[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Octave-bug-tracker] [bug #55437] Files in editor are reported as modifi
|
From: |
Markus Mützel |
|
Subject: |
[Octave-bug-tracker] [bug #55437] Files in editor are reported as modified while heavily parsing date strings with datenum() |
|
Date: |
Thu, 20 May 2021 11:10:06 -0400 (EDT) |
|
User-agent: |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.62 |
Follow-up Comment #8, bug #55437 (project octave):
GitHub CodeQL generated the following reports that might be related to this
issue:
https://github.com/gnu-octave/octave/security/code-scanning
Use of potentially dangerous function
liboctave/system/oct-time.cc#L278 • Detected 17 days ago by CodeQL
Use of potentially dangerous function
liboctave/system/oct-time.cc#L288 • Detected 17 days ago by CodeQL
Use of potentially dangerous function
libinterp/corefcn/__ftp__.cc#L176 • Detected 17 days ago by CodeQL
The reports contain the following details:
> This rule finds calls to functions that are dangerous to use. Currently, it
checks for calls to gmtime, localtime, ctime and asctime.
>
> The time related functions such as gmtime fill data into a tm struct or char
array in shared memory and then returns a pointer to that memory. If the
function is called from multiple places in the same program, and especially if
it is called from multiple threads in the same program, then the calls will
overwrite each other's data.
>
> = Recommendation =
> Replace calls to gmtime with gmtime_r. With gmtime_r, the application code
manages allocation of the tm struct. That way, separate calls to the function
can use their own storage.
>
> Similarly replace calls to localtime with localtime_r, calls to ctime with
ctime_r and calls to asctime with asctime_r.
>
> = Example =
> The following example checks the local time in two ways:
// BAD: using gmtime
int is_morning_bad() {
const time_t now_seconds = time(NULL);
struct tm *now = gmtime(&now_seconds);
return (now->tm_hour < 12);
}
// GOOD: using gmtime_r
int is_morning_good() {
const time_t now_seconds = time(NULL);
struct tm now;
gmtime_r(&now_seconds, &now);
return (now.tm_hour < 12);
}
> The first version uses gmtime, so it is vulnerable to its data being
overwritten by another thread. Even if this code is not used in a
multi-threaded context right now, future changes may make the program
multi-threaded. The second version of the code uses gmtime_r. Since it
allocates a new tm struct on every call, it is immune to other calls to gmtime
or gmtime_r.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?55437>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
- [Octave-bug-tracker] [bug #55437] Files in editor are reported as modified while heavily parsing date strings with datenum(),
Markus Mützel <=