https://bugs.winehq.org/show_bug.cgi?id=37129
Bug ID: 37129
Summary: Clang Static Analyzer: Buffer overflow
Product: Wine
Version: 1.7.22
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: lukebenes@hotmail.com
Clang Static Analyzer identifies a possible buffer overflow
File: tools/widl/typegen.c
Location: line 1158, column 28
Description: String copy function overflows destination buffer
    static unsigned int write_new_procformatstring_type(...)
    {
        char buffer[64];
        ...
        strcpy( buffer, "/* flags:" );
        if (flags & MustSize) strcat( buffer, " must size," );
        if (flags & MustFree) strcat( buffer, " must free," );
        if (flags & IsPipe) strcat( buffer, " pipe," );
        if (flags & IsIn) strcat( buffer, " in," );
        if (flags & IsOut) strcat( buffer, " out," );
        if (flags & IsReturn) strcat( buffer, " return," );
        if (flags & IsBasetype) strcat( buffer, " base type," );
        if (flags & IsByValue) strcat( buffer, " by value," );
        if (flags & IsSimpleRef) strcat( buffer, " simple ref," );
        ...
    }
Even if not all the conditions are true, you still risk getting a too lengthy string that won't suit the buffer.
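The reporter's concern can be checked arithmetically and the copy chain rewritten so that a too-long result is detected instead of written past the buffer. The C below is an added example written for this page, not Wine's code: the flag bit values and ALL_FLAGS are constructed assumptions (widl's real definitions are in tools/widl/typegen.c), while the prefix and suffix literals are the ones from the snippet above. It computes the worst-case length of the comment, and replaces strcpy/strcat with a bounded append that reports the length the full string would need, so a caller can detect truncation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag bits are constructed for this example; widl's real definitions live in
 * tools/widl/typegen.c. The text for each flag is taken from the report. */
enum {
    MustSize    = 1 << 0,
    MustFree    = 1 << 1,
    IsPipe      = 1 << 2,
    IsIn        = 1 << 3,
    IsOut       = 1 << 4,
    IsReturn    = 1 << 5,
    IsBasetype  = 1 << 6,
    IsByValue   = 1 << 7,
    IsSimpleRef = 1 << 8,
    ALL_FLAGS   = (1 << 9) - 1
};

static const struct { unsigned int bit; const char *text; } flag_names[] = {
    { MustSize,    " must size,"  },
    { MustFree,    " must free,"  },
    { IsPipe,      " pipe,"       },
    { IsIn,        " in,"         },
    { IsOut,       " out,"        },
    { IsReturn,    " return,"     },
    { IsBasetype,  " base type,"  },
    { IsByValue,   " by value,"   },
    { IsSimpleRef, " simple ref," },
};
#define PREFIX "/* flags:"
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Longest string the original strcpy/strcat chain can produce (every flag set),
 * not counting the terminating NUL: the bound a fixed buffer has to cover. */
size_t flags_comment_max_len(void)
{
    size_t n = strlen(PREFIX);
    for (size_t i = 0; i < ARRAY_SIZE(flag_names); i++)
        n += strlen(flag_names[i].text);
    return n;
}

/* 1 if a buffer of 'bufsize' bytes can hold the worst case plus its NUL. */
int flags_comment_fits(size_t bufsize)
{
    return flags_comment_max_len() + 1 <= bufsize;
}

/* Append 's' at logical offset 'len' without writing past 'size' bytes.
 * snprintf NUL-terminates whenever size is non-zero, so the buffer stays a
 * valid C string once it is full. Returns the new logical length. */
static size_t append(char *buf, size_t size, size_t len, const char *s)
{
    if (len < size)
        snprintf(buf + len, size - len, "%s", s);
    return len + strlen(s);
}

/* Bounded replacement for the strcpy/strcat chain. Returns the length the full
 * comment needs; a result >= size means the output was truncated, which the
 * caller can turn into an assertion or a larger allocation rather than a
 * silent out-of-bounds write. With size 0 (buf may be NULL) it only measures. */
size_t format_flags_comment(char *buf, size_t size, unsigned int flags)
{
    size_t len = append(buf, size, 0, PREFIX);
    for (size_t i = 0; i < ARRAY_SIZE(flag_names); i++)
        if (flags & flag_names[i].bit)
            len = append(buf, size, len, flag_names[i].text);
    return len;
}

/* Helpers that reproduce the report's 64-byte buffer and report what ended up
 * in it, so the truncation behaviour can be checked without undefined behaviour. */
size_t written_len_64(unsigned int flags)
{
    char buffer[64];
    format_flags_comment(buffer, sizeof buffer, flags);
    return strlen(buffer);
}

int written_equals_64(unsigned int flags, const char *expected)
{
    char buffer[64];
    format_flags_comment(buffer, sizeof buffer, flags);
    return strcmp(buffer, expected) == 0;
}

int main(void)
{
    char buffer[64];
    size_t need = format_flags_comment(buffer, sizeof buffer, ALL_FLAGS);
    printf("worst case needs %zu bytes incl. NUL; buffer[64] fits: %s\n",
           flags_comment_max_len() + 1, flags_comment_fits(64) ? "yes" : "no");
    printf("all flags: needed %zu, stored %zu -> \"%s\"\n",
           need, strlen(buffer), buffer);
    return 0;
}
```

With every flag set the literals from the report add up to 87 characters, 88 with the NUL, so the 64-byte buffer is short by 24 bytes; the bounded builder caps the write at 63 characters and returns 87 so the caller can tell the result was cut.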
Nikolay Sivov bunglehead@gmail.com changed:
What          |Removed      |Added
------------------------------------------
Component     |-unknown     |tools
Sebastian Lackner sebastian@fds-team.de changed:
What          |Removed      |Added
----------------------------------------------------------------------
Fixed by SHA1 |             |abf4d5910fc69fe193e541aa0163dc76eb5a9def
Status        |UNCONFIRMED  |RESOLVED
CC            |             |sebastian@fds-team.de
Resolution    |---          |FIXED

--- Comment #1 from Sebastian Lackner sebastian@fds-team.de ---
This should be fixed by http://source.winehq.org/git/wine.git/commit/abf4d5910fc69fe193e541aa0163dc7...
Alexandre Julliard julliard@winehq.org changed:
What          |Removed      |Added
------------------------------------------
Status        |RESOLVED     |CLOSED

--- Comment #2 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 1.7.48.