URL: <https://savannah.gnu.org/bugs/?66076>
Summary: [xditview] Unsafe string handling in xditview.c
Group: GNU roff
Submitter: ljavorsk
Submitted: Mon 12 Aug 2024 11:06:32 AM UTC
Category: Macro package - others/general
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Mon 12 Aug 2024 11:06:32 AM UTC    By: Lukas <ljavorsk>

There is unsafe string handling in the src/devices/xditview/xditview.c file. Since the "file_name" variable comes from the arguments, it should be handled safely, because it could be tainted.

These defects were identified by SAST analyzers (a combination of coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol), and from 98 findings these are a few that I believe are NOT false positives.

Here is the SAST report:

Error: STRING_SIZE (CWE-120):
groff-1.23.0/src/devices/xditview/xditview.c:209: string_size_argv: "argv" contains strings with unknown size.
groff-1.23.0/src/devices/xditview/xditview.c:260: var_assign_var: Assigning: "file_name" = "argv[1]". Both are now tainted.
groff-1.23.0/src/devices/xditview/xditview.c:284: string_size: Passing string "file_name" of unknown size to "NewFile", which expects a string of a particular size.
#  282|       XtGetValues (dvi, pageNumberArgs, 1);
#  283|       if (file_name)
#  284|->      NewFile (file_name);
#  285|       /* NewFile modifies current_file_name, so do this here. */
#  286|       if (app_resources.filename)

Possible remedy: Commits are in the attachments.

Please let me know if you believe these are indeed false positives and why.

Thank you so much for your collaboration.
_______________________________________________________

File Attachments:

-------------------------------------------------------
Name: 0001-Safely-handle-the-name-argument-in-NewFile-func.patch    Size: 977B
<https://file.savannah.gnu.org/file/0001-Safely-handle-the-name-argument-in-NewFile-func.patch?file_id=56344>

_______________________________________________________

Reply to this item at:
<https://savannah.gnu.org/bugs/?66076>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
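The defect class the STRING_SIZE (CWE-120) trace describes, as an added C example that is neither groff's code nor the submitter's attached patch: the page does not show the body of groff's NewFile, so the fixed 64-byte buffer, the functions new_file_unsafe and new_file_safe, and the accessor current_name are hypothetical stand-ins chosen to reproduce the argv-to-fixed-buffer pattern the report flags and one way of bounding it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size; groff's real NewFile and its
 * current_file_name storage are not shown on the page. */
#define NAME_BUF_SIZE 64

/* Stand-in for the global that the Coverity trace says NewFile modifies. */
static char current_file_name[NAME_BUF_SIZE];

/* The pattern a STRING_SIZE (CWE-120) finding points at: a string of
 * unknown length (here, ultimately argv[1]) copied into a fixed-size
 * buffer with no bound. Any name of NAME_BUF_SIZE bytes or more writes
 * past the end of current_file_name. Shown for contrast only; nothing
 * below calls it. */
void new_file_unsafe(const char *name)
{
    strcpy(current_file_name, name);
}

/* Hardened form: measure the input against the destination before
 * copying, and refuse names that do not fit rather than truncating,
 * so a later open() never acts on a silently shortened path.
 * Returns 0 on success, -1 on NULL input or an over-long name; on
 * failure current_file_name is left untouched. */
int new_file_safe(const char *name)
{
    if (name == NULL)
        return -1;
    /* Look for the terminator only within the space we have; memchr
     * never reads beyond NAME_BUF_SIZE bytes, unlike strlen. */
    const char *end = memchr(name, '\0', NAME_BUF_SIZE);
    if (end == NULL)
        return -1;          /* no NUL within the buffer's capacity */
    size_t len = (size_t)(end - name);
    memcpy(current_file_name, name, len + 1);   /* copy the NUL too */
    return 0;
}

/* Read-only accessor so callers can inspect what the last successful
 * call stored. */
const char *current_name(void)
{
    return current_file_name;
}

int main(int argc, char **argv)
{
    /* argv[1] is caller-controlled input of unknown length, which is
     * exactly what the taint trace tracks; "constructed.dvi" is a
     * constructed default so the program runs with no arguments. */
    const char *file_name = (argc > 1) ? argv[1] : "constructed.dvi";

    if (new_file_safe(file_name) != 0) {
        fprintf(stderr, "file name rejected: missing or longer than %d bytes\n",
                NAME_BUF_SIZE - 1);
        return 1;
    }
    printf("current file: %s\n", current_name());
    return 0;
}
```

Rejecting rather than truncating is a deliberate choice: a truncated path still names a file, just not the one the user asked for, and the caller has no way to notice. Whether the attached patch bounds the copy this way or differently cannot be told from the page.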