
List:       freedesktop-xorg
Subject:    Re: some potential security issue for edid-decode
From:       Seth Arnold <seth.arnold () canonical ! com>
Date:       2016-09-29 23:08:20
Message-ID: 20160929230820.GN8176 () hunt



On Thu, Sep 29, 2016 at 09:14:52AM -0700, Alan Coopersmith wrote:
> On 09/29/16 07:48 AM, shirish शिरीष wrote:
> >Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
> >Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
> >./JSON/i-nex-edid.c:137:  [2] (buffer) char:
> >  Statically-sized arrays can be improperly restricted, leading to potential
> >  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
> >  functions that limit length, or ensure that the size is larger than the
> >  maximum possible length.
> >    static char name[4];
[...]

If all this tool is doing is reporting static allocations and C functions
that can be misused, it doesn't seem particularly useful. Static array
allocations are a fact of programming in C, and very nearly every API is
unsafe when used incorrectly. That's just what C is. It might be nice to
guide an audit but on its own it doesn't seem too revealing.

I strongly recommend cppcheck instead. It's not perfect, but it is
surprisingly good.

Thanks
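As an added illustration of the point both messages above make (a `static char name[4]` is fine in C provided every write into it is bounded), here is a small C example. It is not code from i-nex-edid.c, edid-decode or this thread, and it assumes, for the sake of the example only, that a 4-byte name buffer holds the three-letter EDID manufacturer ID, which the public EDID layout stores as three 5-bit letters in bytes 8 and 9 of the base block. The sample EDID bytes are constructed inline.

```c
/* Added example (not code from i-nex-edid.c or edid-decode): a fixed-size
 * static buffer handled the way the flawfinder note asks for, with every
 * write bounded by an explicit check. The EDID layout used here is the
 * public one: bytes 8-9 hold three 5-bit letters of the manufacturer ID. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_BLOCK_LEN 128
#define NAME_LEN 3                 /* three letters + NUL fit in name[4] */

static char name[4];               /* same shape as the flagged buffer */

/* Decode the manufacturer ID from an EDID base block. Returns a pointer to
 * the static buffer, or NULL if the input is too short or not well formed. */
const char *edid_manufacturer(const uint8_t *edid, size_t len)
{
    if (edid == NULL || len < 10)  /* bytes 8 and 9 must exist */
        return NULL;
    unsigned word = ((unsigned)edid[8] << 8) | edid[9];
    if (word & 0x8000)             /* bit 15 is reserved and must be 0 */
        return NULL;
    for (int i = 0; i < NAME_LEN; i++) {
        unsigned code = (word >> (10 - 5 * i)) & 0x1f;
        if (code < 1 || code > 26) /* only 'A'..'Z' are valid letters */
            return NULL;
        name[i] = (char)('A' + code - 1);
    }
    name[NAME_LEN] = '\0';         /* index 3 is the last byte of name[4] */
    return name;
}

/* Copy an arbitrary C string into the static buffer, refusing anything
 * that does not fit rather than truncating or overflowing. */
const char *name_from_string(const char *src)
{
    if (src == NULL)
        return NULL;
    /* memchr bounds the scan itself, so an unterminated src cannot run on. */
    if (memchr(src, '\0', sizeof name) == NULL)
        return NULL;               /* no terminator within 4 bytes: too long */
    memcpy(name, src, strlen(src) + 1);
    return name;
}

/* Constructed sample: 0x4C2D encodes "SAM"; everything else zero. */
const uint8_t SAMPLE_EDID[EDID_BLOCK_LEN] = { [8] = 0x4C, [9] = 0x2D };
/* Constructed bad sample: letter code 0 in the first position. */
const uint8_t BAD_EDID[EDID_BLOCK_LEN] = { [8] = 0x00, [9] = 0x2D };

int main(void)
{
    const char *m = edid_manufacturer(SAMPLE_EDID, sizeof SAMPLE_EDID);
    printf("manufacturer: %s\n", m ? m : "(invalid)");
    printf("short input rejected: %s\n",
           edid_manufacturer(SAMPLE_EDID, 9) ? "no" : "yes");
    printf("\"ABCD\" rejected: %s\n", name_from_string("ABCD") ? "no" : "yes");
    return 0;
}
```

The two functions show the two halves of the flawfinder advice: `edid_manufacturer` guarantees by construction that the size (4) exceeds the maximum possible length (3 letters plus NUL), while `name_from_string` uses a length-limited primitive (`memchr` over `sizeof name`) to reject input that would not fit. Neither path can write past `name[3]`, which is what a reviewer following up a flawfinder hit would be checking for.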


_______________________________________________
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
