GNU bug report logs - #72251
defect found by covscan in diffutils-3.10 (gnulibs)


Package: diffutils;

Reported by: Wasser Mai <wasser19641 <at> gmail.com>

Date: Tue, 23 Jul 2024 06:39:01 UTC

Severity: normal

Tags: notabug

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Wasser Mai <wasser19641 <at> gmail.com>
To: 72251 <at> debbugs.gnu.org
Subject: bug#72251: defect found by covscan in diffutils-3.10 (gnulibs)
Date: Mon, 22 Jul 2024 19:29:18 +0200
There's the following defect in diffutils-3.10 (gnulib) found by
covscan. The memory dfa->eclosures points to is not initialized. It
looks like a true positive.

Error: UNINIT (CWE-457):
diffutils-3.10/lib/regcomp.c:1134: alloc_fn: Calling "malloc" which
returns uninitialized memory.
diffutils-3.10/lib/regcomp.c:1134: assign: Assigning: "dfa->eclosures"
= "(re_node_set *)malloc(dfa->nodes_alloc * 24UL)", which points to
uninitialized data.
diffutils-3.10/lib/regcomp.c:1177: uninit_use_in_call: Using
uninitialized value "dfa->eclosures->elems" when calling
"calc_inveclosure".
diffutils-3.10/lib/regcomp.c:1177: uninit_use_in_call: Using
uninitialized value "dfa->eclosures->nelem" when calling
"calc_inveclosure".
# 1226|         if (__glibc_unlikely (dfa->inveclosures == NULL))
# 1227|           return REG_ESPACE;
# 1228|->       ret = calc_inveclosure (dfa);
# 1229|       }
# 1230|

Maybe add a loop that iterates through all elements and calls
re_node_set_init_empty to initialize each element, like this?

diff -up diffutils-3.10/lib/regcomp.c.orig diffutils-3.10/lib/regcomp.c
--- diffutils-3.10/lib/regcomp.c.orig   2024-07-22 19:06:27.783986757 +0200
+++ diffutils-3.10/lib/regcomp.c        2024-07-22 19:10:41.303397164 +0200
@@ -1136,6 +1136,10 @@ analyze (regex_t *preg)
                       || dfa->edests == NULL || dfa->eclosures == NULL))
    return REG_ESPACE;

+  // Initialize each element (for example, set them all to an empty node set)
+  for (Idx i = 0; i < dfa->nodes_alloc; ++i) {
+    re_node_set_init_empty(dfa->eclosures + i);
+  }
  dfa->subexp_map = re_malloc (Idx, preg->re_nsub);
  if (dfa->subexp_map != NULL)
    {
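Review bot: The new loop initialises every one of the dfa->nodes_alloc slots, but the trace above jumps straight from the allocation at regcomp.c:1134 to the use at regcomp.c:1177 without showing that nothing in between writes the slots calc_inveclosure reads, and the report is tagged notabug; before adding this loop, check the code path between those two lines for a per-node initialisation of dfa->eclosures, because if one exists the loop only adds a full pass over the array on every analyze() call and the patch should be dropped. If the loop is kept, the `//` comment and the brace on the `for` line do not match the surrounding GNU style in this hunk, which uses `/* ... */` comments and puts braces on their own line (as in `if (dfa->subexp_map != NULL)` followed by `    {`); and if an all-zero re_node_set is a valid empty set, switching the allocation at 1134 to calloc would be a one-line alternative to the loop.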

Thanks!
Wasser
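The CWE-457 pattern from the covscan report, as an added C example that is not diffutils or gnulib code: a cut-down model of re_node_set (alloc, nelem, elems) plus an inverse-closure pass in the shape of calc_inveclosure, which reads nelem and elems of every set handed to it and so needs each of those slots to be a valid empty set beforehand. The allocation mirrors the proposed patch (malloc, then an init loop over every slot). All names (node_set, alloc_sets, calc_inverse, demo_inverse_count) and the sample closures are constructed for illustration and are not the library's API.

```c
#include <stdlib.h>

/* Added example, not gnulib/diffutils code: a cut-down model of
   re_node_set and of an inverse-closure pass like calc_inveclosure. */

typedef long Idx;

typedef struct {
    Idx alloc;   /* capacity of elems */
    Idx nelem;   /* elements in use */
    Idx *elems;  /* heap array of node indices */
} node_set;

/* Same contract as re_node_set_init_empty: the empty set is all zero.
   A slot that is only malloc'd holds garbage here, and reading its
   nelem/elems is the CWE-457 use the report describes. */
static void node_set_init_empty(node_set *s)
{
    s->alloc = 0;
    s->nelem = 0;
    s->elems = NULL;
}

/* Insert elem unless already present; 0 on success, -1 on OOM. */
static int node_set_insert(node_set *s, Idx elem)
{
    for (Idx i = 0; i < s->nelem; ++i)
        if (s->elems[i] == elem)
            return 0;
    if (s->nelem == s->alloc) {
        Idx new_alloc = s->alloc ? 2 * s->alloc : 2;
        Idx *p = realloc(s->elems, (size_t)new_alloc * sizeof *p);
        if (p == NULL)
            return -1;
        s->elems = p;
        s->alloc = new_alloc;
    }
    s->elems[s->nelem++] = elem;
    return 0;
}

/* Allocate nodes_alloc sets the way the proposed patch does: malloc,
   then a loop that turns every slot into a valid empty set. */
static node_set *alloc_sets(Idx nodes_alloc)
{
    node_set *sets = malloc((size_t)nodes_alloc * sizeof *sets);
    if (sets == NULL)
        return NULL;
    for (Idx i = 0; i < nodes_alloc; ++i)
        node_set_init_empty(sets + i);
    return sets;
}

static void free_sets(node_set *sets, Idx nodes_alloc)
{
    if (sets == NULL)
        return;
    for (Idx i = 0; i < nodes_alloc; ++i)
        free(sets[i].elems);
    free(sets);
}

/* Analogue of calc_inveclosure: inv[e] = { n : e is in ecl[n] }.
   It reads nelem and elems of the first n sets, so those n slots
   (not the spare ones up to nodes_alloc) must be initialised. */
static int calc_inverse(const node_set *ecl, node_set *inv, Idx n)
{
    for (Idx node = 0; node < n; ++node)
        for (Idx k = 0; k < ecl[node].nelem; ++k)
            if (node_set_insert(inv + ecl[node].elems[k], node) != 0)
                return -1;
    return 0;
}

/* Constructed sample: 3 nodes in an 8-slot array (nodes_alloc larger
   than the nodes in use) with closures 0->{0,1}, 1->{1}, 2->{2,0}.
   Returns how many nodes' closures contain target, or -1 on failure
   or an out-of-range target: 0 and 1 are reached from 2 nodes each,
   2 only from itself. */
enum { SAMPLE_NODES = 3, SAMPLE_ALLOC = 8 };

static Idx demo_inverse_count(Idx target)
{
    static const Idx edges[][2] = { {0,0}, {0,1}, {1,1}, {2,2}, {2,0} };
    Idx result = -1;
    node_set *ecl = alloc_sets(SAMPLE_ALLOC);
    node_set *inv = alloc_sets(SAMPLE_ALLOC);
    if (ecl == NULL || inv == NULL || target < 0 || target >= SAMPLE_NODES)
        goto done;
    for (size_t i = 0; i < sizeof edges / sizeof edges[0]; ++i)
        if (node_set_insert(ecl + edges[i][0], edges[i][1]) != 0)
            goto done;
    if (calc_inverse(ecl, inv, SAMPLE_NODES) == 0)
        result = inv[target].nelem;
done:
    free_sets(ecl, SAMPLE_ALLOC);
    free_sets(inv, SAMPLE_ALLOC);
    return result;
}
```

alloc_sets over-allocates (8 slots for 3 nodes) the way nodes_alloc can exceed the nodes actually in use, and calc_inverse only ever reads the first SAMPLE_NODES slots; the loop over the whole array is therefore only needed if nothing else initialises the slots in use, which is the question to settle before applying the patch. Because the empty set in this model is all-zero, calloc would replace malloc plus the loop in one call.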



