[bug #66080] [pic] Using uninitialized elements of the "place" structure in "place::follow" function

[Lukas Javorsky]

URL:
  <https://savannah.gnu.org/bugs/?66080>

                 Summary: [pic] Using uninitialized elements of the "place"
structure in "place::follow" function
                   Group: GNU roff
               Submitter: ljavorsk
               Submitted: Mon 12 Aug 2024 02:03:39 PM UTC
                Category: Preprocessor pic
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Mon 12 Aug 2024 02:03:39 PM UTC By: Lukas Javorsky <ljavorsk>
Using uninitialized elements "x" and "y" could cause undefined behavior. It's
safer to initialize them to "0" to ensure it doesn't happen.

These defects were identified by SAST analyzers (combination of
coverity,snyk,cppcheck,gcc,clang,shellcheck,unicontrol), and from 98 findings
these are few that I believe are NOT false positives.

Error: UNINIT (CWE-457):
groff-1.23.0/src/preproc/pic/object.cpp:894: var_decl: Declaring variable
"here" without initializer.
groff-1.23.0/src/preproc/pic/object.cpp:896: uninit_use_in_call: Using
uninitialized value "here". Field "here.x" is uninitialized when calling
"follow".
#  894|         place here;
#  895|         here.obj = p;
#  896|->       if (!with->follow(here, &offset))
#  897|           return 0;
#  898|         pos -= offset;

Possible remedy:
Commits are in the attachments

Please let me know if you believe these are indeed false positives and why.
Thank you so much for your collaboration.






    _______________________________________________________
File Attachments:


-------------------------------------------------------
Name: 0001-Initialize-x-and-y-elements-of-the-here-structure.patch  Size: 834B
<https://file.savannah.gnu.org/file/0001-Initialize-x-and-y-elements-of-the-here-structure.patch?file_id=56347>

    AGPL NOTICE

These attachments are served by Savane. You can download the corresponding
source code of Savane at
https://git.savannah.nongnu.org/cgit/administration/savane.git/snapshot/savane-d76bf983d304f2acfc08b5b4a201839fd9edec71.tar.gz

    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?66080>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/

signature.asc
Description: PGP signature