On 2010-12-20 at 22:27:21 [+0100], Ingo Weinhold <ingo_weinhold@xxxxxx> wrote: > > On 2010-12-20 at 21:23:26 [+0100], Michael Pfeiffer > <michael.w.pfeiffer@xxxxxxxxx> wrote: > > BTW does somebody know what TAINTED_SCALAR means in CID 9093: > > > > 51 int Scanner::GetCh() { > > Event tainted_data_return: Function "fgetc" returning tainted data. > > Event var_assign: Assigning: "ch" = "fgetc", which taints "ch". > > 52 int ch = fgetc(fFile); > > 53 fPrev = fCur; > > 54 if (ch == '\n') { > > 55 fCur.column = 0; > > 56 fCur.line ++; > > 57 } else { > > 58 fCur.column ++; > > 59 } > > Event return_tainted_data: Returning tainted variable "ch". > > 60 return ch; > > 61 } > > > > Doesn't fgetc return an int value? > > It does, but the return value can also be EOF (-1). If you look at the two > reported errors, you'll see that the tool is right: > > Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data. > [details] > Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c". > 126 c = GetCh(); > Event tainted_data: Using tainted variable "(int)c" as an index to pointer > "__ctype_b". > 127 } while(isdigit(c) || c == '.'); accessing __ctype_b[] with negative indices between -127 and 0 should be supported by our implementation, as the __ctype_b pointer has been crafted to point at the "middle" of an array. I guess Coverity has not much chance of finding our that accessing __ctype_b with certain negative indices is fine, but I'll have a look at these issues later today. > > and: > > Event tainted_data_return: Function "Scanner::GetCh()" returns tainted data. > [details] > Event var_assign: Assigning: "c" = "Scanner::GetCh()", which taints "c". > 122 int c = GetCh(); > Event tainted_data: Using tainted variable "(int)c" as an index to pointer > "__ctype_b". > 123 if (isdigit(c) || c == '.') { > > The specs don't say whether isdigit() should accept negative values (one > could argue that negative values aren't characters and thus aren't valid > arguments). Apparently our implementation doesn't. IIRC, the specs mention that EOF is a legal argument to all the ctype functions/macros. So at least that value has to be supported. cheers, Oliver