List: freedesktop-xorg
Subject: Re: some potential security issue for edid-decode
From: Seth Arnold <seth.arnold () canonical ! com>
Date: 2016-09-29 23:08:20
Message-ID: 20160929230820.GN8176 () hunt
On Thu, Sep 29, 2016 at 09:14:52AM -0700, Alan Coopersmith wrote:
> On 09/29/16 07:48 AM, shirish शिरीष wrote:
> >Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
> >Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
> >./JSON/i-nex-edid.c:137: [2] (buffer) char:
> > Statically-sized arrays can be improperly restricted, leading to potential
> > overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
> > functions that limit length, or ensure that the size is larger than the
> > maximum possible length.
> > static char name[4];
[...]
If all this tool is doing is reporting static allocations and C functions
that can be misused it doesn't seem particularly useful. Static array
allocations are a fact of programming in C, and very nearly every API is
unsafe when used incorrectly. That's just what C is. It might be nice to
guide an audit but on its own it doesn't seem too revealing.
I strongly recommend cppcheck instead. It's not perfect, but it is
surprisingly good.
Thanks
_______________________________________________
xorg@lists.x.org: X.Org support
Archives: http://lists.freedesktop.org/archives/xorg
Info: https://lists.x.org/mailman/listinfo/xorg
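The point made above, that a fixed-size array is only a problem when the writes into it are unbounded, can be shown on the very line flawfinder flagged. The following is an added example, not code from the thread or from edid-decode; it assumes (hypothetically) that the flagged `name[4]` holds a three-letter EDID manufacturer (PNP) ID plus a NUL terminator, which is the standard layout of EDID bytes 8 and 9 (three 5-bit letter codes, 1 = 'A' through 26 = 'Z'). The decoder writes exactly three characters and a terminator whatever bytes it is given, so the fixed size is correct by construction; the `copy_bounded` helper shows the length-checked alternative a reviewer would want in place of an unbounded `strcpy` into the same buffer, which is the class of misuse the warning is really about.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example, not edid-decode's own code. Assumes the flagged
 * name[4] buffer holds a 3-letter EDID manufacturer (PNP) ID plus NUL. */
#define PNP_ID_LEN 3

/* Decode the two manufacturer-ID bytes (EDID bytes 8-9) into out, which
 * must hold at least PNP_ID_LEN + 1 bytes. Every write is bounded by the
 * fixed layout, so the fixed-size buffer is safe for any input; a 5-bit
 * code outside 1..26 becomes '?' instead of indexing past the alphabet. */
static char *decode_pnp_id(const uint8_t edid[2], char out[PNP_ID_LEN + 1])
{
    uint16_t raw = (uint16_t)((edid[0] << 8) | edid[1]);
    int codes[PNP_ID_LEN] = { (raw >> 10) & 0x1f, (raw >> 5) & 0x1f, raw & 0x1f };

    for (int i = 0; i < PNP_ID_LEN; i++)
        out[i] = (codes[i] >= 1 && codes[i] <= 26) ? (char)('A' + codes[i] - 1) : '?';
    out[PNP_ID_LEN] = '\0';
    return out;
}

/* The use a reviewer should look for is an unbounded copy of external
 * input into the same fixed buffer. This helper replaces it with a
 * length-checked copy that truncates and reports -1 instead of overflowing. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);

    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;                      /* truncated, caller decides what to do */
    }
    memcpy(dst, src, n + 1);            /* includes the NUL */
    return 0;
}

int main(void)
{
    static char name[4];                       /* the fixed-size buffer flawfinder flags */
    const uint8_t sample[2] = { 0x10, 0xac };  /* constructed sample: decodes to "DEL" */

    printf("manufacturer: %s\n", decode_pnp_id(sample, name));
    if (copy_bounded(name, sizeof name, "TOOLONG") < 0)
        printf("truncated copy: %s\n", name);
    return 0;
}
```

Run under cppcheck or flawfinder, the `static char name[4]` line still draws the same generic CWE-120 note; what actually matters for review is that both functions that write into it carry their bound in the code, which is the check the tool cannot do for you.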