[bug #66076] [xditview] Unsafe string handling in xditview.c
From: Lukas
Subject: [bug #66076] [xditview] Unsafe string handling in xditview.c
Date: Mon, 12 Aug 2024 07:06:36 -0400 (EDT)
URL:
<https://savannah.gnu.org/bugs/?66076>
Summary: [xditview] Unsafe string handling in xditview.c
Group: GNU roff
Submitter: ljavorsk
Submitted: Mon 12 Aug 2024 11:06:32 AM UTC
Category: Macro package - others/general
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
_______________________________________________________
Follow-up Comments:
-------------------------------------------------------
Date: Mon 12 Aug 2024 11:06:32 AM UTC By: Lukas <ljavorsk>
There is unsafe string handling in the src/devices/xditview/xditview.c
file. Since the "file_name" variable comes from the arguments, it should be
handled safely, because it could be tainted.
These defects were identified by SAST analyzers (a combination of
coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol), and from 98
findings these are a few that I believe are NOT false positives.
Here is the SAST report:
Error: STRING_SIZE (CWE-120):
groff-1.23.0/src/devices/xditview/xditview.c:209: string_size_argv: "argv"
contains strings with unknown size.
groff-1.23.0/src/devices/xditview/xditview.c:260: var_assign_var: Assigning:
"file_name" = "argv[1]". Both are now tainted.
groff-1.23.0/src/devices/xditview/xditview.c:284: string_size: Passing string
"file_name" of unknown size to "NewFile", which expects a string of a
particular size.
# 282| XtGetValues (dvi, pageNumberArgs, 1);
# 283| if (file_name)
# 284|-> NewFile (file_name);
# 285| /* NewFile modifies current_file_name, so do this here. */
# 286| if (app_resources.filename)
Possible remedy:
Commits are in the attachments
Please let me know if you believe these are indeed false positives and why.
Thank you so much for your collaboration.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Name: 0001-Safely-handle-the-name-argument-in-NewFile-func.patch Size: 977B
<https://file.savannah.gnu.org/file/0001-Safely-handle-the-name-argument-in-NewFile-func.patch?file_id=56344>
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?66076>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
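
An added example, not the attached patch and not groff's own code, of the pattern the STRING_SIZE (CWE-120) finding above describes: a string taken from argv copied into a fixed-size buffer, first unbounded and then with a length check that rejects over-long input instead of truncating it. The buffer size, the `current_name` buffer and both function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 1024              /* assumed size, not taken from xditview.c */

static char current_name[NAME_BUF_SIZE]; /* hypothetical fixed-size destination */

/* Flagged pattern: the length of `name` is never compared with the
 * destination size, so an over-long argv string writes past the buffer.
 * Shown for comparison only; main() below never calls it. */
static void set_current_name_unsafe(const char *name)
{
    strcpy(current_name, name);
}

/* Hardened form: returns 0 on success, -1 if `name` is NULL or does not
 * fit (terminator included). The buffer is left untouched on failure, so
 * the caller never ends up with a silently truncated file name. */
static int set_current_name(const char *name)
{
    size_t len;

    if (name == NULL)
        return -1;
    len = strlen(name);                 /* argv strings are NUL-terminated */
    if (len >= sizeof current_name)
        return -1;
    memcpy(current_name, name, len + 1); /* copy the terminator too */
    return 0;
}

int main(int argc, char **argv)
{
    (void)set_current_name_unsafe;      /* referenced only to avoid a warning */
    if (argc < 2) {
        fprintf(stderr, "usage: %s file\n", argv[0]);
        return 2;
    }
    if (set_current_name(argv[1]) != 0) {
        fprintf(stderr, "file name too long (limit %d bytes)\n",
                NAME_BUF_SIZE - 1);
        return 1;
    }
    printf("current file: %s\n", current_name);
    return 0;
}
```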