[bug #66081] [troff] Possible accessing uninitialized array in env.cpp
From: Lukas Javorsky
Subject: [bug #66081] [troff] Possible accessing uninitialized array in env.cpp
Date: Mon, 12 Aug 2024 10:19:24 -0400 (EDT)
URL:
<https://savannah.gnu.org/bugs/?66081>
Summary: [troff] Possible accessing uninitialized array in env.cpp
Group: GNU roff
Submitter: ljavorsk
Submitted: Mon 12 Aug 2024 02:19:21 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 12 Aug 2024 02:19:21 PM UTC By: Lukas Javorsky <ljavorsk>
In case `strtok` returns `null`, we break early from the for-loop before
initializing any values in `sizes`. We then access uninitialized values. The
only other case where we break out of the loop is when `lower` is 0, and we do
so only after adding this 0 to `sizes`. The function `init_size_table` uses "\0"
to detect the end of the array, so in this case we shouldn't be accessing any
uninitialized values.

Using uninitialized elements "x" and "y" could cause undefined behavior. It's
safer to initialize them to "0" to ensure it doesn't happen.

These defects were identified by SAST analyzers (a combination of coverity,
snyk, cppcheck, gcc, clang, shellcheck, unicontrol), and from 98 findings
these are a few that I believe are NOT false positives.
Error: UNINIT (CWE-457):
groff-1.23.0/src/roff/troff/env.cpp:1256: alloc_fn: Calling "operator new[]"
which returns uninitialized memory.
groff-1.23.0/src/roff/troff/env.cpp:1256: assign: Assigning: "sizes" = "new
int[n]", which points to uninitialized data.
groff-1.23.0/src/roff/troff/env.cpp:1291: uninit_use_in_call: Using
uninitialized value "*sizes" when calling "init_size_table".
# 1289| p = strtok(0, " \t");
# 1290| }
# 1291|-> font_size::init_size_table(sizes);
# 1292| }
# 1293|
Possible remedy:
Commits are in the attachments
Please let me know if you believe these are indeed false positives and why.
Thank you so much for your collaboration.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Name: 0001-Fix-uninitialized-memory-usage-in-override_sizes-by-.patch Size: 1KiB
<https://file.savannah.gnu.org/file/0001-Fix-uninitialized-memory-usage-in-override_sizes-by-.patch?file_id=56348>