[haiku-development] Re: New Coverity scan results online: r39894 nightly-raw gcc4 build

  • From: Oliver Tappe <zooey@xxxxxxxxxxxxxxx>
  • To: haiku-development@xxxxxxxxxxxxx
  • Date: Tue, 21 Dec 2010 16:25:13 +0100

On 2010-12-20 at 22:27:21 [+0100], Ingo Weinhold <ingo_weinhold@xxxxxx> wrote:
> 
> On 2010-12-20 at 21:23:26 [+0100], Michael Pfeiffer
> <michael.w.pfeiffer@xxxxxxxxx> wrote:
> > BTW does somebody know what TAINTED_SCALAR means in CID 9093:
> > 
> > 51       int Scanner::GetCh() {
> > Event tainted_data_return: Function "fgetc" returning tainted data.
> > Event var_assign: Assigning: "ch" = "fgetc", which taints "ch".
> > 52           int ch = fgetc(fFile);
> > 53           fPrev = fCur;
> > 54           if (ch == '\n') {
> > 55               fCur.column = 0;
> > 56               fCur.line ++;
> > 57           } else {
> > 58               fCur.column ++;
> > 59        }
> > Event return_tainted_data: Returning tainted variable "ch".
> > 60           return ch;
> > 61       }
> > 
> > Doesn't fgetc return an int value?
> 
> It does, but the return value can also be EOF (-1). If you look at the two
> reported errors, you'll see that the tool is right:
> 
> Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data.
> [details]
> Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c".
> 126                  c = GetCh();
> Event tainted_data: Using tainted variable "(int)c" as an index to pointer
> "__ctype_b".
> 127              } while(isdigit(c) || c == '.');    

accessing __ctype_b[] with negative indices between -127 and 0 should be 
supported by our implementation, as the __ctype_b pointer has been crafted to 
point at the "middle" of an array. 
I guess Coverity has not much chance of finding our that accessing __ctype_b 
with certain negative indices is fine, but I'll have a look at these issues 
later today.

> 
> and:
> 
> Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data.
> [details]
> Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c".
> 122          int c = GetCh();
> Event tainted_data: Using tainted variable "(int)c" as an index to pointer
> "__ctype_b".
> 123          if (isdigit(c) || c == '.') {
> 
> The specs don't say whether isdigit() should accept negative values (one
> could argue that negative values aren't characters and thus aren't valid
> arguments). Apparently our implementation doesn't.

IIRC, the specs mention that EOF is a legal argument to all the ctype 
functions/macros. So at least that value has to be supported.

cheers,
        Oliver

Other related posts:

  1. Home
  2. haiku-development
  3. Archive
  4. 12-2010