URL: <https://savannah.gnu.org/bugs/?66081>
Summary: [troff] Possible accessing uninitialized array in env.cpp
Group: GNU roff
Submitter: ljavorsk
Submitted: Mon 12 Aug 2024 02:19:21 PM UTC
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None

_______________________________________________________

Follow-up Comments:

-------------------------------------------------------
Date: Mon 12 Aug 2024 02:19:21 PM UTC  By: Lukas Javorsky <ljavorsk>

In case `strtok` returns `null`, we break early from the for-loop before initializing any values in `sizes`. We then access uninitialized values. The only other case where we break out of the loop is when `lower` is 0, and we do so only after adding this 0 to `sizes`. Function `init_size_table` uses "\0" to detect the end of the array, so in this case we shouldn't be accessing any uninitialized values.

Using uninitialized elements "x" and "y" could cause undefined behavior. It's safer to initialize them to "0" to ensure it doesn't happen.

These defects were identified by SAST analyzers (a combination of coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol), and from 98 findings these are a few that I believe are NOT false positives.

Error: UNINIT (CWE-457):
groff-1.23.0/src/roff/troff/env.cpp:1256: alloc_fn: Calling "operator new[]" which returns uninitialized memory.
groff-1.23.0/src/roff/troff/env.cpp:1256: assign: Assigning: "sizes" = "new int[n]", which points to uninitialized data.
groff-1.23.0/src/roff/troff/env.cpp:1291: uninit_use_in_call: Using uninitialized value "*sizes" when calling "init_size_table".
# 1289|       p = strtok(0, " \t");
# 1290|     }
# 1291|->   font_size::init_size_table(sizes);
# 1292|   }
# 1293|

Possible remedy: Commits are in the attachments.

Please let me know if you believe these are indeed false positives and why. Thank you so much for your collaboration.
_______________________________________________________

File Attachments:

-------------------------------------------------------
Name: 0001-Fix-uninitialized-memory-usage-in-override_sizes-by-.patch  Size: 1KiB
<https://file.savannah.gnu.org/file/0001-Fix-uninitialized-memory-usage-in-override_sizes-by-.patch?file_id=56348>
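Added example, not groff's code and not the patch attached to this report: a simplified C++ model of the pattern the comment and the Coverity trace describe, alongside the hardened form. `parse_size_pairs`, `count_until_terminator` and `parsed_count` are hypothetical names; the tokenising loop, the array growth step and the 0-terminator convention are assumptions reconstructed from the comment, not taken from env.cpp. The unsafe allocation is shown as a comment; the fixed version value-initialises the array with `new int[n]()` and also writes the terminator explicitly, so the `p == nullptr` early exit can no longer hand an unterminated array to the consumer.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Terminator convention the report attributes to init_size_table: entries are
// read until a 0 is found, so the array handed over MUST contain one.
static int count_until_terminator(const int *sizes) {
    int n = 0;
    while (sizes[n] != 0)
        ++n;
    return n;
}

// Hypothetical, simplified model of override_sizes (assumption, not groff's code).
// Parses a list like "10 12-14 16" into (lower, upper) pairs terminated by 0.
// Returns nullptr for a malformed token; the caller owns the returned array.
static int *parse_size_pairs(const std::string &input) {
    int n = 16;
    // Unsafe form from the Coverity trace:   int *sizes = new int[n];
    // The trailing () value-initialises every element to 0, so an early exit
    // from the loop below still leaves a terminator at sizes[0].
    int *sizes = new int[n]();
    int i = 0;

    std::vector<char> buf(input.begin(), input.end());   // strtok needs a writable copy
    buf.push_back('\0');
    char *save = nullptr;   // reentrant strtok_r instead of strtok
    char *p = strtok_r(buf.data(), " \t", &save);
    for (;;) {
        if (!p)
            break;   // the early exit the report describes: nothing may have been written yet
        int lower = 0, upper = 0;
        int matched = sscanf(p, "%d-%d", &lower, &upper);
        if (matched == 1)
            upper = lower;   // a single size is the range [lower, lower]
        if (matched < 1 || lower < 0 || lower > upper) {
            delete[] sizes;
            return nullptr;  // malformed token
        }
        if (i + 3 > n) {     // keep room for lower, upper and the terminator
            int *grown = new int[n * 2]();
            memcpy(grown, sizes, n * sizeof(int));
            delete[] sizes;
            sizes = grown;
            n *= 2;
        }
        sizes[i++] = lower;
        if (lower == 0)
            break;   // an explicit 0 in the input ends the list (already stored)
        sizes[i++] = upper;
        p = strtok_r(nullptr, " \t", &save);
    }
    sizes[i] = 0;   // belt and braces: terminate regardless of how the loop ended
    return sizes;
}

// Number of entries before the terminator, or -1 for a malformed list.
static int parsed_count(const std::string &input) {
    int *sizes = parse_size_pairs(input);
    if (!sizes)
        return -1;
    int count = count_until_terminator(sizes);
    delete[] sizes;
    return count;
}

int main() {
    // Constructed sample inputs; the empty string is the case from the report.
    const char *samples[] = {"", "10 12-14 16", "10 0 99", "12-8"};
    for (const char *s : samples)
        printf("\"%s\" -> %d\n", s, parsed_count(s));
    return 0;
}
```

With the unsafe `new int[n]` and an empty list, `count_until_terminator` would scan indeterminate memory until it happened to hit a 0 (or ran off the allocation), which is exactly the UNINIT/CWE-457 finding; with value-initialisation the empty list yields a count of 0 and the scan stops at index 0.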