CWE-131):
diffutils-3.10/src/ifdef.c:364:28: bad_alloc_arithmetic: Adding an
offset to the result of a call to ""__builtin_alloca"" might indicate
an under-allocation.
diffutils-3.10/src/ifdef.c:364:28: remediation: Did you intend for the
size argument to be ""spec_prefix_len + pI_len + 2UL + 32UL - 1UL +
31UL""?
#  362|               size_t spec_prefix_len = f - spec - 2;
#  363|               size_t pI_len = sizeof pI - 1;
#  364|->             char *format = xmalloca (spec_prefix_len + pI_len + 2);
#  365|               char *p = mempcpy (format, spec, spec_prefix_len);
#  366|               p = stpcpy (p, pI);"

Error: UNINIT (CWE-457):
diffutils-3.10/lib/diffseq.h:388:11: var_decl: Declaring variable
""bxbest"" without initializer.
diffutils-3.10/lib/diffseq.h:436:15: uninit_use: Using uninitialized
value ""bxbest"".
#  434|             else
#  435|               {
#  436|->               part->xmid = bxbest;
#  437|                 part->ymid = bxybest - bxbest;
#  438|                 part->lo_minimal = false;"

Error: UNINIT (CWE-457):
diffutils-3.10/lib/diffseq.h:386:11: var_decl: Declaring variable
""fxbest"" without initializer.
diffutils-3.10/lib/diffseq.h:429:15: uninit_use: Using uninitialized
value ""fxbest"".
#  427|             if ((xlim + ylim) - bxybest < fxybest - (xoff + yoff))
#  428|               {
#  429|->               part->xmid = fxbest;
#  430|                 part->ymid = fxybest - fxbest;
#  431|                 part->lo_minimal = true;"

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from
allocation function ""create_diff3_block"".
diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: ""result"" =
storage returned from ""create_diff3_block(low[0], high[0], low[1],
high[1], lowc, highc)"".
diffutils-3.10/src/diff3.c:830:13: leaked_storage: Variable ""result""
going out of scope leaks the storage it points to.
#  828|                                   D_LENARRAY (result, FILE0 +
d) + result_offset,
#  829|                                   D_NUMLINES (ptr, FO)))
#  830|->             return 0;
#  831|
#  832|             /* Catch the lines between here and the next diff */"



--- End Message ---
--- Begin Message ---
Subject: Re: [bug-diffutils] bug#71535: multiple defects found by covscan in diffutils-3.10
Date: Thu, 13 Jun 2024 17:13:17 -0700
User-agent: Mozilla Thunderbird

Thanks. Yes, they're all false alarms with the possible exception of the stackvma.c which is a false alarm on every platform I know of but perhaps we can make it bulletproof for hypothetical platforms. If I have time I'll look into the stackvma.c thing, though that's in Gnulib. Closing the bug report for now.


--- End Message ---
