Our website uses cookies to enhance your browsing experience.
Your message has been sent. We will email you at
If you haven't received our response, please do the following:
check your Spam/Junk folder and click the
"Not Spam" button for our message.
This way, you won't miss messages from our team in the future.
We decided to search and fix potential vulnerabilities in various projects. You can call this as you wish - some kind of help to open source projects; a method of promotion or testing of the analyzer. Another way to see it as a way to attract attention to the reliability and quality of the code. In fact, the way to name these posts does not really matter - we just like doing it. This is our little hobby. So, let us have a look at our findings in the code of various projects this week - we had some time to make fixes and suggest looking at them.
PVS-Studio is a tool that detects a large number of types of vulnerabilities and errors in the code. It performs static analysis and points to code fragments that are likely to contain errors. The best effect is achieved when the static analysis is performed regularly. Ideologically, the analyzer warnings are similar to the compiler warnings. However, unlike compilers, PVS-Studio can perform deeper and more versatile code analysis. This enables it to detect errors, even in compilers: GCC; LLVM 1, 2, 3; Roslyn.
The tool supports the analysis of C, C++ and C#; works under Windows and Linux. The analyzer can be integrated as a Visual Studio plug-in.
We suggest the following materials for further investigation of the tool:
In this section we show those defects that fall under the CWE classification and are potential vulnerabilities in their core. Of course, not all weaknesses are really threatening for a project, but we wanted to show that our tool is able to detect them.
1. CryEngine V. CWE-806 (Buffer Access Using Size of Source Buffer)
V512 A call of the 'memcpy' function will lead to underflow of the buffer 'hashableData'. GeomCacheRenderNode.cpp 285
void CGeomCacheRenderNode::Render(....)
{
....
CREGeomCache* pCREGeomCache = iter->second.m_pRenderElement;
....
uint8 hashableData[] =
{
0, 0, 0, 0, 0, 0, 0, 0,
(uint8)std::distance(pCREGeomCache->....->begin(), &meshData),
(uint8)std::distance(meshData....->....begin(), &chunk),
(uint8)std::distance(meshData.m_instances.begin(), &instance)
};
memcpy(hashableData,pCREGeomCache,sizeof(pCREGeomCache)); // <=
....
}2. CryEngine V. CWE-467 (Use of sizeof() on a Pointer Type)
V568 It's odd that 'sizeof()' operator evaluates the size of a pointer to a class, but not the size of the 'this' class object. ClipVolumeManager.cpp 145
void
CClipVolumeManager::GetMemoryUsage(class ICrySizer* pSizer) const
{
pSizer->AddObject(this, sizeof(this));
for (size_t i = 0; i < m_ClipVolumes.size(); ++i)
pSizer->AddObject(m_ClipVolumes[i].m_pVolume);
}3. CryEngine V. CWE-571 (Expression is Always True)
V501 There are identical sub-expressions to the left and to the right of the '==' operator: bActive == bActive LightEntity.h 124
void SetActive(bool bActive)
{
if (bActive == bActive)
return;
m_bActive = bActive;
OnResetState();
}4. CryEngine V. CWE-476 (NULL Pointer Dereference)
V595 The 'pTrack' pointer was utilized before it was verified against nullptr. Check lines: 60, 61. AudioNode.cpp 60
void CAudioNode::Animate(SAnimContext& animContext)
{
....
const bool bMuted = gEnv->IsEditor() && (pTrack->GetFlags() &
IAnimTrack::eAnimTrackFlags_Muted);
if (!pTrack || pTrack->GetNumKeys() == 0 ||
pTrack->GetFlags() & IAnimTrack::eAnimTrackFlags_Disabled)
{
continue;
}
....
}5. CryEngine V. CWE-688 (Function Call With Incorrect Variable or Reference as Argument)
V549 The first argument of 'memcpy' function is equal to the second argument. ObjectsTree_Serialize.cpp 1135
void COctreeNode::LoadSingleObject(....)
{
....
float* pAuxDataDst = pObj->GetAuxSerializationDataPtr(....);
const float* pAuxDataSrc = StepData<float>(....);
memcpy(pAuxDataDst, pAuxDataDst, min(....) * sizeof(float));
....
}6. LLVM. CWE-476 (NULL Pointer Dereference)
V595 The 'DIExpr' pointer was utilized before it was verified against nullptr. Check lines: 949, 950. codeviewdebug.cpp 949
void CodeViewDebug::collectVariableInfo(const DISubprogram *SP) {
....
const DIExpression *DIExpr = DVInst->getDebugExpression();
bool IsSubfield = false;
unsigned StructOffset = 0;
// Handle fragments.
auto Fragment = DIExpr->getFragmentInfo(); // <=
if (DIExpr && Fragment) { // <=
IsSubfield = true;
StructOffset = Fragment->OffsetInBits / 8;
} else if (DIExpr && DIExpr->getNumElements() > 0) {
continue; // Ignore unrecognized exprs.
}
....
