On 2010-12-20 at 21:23:26 [+0100], Michael Pfeiffer <michael.w.pfeiffer@xxxxxxxxx> wrote:
> BTW does somebody know what TAINTED_SCALAR means in CID 9093:
>
> 51 int Scanner::GetCh() {
> Event tainted_data_return: Function "fgetc" returning tainted data.
> Event var_assign: Assigning: "ch" = "fgetc", which taints "ch".
> 52 int ch = fgetc(fFile);
> 53 fPrev = fCur;
> 54 if (ch == '\n') {
> 55 fCur.column = 0;
> 56 fCur.line ++;
> 57 } else {
> 58 fCur.column ++;
> 59 }
> Event return_tainted_data: Returning tainted variable "ch".
> 60 return ch;
> 61 }
>
> Doesn't fgetc return an int value?

It does, but the return value can also be EOF (-1). If you look at the two reported errors, you'll see that the tool is right:

Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data. [details]
Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c".
126 c = GetCh();
Event tainted_data: Using tainted variable "(int)c" as an index to pointer "__ctype_b".
127 } while(isdigit(c) || c == '.');

and:

Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data. [details]
Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c".
122 int c = GetCh();
Event tainted_data: Using tainted variable "(int)c" as an index to pointer "__ctype_b".
123 if (isdigit(c) || c == '.') {

The specs don't say whether isdigit() should accept negative values (one could argue that negative values aren't characters and thus aren't valid arguments). Apparently our implementation doesn't.

CU, Ingo
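
One way to clear the TAINTED_SCALAR finding discussed above, as an added example that is not part of the original message or the project's code: range-check the value read by fgetc() before it reaches isdigit(), so neither EOF nor any other out-of-range int is used as a table index. The names safe_isdigit, scan_number_len and scan_sample are hypothetical, and the input strings are constructed samples.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper: only values in 0..UCHAR_MAX reach the ctype lookup.
 * EOF (negative) and anything larger are rejected first, so the index
 * into the classification table is always bounded. */
static int safe_isdigit(int c)
{
    if (c < 0 || c > UCHAR_MAX)
        return 0;
    return isdigit(c) != 0;
}

/* Hypothetical scanner step modelled on the loop in the report:
 * consume digits and '.' from the stream and return how many were read. */
static int scan_number_len(FILE *f)
{
    int len = 0;
    int c;
    while ((c = fgetc(f)) != EOF && (safe_isdigit(c) || c == '.'))
        len++;
    if (c != EOF)
        ungetc(c, f);   /* leave the terminator for the next token */
    return len;
}

/* Constructed sample input, written to a temporary file so this runs offline. */
static int scan_sample(const char *text)
{
    FILE *f = tmpfile();
    int len;
    if (f == NULL)
        return -1;
    fputs(text, f);
    rewind(f);
    len = scan_number_len(f);
    fclose(f);
    return len;
}

int main(void)
{
    printf("number length in \"3.14 abc\": %d\n", scan_sample("3.14 abc"));
    printf("safe_isdigit(EOF): %d\n", safe_isdigit(EOF));
    return 0;
}
```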