Re: Parfait analysis of GNU sed 4.2.2
From: Paolo Bonzini
Subject: Re: Parfait analysis of GNU sed 4.2.2
Date: Thu, 14 Feb 2013 22:32:23 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130110 Thunderbird/17.0.2
On 14/02/2013 19:10, Rich Burridge wrote:
> Hi,
>
> I'm in the process of updating the version of GNU sed that's in
> the Oracle Solaris O/S to 4.2.2. Part of this update requires
> a security audit, including running the Parfait static code analysis
> tool on the GNU sed code.
>
> For more information on parfait, see the paper:
>
> http://labs.oracle.com/projects/downunder/publications/pepm09.pdf
>
> Anyhoo, parfait found the following error:
>
> Error: Buffer overrun
> Buffer overflow (CWE 120): In array dereference of
> ((char*)(word_limit + -1))[12] with index '-1+12'
> Array size is 32000 bytes, -1+12 is -20
> at line 257 of components/sed/sed-4.2.2/sed/fmt.c in function
> 'get_paragraph'.
> Read outside array bounds (CWE 125): In array dereference of
> ((char*)(word_limit + -1))[12] with index '-1+12'
> Array size is 32000 bytes, -1+12 is -20
> at line 257 of components/sed/sed-4.2.2/sed/fmt.c in function
> 'get_paragraph'.
>
> You might wish to review this and see if it is a real problem that
> needs addressing (as opposed to a false positive).
It's a false positive.
Function get_line always advances word_limit by one or more, and there
is always at least one invocation of get_line after the assignment
word_limit = words;
Paolo
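The pattern behind the report, as an added example that is not code from sed's fmt.c: a fixed array of word records, a pointer `word_limit` that a line reader advances past each collected word, and a paragraph routine that resets the pointer, reads at least one line, and then touches the last record through `word_limit - 1`. Parfait's `((char*)(word_limit + -1))[12]` with byte index `-20` is consistent with a 32-byte record (1000 of them make the 32000-byte array it reports) and a field 12 bytes into the previous record; the analyzer cannot see that `get_line` moved the pointer, so it evaluates the access against `word_limit == words`. The record layout, `MAXWORDS`, and the whitespace-splitting `get_line` below are simplified stand-ins, not sed's definitions. The guarded variant makes the invariant Paolo states explicit at the dereference, which is the check a reviewer would add if they wanted the tool (and future readers) to see it.

```c
#include <stdio.h>

/* Added example, not sed's fmt.c.  The names WORD, words, word_limit,
 * get_line and get_paragraph follow the e-mail; the field layout, the
 * array size and the tokenizer are assumptions made for illustration. */

#define MAXWORDS 8

typedef struct {
    const char *text;   /* start of the word in the input line */
    int length;         /* number of bytes in the word */
    int final;          /* set on the last word of a paragraph */
} WORD;

static WORD words[MAXWORDS];
static WORD *word_limit;   /* one past the last word collected so far */

/* Stand-in for get_line: split one line on spaces and append the words.
 * Returns how many words were appended.  For a line with at least one
 * non-blank character this is >= 1, which is the invariant the reply
 * relies on; for a blank line it is 0, the case the analyzer assumed. */
static int get_line(const char *line)
{
    int added = 0;
    const char *p = line;
    while (*p != '\0' && word_limit < words + MAXWORDS) {
        while (*p == ' ')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ')
            p++;
        word_limit->text = start;
        word_limit->length = (int)(p - start);
        word_limit->final = 0;
        word_limit++;
        added++;
    }
    return added;
}

/* Unguarded shape of the flagged site: reset, read, then write a field of
 * the record just before word_limit.  Correct whenever get_line collected
 * at least one word; the static analyzer reports it because it evaluates
 * the access with word_limit still equal to words.  Returns the number of
 * words in the paragraph.  Only call this with a non-blank line. */
static int get_paragraph_unguarded(const char *line)
{
    word_limit = words;
    get_line(line);
    (word_limit - 1)->final = 1;   /* the site Parfait flagged */
    return (int)(word_limit - words);
}

/* Guarded variant: same logic with the invariant checked where it is
 * used.  If no word was collected, report -1 instead of touching
 * words[-1]. */
static int get_paragraph_guarded(const char *line)
{
    word_limit = words;
    get_line(line);
    if (word_limit == words)
        return -1;   /* word_limit - 1 would be before the array */
    (word_limit - 1)->final = 1;
    return (int)(word_limit - words);
}

int main(void)
{
    /* Constructed sample input. */
    int n = get_paragraph_guarded("sed   is a stream editor");
    printf("%d words, last one final=%d\n", n, words[n - 1].final);
    printf("blank line -> %d\n", get_paragraph_guarded("   "));
    return 0;
}
```

The guard costs one comparison per paragraph and turns an invariant that lives in another function into a local fact the analyzer can check; whether that is worth it in sed itself is a judgement call, since the reply shows the unguarded access is already safe.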