}Bug Report: https://bugs.llvm.org/show_bug.cgi?id=32430
7. LLVM. CWE-476 (NULL Pointer Dereference)
V595 The 'Initializer' pointer was utilized before it was verified against nullptr. Check lines: 335, 338. semaoverload.cpp 335
NarrowingKind
StandardConversionSequence::getNarrowingKind(....) const {
....
const Expr *Initializer = IgnoreNarrowingConversion(Converted);
if (Initializer->isValueDependent()) // <=
return NK_Dependent_Narrowing;
if (Initializer && // <=
Initializer->isIntegerConstantExpr(IntConstantValue, Ctx)){
....
}Bug Report: https://bugs.llvm.org/show_bug.cgi?id=32447
8. RPCS3. CWE-570 (Expression is Always False)
V547 Expression 'sock < 0' is always false. Unsigned type value is never < 0. sys_net.cpp 695
#ifdef _WIN32
using socket_t = SOCKET;
#else
using socket_t = int;
#endif
s32 socket(s32 family, s32 type, s32 protocol)
{
....
socket_t sock = ::socket(family, type, protocol);
if (sock < 0)
{
libnet.error("socket()....", get_errno() = get_last_error());
return -1;
}
....
}Pull Request: https://github.com/RPCS3/rpcs3/pull/2543
1. CoreCLR
V778 Two similar code fragments were found. Perhaps, this is a typo and 'IMAGE_LOADED_FOR_INTROSPECTION' variable should be used instead of 'IMAGE_LOADED'. cee_dac peimage.cpp 811
void PEImage::EnumMemoryRegions(CLRDataEnumMemoryFlags flags)
{
....
if (m_pLayouts[IMAGE_LOADED].IsValid() &&
m_pLayouts[IMAGE_LOADED]!=NULL)
m_pLayouts[IMAGE_LOADED]->EnumMemoryRegions(flags);
if (m_pLayouts[IMAGE_LOADED_FOR_INTROSPECTION].IsValid() &&
m_pLayouts[IMAGE_LOADED]!=NULL) // <=
m_pLayouts[IMAGE_LOADED_FOR_INTROSPECTION]->
EnumMemoryRegions(flags);
}Pull Request: https://github.com/dotnet/coreclr/pull/10450
2. CoreCLR
V778 Two similar code fragments were found. Perhaps, this is a typo and 'weight2' variable should be used instead of 'weight1'. clrjit lclvars.cpp 2702
int __cdecl Compiler::RefCntCmp(const void* op1, const void* op2)
{
....
if (weight1)
{
....
if (varTypeIsGC(dsc1->TypeGet()))
{
weight1 += BB_UNITY_WEIGHT / 2;
}
if (dsc1->lvRegister)
{
weight1 += BB_UNITY_WEIGHT / 2;
}
}
if (weight1)
{
....
if (varTypeIsGC(dsc2->TypeGet()))
{
weight1 += BB_UNITY_WEIGHT / 2; // <=
}
if (dsc2->lvRegister)
{
weight2 += BB_UNITY_WEIGHT / 2;
}
}
....
}Pull Request: https://github.com/dotnet/coreclr/pull/10450
3. CoreCLR
V778 Two similar code fragments were found. Perhaps, this is a typo and 'g_szBuf_ProperName' variable should be used instead of 'g_szBuf_UnquotedProperName'. ildasm dasm.cpp 486
void Uninit()
{
....
if (g_szBuf_UnquotedProperName != NULL)
{
SDELETE(g_szBuf_UnquotedProperName);
}
if (g_szBuf_UnquotedProperName != NULL) // <=
{
SDELETE(g_szBuf_ProperName);
}
....
}Pull Request: https://github.com/dotnet/coreclr/pull/10450
4. LLVM
V778 Two similar code fragments were found. Perhaps, this is a typo and 'FS' variable should be used instead of 'TS'. hexagonearlyifconv.cpp 549
bool HexagonEarlyIfConversion::isProfitable(....) const
{
....
unsigned TS = 0, FS = 0, Spare = 0;
if (FP.TrueB) {
TS = std::distance(FP.TrueB->begin(),
FP.TrueB->getFirstTerminator());
if (TS < HEXAGON_PACKET_SIZE)
Spare += HEXAGON_PACKET_SIZE-TS; // <=
}
if (FP.FalseB) {
FS = std::distance(FP.FalseB->begin(),
FP.FalseB->getFirstTerminator());
if (FS < HEXAGON_PACKET_SIZE)
Spare += HEXAGON_PACKET_SIZE-TS; // <=
}
unsigned TotalIn = TS+FS;
....
}Bug Report: https://bugs.llvm.org/show_bug.cgi?id=32480
We suggest downloading PVS-Studio analyzer and trying to check your project:
To remove the restrictions of a demo version, you can contact us and we will provide a temporary license key for you.
For a quick introduction to the analyzer, you can use the tools, tracking the runs of the compiler and collect all the necessary information for the analysis. See the description of the utilities CLMonitoring and pvs-studio-analyzer. If you are working with a classic type of project in Visual Studio, everything is much simpler: you should just choose in PVS-Studio menu a command "Check Solution".
0
0
0
0