some potential security issue for edid-decode

Seth Arnold seth.arnold at canonical.com
Thu Sep 29 23:08:20 UTC 2016


On Thu, Sep 29, 2016 at 09:14:52AM -0700, Alan Coopersmith wrote:
> On 09/29/16 07:48 AM, shirish शिरीष wrote:
> >Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
> >Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
> >./JSON/i-nex-edid.c:137:  [2] (buffer) char:
> >  Statically-sized arrays can be improperly restricted, leading to potential
> >  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
> >  functions that limit length, or ensure that the size is larger than the
> >  maximum possible length.
> >    static char name[4];
[...]

If all this tool is doing is reporting static allocations and C functions
that can be misused, it doesn't seem particularly useful. Static array
allocations are a fact of programming in C, and very nearly every API is
unsafe when used incorrectly. That's just what C is. It might be nice to
guide an audit, but on its own it doesn't seem too revealing.

I strongly recommend cppcheck instead. It's not perfect, but it is
surprisingly good.

Thanks
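As an added illustration of the point under discussion (this is not code from edid-decode, i-nex, or anyone in this thread): a fixed-size array like the flagged `name[4]` is only a problem if something writes past it, so the useful check is whether every write is bounded by construction. Assuming, as a hypothetical, that the buffer holds the three-letter EDID manufacturer ID packed into header bytes 8-9, this decoder fills it with exactly three letters plus a NUL and rejects malformed IDs instead of trusting the input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EDID packs the manufacturer ID into two big-endian bytes: bit 15 is
 * reserved (must be 0) and bits 14-10, 9-5, 4-0 each hold one letter
 * encoded as 1 = 'A' ... 26 = 'Z'. Three letters plus a terminating NUL
 * fit exactly into a 4-byte buffer, so every store below is bounded. */
#define MFG_ID_LEN 4

/* Decode the two ID bytes into out (at least MFG_ID_LEN bytes).
 * Any field that is not a valid letter is written as '?' and the function
 * returns false; out is always NUL-terminated. */
bool decode_manufacturer_id(const unsigned char id[2], char out[MFG_ID_LEN])
{
    unsigned int packed = ((unsigned int)id[0] << 8) | id[1];
    bool ok = (packed & 0x8000u) == 0;          /* reserved bit must be clear */

    for (size_t i = 0; i < 3; i++) {
        /* field i sits at bits 14-10, 9-5 and 4-0 respectively */
        unsigned int v = (packed >> (10 - 5 * i)) & 0x1fu;
        if (v < 1 || v > 26) {
            ok = false;
            out[i] = '?';
        } else {
            out[i] = (char)('A' + v - 1);
        }
    }
    out[3] = '\0';                               /* last byte of the buffer */
    return ok;
}

/* Helper for self-checking: decode a constructed byte pair and compare. */
bool id_decodes_to(unsigned char b0, unsigned char b1, const char *expect)
{
    const unsigned char id[2] = { b0, b1 };
    char name[MFG_ID_LEN];
    bool ok = decode_manufacturer_id(id, name);
    return strcmp(name, expect) == 0 && ok == (strchr(expect, '?') == NULL);
}

int main(void)
{
    /* Constructed samples: a Dell-style ID and one with the reserved bit set. */
    const unsigned char dell[2] = { 0x10, 0xAC };
    const unsigned char bad[2]  = { 0x80, 0x00 };
    static char name[MFG_ID_LEN];                /* same shape as the flagged array */

    if (decode_manufacturer_id(dell, name))
        printf("manufacturer: %s\n", name);      /* DEL */
    if (!decode_manufacturer_id(bad, name))
        printf("invalid ID, decoded as %s\n", name); /* ??? */
    return 0;
}
```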