The following issues were found
stable-qsort.c
5 issues
Line: 31
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (n1 > 0 && n2 > 0) {
if (cmp(b1, b2) <= 0) {
memcpy(tmp, b1, s);
tmp += s;
b1 += s;
--n1;
} else {
memcpy(tmp, b2, s);
Reported by FlawFinder.
Line: 36
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b1 += s;
--n1;
} else {
memcpy(tmp, b2, s);
tmp += s;
b2 += s;
--n2;
}
}
Reported by FlawFinder.
Line: 43
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
if (n1 > 0)
memcpy(tmp, b1, n1 * s);
memcpy(b, t, (n - n2) * s);
}
void git_stable_qsort(void *b, size_t n, size_t s,
int (*cmp)(const void *, const void *))
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (n1 > 0)
memcpy(tmp, b1, n1 * s);
memcpy(b, t, (n - n2) * s);
}
void git_stable_qsort(void *b, size_t n, size_t s,
int (*cmp)(const void *, const void *))
{
Reported by FlawFinder.
Line: 51
Column: 2
CWE codes:
119
120
Suggestion:
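Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt buf is handed to msort_with_tmp() only when size < sizeof(buf), where size is st_mult(n, s) (git's overflow-checked multiply); the else branch for larger inputs is cut off.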
int (*cmp)(const void *, const void *))
{
const size_t size = st_mult(n, s);
char buf[1024];
if (size < sizeof(buf)) {
/* The temporary array fits on the small on-stack buffer. */
msort_with_tmp(b, n, s, cmp, buf);
} else {
Reported by FlawFinder.
trace2/tr2_sid.c
5 issues
Line: 76
Column: 15
CWE codes:
807
20
Suggestion:
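Check environment variables carefully before using them. In this excerpt the value of TR2_ENVVAR_PARENT_SID is tested only for being non-empty and then scanned for '/' characters to count parents; what else is done with the string is outside the excerpt.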
if (tr2sid_buf.len)
return;
parent_sid = getenv(TR2_ENVVAR_PARENT_SID);
if (parent_sid && *parent_sid) {
const char *p;
for (p = parent_sid; *p; p++)
if (*p == '/')
tr2sid_nr_git_parents++;
Reported by FlawFinder.
Line: 35
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct tr2_tbuf tb_now;
git_hash_ctx ctx;
pid_t pid = getpid();
unsigned char hash[GIT_MAX_RAWSZ + 1];
char hex[GIT_MAX_HEXSZ + 1];
char hostname[HOST_NAME_MAX + 1];
tr2_tbuf_utc_datetime(&tb_now);
strbuf_addstr(&tr2sid_buf, tb_now.buf);
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
git_hash_ctx ctx;
pid_t pid = getpid();
unsigned char hash[GIT_MAX_RAWSZ + 1];
char hex[GIT_MAX_HEXSZ + 1];
char hostname[HOST_NAME_MAX + 1];
tr2_tbuf_utc_datetime(&tb_now);
strbuf_addstr(&tr2sid_buf, tb_now.buf);
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
pid_t pid = getpid();
unsigned char hash[GIT_MAX_RAWSZ + 1];
char hex[GIT_MAX_HEXSZ + 1];
char hostname[HOST_NAME_MAX + 1];
tr2_tbuf_utc_datetime(&tb_now);
strbuf_addstr(&tr2sid_buf, tb_now.buf);
strbuf_addch(&tr2sid_buf, '-');
Reported by FlawFinder.
Line: 47
Column: 35
CWE codes:
126
strbuf_add(&tr2sid_buf, "Localhost", 9);
else {
algo->init_fn(&ctx);
algo->update_fn(&ctx, hostname, strlen(hostname));
algo->final_fn(hash, &ctx);
hash_to_hex_algop_r(hex, hash, algo);
strbuf_addch(&tr2sid_buf, 'H');
strbuf_add(&tr2sid_buf, hex, 8);
}
Reported by FlawFinder.
builtin/show-ref.c
5 issues
Line: 108
Column: 2
CWE codes:
119
120
Suggestion:
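Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt buf is filled by fgets(buf, sizeof(buf), stdin), which bounds the write and NUL-terminates; an input line longer than the buffer is returned in pieces, so the loop handles each piece as if it were a separate line.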
static int exclude_existing(const char *match)
{
static struct string_list existing_refs = STRING_LIST_INIT_DUP;
char buf[1024];
int matchlen = match ? strlen(match) : 0;
for_each_ref(add_existing, &existing_refs);
while (fgets(buf, sizeof(buf), stdin)) {
char *ref;
Reported by FlawFinder.
Line: 64
Column: 16
CWE codes:
126
return 0;
}
if (pattern) {
int reflen = strlen(refname);
const char **p = pattern, *m;
while ((m = *p++) != NULL) {
int len = strlen(m);
if (len > reflen)
continue;
Reported by FlawFinder.
Line: 67
Column: 14
CWE codes:
126
int reflen = strlen(refname);
const char **p = pattern, *m;
while ((m = *p++) != NULL) {
int len = strlen(m);
if (len > reflen)
continue;
if (memcmp(m, refname + reflen - len, len))
continue;
if (len == reflen)
Reported by FlawFinder.
Line: 109
Column: 25
CWE codes:
126
{
static struct string_list existing_refs = STRING_LIST_INIT_DUP;
char buf[1024];
int matchlen = match ? strlen(match) : 0;
for_each_ref(add_existing, &existing_refs);
while (fgets(buf, sizeof(buf), stdin)) {
char *ref;
int len = strlen(buf);
Reported by FlawFinder.
Line: 114
Column: 13
CWE codes:
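126
Note: strlen() is flagged under CWE-126 (buffer over-read) because it reads past the array if the string is not NUL-terminated. In this excerpt buf has just been filled by a successful fgets(buf, sizeof(buf), stdin), which always terminates the string.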
for_each_ref(add_existing, &existing_refs);
while (fgets(buf, sizeof(buf), stdin)) {
char *ref;
int len = strlen(buf);
if (len > 0 && buf[len - 1] == '\n')
buf[--len] = '\0';
if (3 <= len && !strcmp(buf + len - 3, "^{}")) {
len -= 3;
Reported by FlawFinder.
t/helper/test-simple-ipc.c
5 issues
Line: 309
Column: 2
CWE codes:
119
120
Suggestion:
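Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt GetModuleFileNameA() is passed MAX_PATH, the declared size of test_tool_exe, so the write is bounded; its return value, which is what signals failure or a truncated path, is not checked in the lines shown.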
*/
static int spawn_server(pid_t *pid)
{
char test_tool_exe[MAX_PATH];
struct strvec args = STRVEC_INIT;
int in, out;
GetModuleFileNameA(NULL, test_tool_exe, MAX_PATH);
Reported by FlawFinder.
Line: 315
Column: 7
CWE codes:
362
GetModuleFileNameA(NULL, test_tool_exe, MAX_PATH);
in = open("/dev/null", O_RDONLY);
out = open("/dev/null", O_WRONLY);
strvec_push(&args, test_tool_exe);
strvec_push(&args, "simple-ipc");
strvec_push(&args, "run-daemon");
Reported by FlawFinder.
Line: 316
Column: 8
CWE codes:
362
GetModuleFileNameA(NULL, test_tool_exe, MAX_PATH);
in = open("/dev/null", O_RDONLY);
out = open("/dev/null", O_WRONLY);
strvec_push(&args, test_tool_exe);
strvec_push(&args, "simple-ipc");
strvec_push(&args, "run-daemon");
strvec_pushf(&args, "--name=%s", cl_args.path);
Reported by FlawFinder.
Line: 127
Column: 17
CWE codes:
126
int ret;
if (skip_prefix(received, "sendbytes ", &p))
len_ballast = strlen(p);
/*
* Verify that the ballast is n copies of a single letter.
* And that the multi-threaded IO layer didn't cross the streams.
*/
Reported by FlawFinder.
Line: 198
Column: 39
CWE codes:
126
if (!strcmp(command, "ping")) {
const char *answer = "pong";
return reply_cb(reply_data, answer, strlen(answer));
}
if (!strcmp(command, "big"))
return app__big_command(reply_cb, reply_data);
Reported by FlawFinder.
log-tree.c
5 issues
Line: 980
CWE codes:
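562
Note: CWE-562 is returning or leaking the address of a stack variable. The excerpt stores &log in opt->loginfo and then returns early through line_log_print() without resetting that pointer in the lines shown; the declaration of log and the rest of the function are outside the excerpt.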
log.commit = commit;
log.parent = NULL;
opt->loginfo = &log;
opt->diffopt.no_free = 1;
if (opt->line_level_traverse)
return line_log_print(opt, commit);
Reported by Cppcheck.
Line: 806
Column: 3
CWE codes:
120
Suggestion:
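Make sure destination can always hold the source data. In this excerpt the call is a fixed-size struct copy into dq, a struct diff_queue_struct declared in the same block; it is in bounds as long as diff_queued_diff has that same type, and its declaration is outside the excerpt. Writing the size as sizeof(dq) would tie it to the destination.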
if (cmit_fmt_is_mail(ctx.fmt) && opt->idiff_oid1) {
struct diff_queue_struct dq;
memcpy(&dq, &diff_queued_diff, sizeof(diff_queued_diff));
DIFF_QUEUE_CLEAR(&diff_queued_diff);
next_commentary_block(opt, NULL);
fprintf_ln(opt->diffopt.file, "%s", opt->idiff_title);
show_interdiff(opt->idiff_oid1, opt->idiff_oid2, 2,
Reported by FlawFinder.
Line: 826
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.diffopt = &opts
};
memcpy(&dq, &diff_queued_diff, sizeof(diff_queued_diff));
DIFF_QUEUE_CLEAR(&diff_queued_diff);
next_commentary_block(opt, NULL);
fprintf_ln(opt->diffopt.file, "%s", opt->rdiff_title);
/*
Reported by FlawFinder.
Line: 148
Column: 29
CWE codes:
126
struct object_id original_oid;
if (!read_replace_refs)
return 0;
if (get_oid_hex(refname + strlen(git_replace_ref_base),
&original_oid)) {
warning("invalid replace ref %s", refname);
return 0;
}
obj = parse_object(the_repository, &original_oid);
Reported by FlawFinder.
Line: 372
Column: 52
CWE codes:
126
const char *suffix = info->patch_suffix;
int nr = info->nr;
int start_len = filename->len;
int max_len = start_len + info->patch_name_max - (strlen(suffix) + 1);
if (info->reroll_count) {
struct strbuf temp = STRBUF_INIT;
strbuf_addf(&temp, "v%s", info->reroll_count);
Reported by FlawFinder.
t/helper/test-run-command.c
5 issues
Line: 261
Column: 5
CWE codes:
119
120
Suggestion:
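Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt arg_len is min_len + my_random() % (ARRAY_SIZE(buf) - min_len), i.e. between 1 and 19 for the 20-byte buf, so the loop index k stays below 19; the loop body and any terminator write are outside the excerpt.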
} else {
arg_count = 1 + (my_random() % 5);
for (j = 0; j < arg_count; j++) {
char buf[20];
size_t min_len = 1;
size_t arg_len = min_len +
(my_random() % (ARRAY_SIZE(buf) - min_len));
for (k = 0; k < arg_len; k++)
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
119
120
Suggestion:
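Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only write into path is xsnprintf(path, sizeof(path), "out-XXXXXX"), a fixed 10-character template bounded by sizeof(path).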
static int inherit_handle(const char *argv0)
{
struct child_process cp = CHILD_PROCESS_INIT;
char path[PATH_MAX];
int tmp;
/* First, open an inheritable handle */
xsnprintf(path, sizeof(path), "out-XXXXXX");
tmp = xmkstemp(path);
Reported by FlawFinder.
Line: 411
Column: 9
CWE codes:
190
Suggestion:
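If the source is untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended). atoi() gives no way to detect a non-numeric or out-of-range argument; strtol() with an end-pointer and errno check does. The flagged call parses argv[2] of a test helper (t/helper/).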
if (!strcmp(argv[1], "run-command"))
exit(run_command(&proc));
jobs = atoi(argv[2]);
proc.argv = (const char **)argv + 3;
if (!strcmp(argv[1], "run-command-parallel"))
exit(run_processes_parallel(jobs, parallel_next,
NULL, NULL, &proc));
Reported by FlawFinder.
Line: 290
Column: 9
CWE codes:
126
ret = error("incorrectly quoted arg: '%s', "
"echoed back as '%s'",
arg, out.buf + k);
k += strlen(out.buf + k) + 1;
}
if (k != out.len)
ret = error("got %d bytes, but consumed only %d",
(int)out.len, (int)k);
Reported by FlawFinder.
Line: 322
Column: 19
CWE codes:
126
static int quote_echo(int argc, const char **argv)
{
while (argc > 1) {
fwrite(argv[1], strlen(argv[1]), 1, stdout);
fputc('\0', stdout);
argv++;
argc--;
}
Reported by FlawFinder.
trace.c
5 issues
Line: 40
Column: 46
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (key->initialized)
return key->fd;
trace = override_envvar ? override_envvar : getenv(key->key);
if (!trace || !strcmp(trace, "") ||
!strcmp(trace, "0") || !strcasecmp(trace, "false"))
key->fd = 0;
else if (!strcmp(trace, "1") || !strcasecmp(trace, "true"))
Reported by FlawFinder.
Line: 48
Column: 13
CWE codes:
190
Suggestion:
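If the source is untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into a negative number; consider saving to an unsigned value if that is intended). In this excerpt atoi() is reached only after strlen(trace) == 1 && isdigit(*trace), so the result is a single digit, 0 to 9.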
else if (!strcmp(trace, "1") || !strcasecmp(trace, "true"))
key->fd = STDERR_FILENO;
else if (strlen(trace) == 1 && isdigit(*trace))
key->fd = atoi(trace);
else if (is_absolute_path(trace)) {
int fd = open(trace, O_WRONLY | O_APPEND | O_CREAT, 0666);
if (fd == -1) {
warning("could not open '%s' for tracing: %s",
trace, strerror(errno));
Reported by FlawFinder.
Line: 50
Column: 12
CWE codes:
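362
Note: CWE-362 is the race-condition class FlawFinder attaches to open() on a path. In this excerpt the path is the trace setting itself and the flags shown are O_WRONLY | O_APPEND | O_CREAT with mode 0666, so a missing file is created and an existing file at that path is opened as it is. Whether that is acceptable depends on who can write to the directory the path names.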
else if (strlen(trace) == 1 && isdigit(*trace))
key->fd = atoi(trace);
else if (is_absolute_path(trace)) {
int fd = open(trace, O_WRONLY | O_APPEND | O_CREAT, 0666);
if (fd == -1) {
warning("could not open '%s' for tracing: %s",
trace, strerror(errno));
trace_disable(key);
} else {
Reported by FlawFinder.
Line: 47
Column: 11
CWE codes:
126
key->fd = 0;
else if (!strcmp(trace, "1") || !strcasecmp(trace, "true"))
key->fd = STDERR_FILENO;
else if (strlen(trace) == 1 && isdigit(*trace))
key->fd = atoi(trace);
else if (is_absolute_path(trace)) {
int fd = open(trace, O_WRONLY | O_APPEND | O_CREAT, 0666);
if (fd == -1) {
warning("could not open '%s' for tracing: %s",
Reported by FlawFinder.
Line: 221
Column: 22
CWE codes:
126
strbuf_addf(&buf, "performance: %.9f s", (double) nanos / 1000000000);
if (format && *format) {
if (perf_indent >= strlen(space))
BUG("Too deep indentation");
strbuf_addf(&buf, ":%.*s ", perf_indent, space);
strbuf_vaddf(&buf, format, ap);
}
Reported by FlawFinder.
compat/setenv.c
5 issues
Line: 15
Column: 12
CWE codes:
807
20
Suggestion:
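Check environment variables carefully before using them. In this excerpt the getenv() result is only compared against NULL to decide whether the variable already exists; its contents are not read.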
}
if (!replace) {
char *oldval = NULL;
oldval = getenv(name);
if (oldval) return 0;
}
namelen = strlen(name);
valuelen = strlen(value);
Reported by FlawFinder.
Line: 27
Column: 2
CWE codes:
120
Suggestion:
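Make sure destination can always hold the source data. The other excerpts from this file show envstr allocated with malloc(st_add3(namelen, valuelen, 2)), and the lines here write namelen bytes, '=', valuelen bytes and a terminating 0, which is namelen + valuelen + 2 bytes in total.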
return -1;
}
memcpy(envstr, name, namelen);
envstr[namelen] = '=';
memcpy(envstr + namelen + 1, value, valuelen);
envstr[namelen + valuelen + 1] = 0;
out = putenv(envstr);
Reported by FlawFinder.
Line: 29
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(envstr, name, namelen);
envstr[namelen] = '=';
memcpy(envstr + namelen + 1, value, valuelen);
envstr[namelen + valuelen + 1] = 0;
out = putenv(envstr);
/* putenv(3) makes the argument string part of the environment,
* and changing that string modifies the environment --- which
Reported by FlawFinder.
Line: 19
Column: 12
CWE codes:
126
if (oldval) return 0;
}
namelen = strlen(name);
valuelen = strlen(value);
envstr = malloc(st_add3(namelen, valuelen, 2));
if (!envstr) {
errno = ENOMEM;
return -1;
Reported by FlawFinder.
Line: 20
Column: 13
CWE codes:
126
}
namelen = strlen(name);
valuelen = strlen(value);
envstr = malloc(st_add3(namelen, valuelen, 2));
if (!envstr) {
errno = ENOMEM;
return -1;
}
Reported by FlawFinder.
compat/qsort_s.c
5 issues
Line: 32
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (n1 > 0 && n2 > 0) {
if (cmp(b1, b2, ctx) <= 0) {
memcpy(tmp, b1, s);
tmp += s;
b1 += s;
--n1;
} else {
memcpy(tmp, b2, s);
Reported by FlawFinder.
Line: 37
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
b1 += s;
--n1;
} else {
memcpy(tmp, b2, s);
tmp += s;
b2 += s;
--n2;
}
}
Reported by FlawFinder.
Line: 44
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
if (n1 > 0)
memcpy(tmp, b1, n1 * s);
memcpy(b, t, (n - n2) * s);
}
int git_qsort_s(void *b, size_t n, size_t s,
int (*cmp)(const void *, const void *, void *), void *ctx)
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (n1 > 0)
memcpy(tmp, b1, n1 * s);
memcpy(b, t, (n - n2) * s);
}
int git_qsort_s(void *b, size_t n, size_t s,
int (*cmp)(const void *, const void *, void *), void *ctx)
{
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int (*cmp)(const void *, const void *, void *), void *ctx)
{
const size_t size = st_mult(n, s);
char buf[1024];
if (!n)
return 0;
if (!b || !cmp)
return -1;
Reported by FlawFinder.
line-log.c
5 issues
Line: 362
Column: 2
CWE codes:
119
120
Suggestion:
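Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only write into buf is snprintf(buf, 4096, ...), which is bounded and NUL-terminates but silently truncates a long r->path; writing the limit as sizeof(buf) would keep it in step with the declaration.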
static void dump_line_log_data(struct line_log_data *r)
{
char buf[4096];
while (r) {
snprintf(buf, 4096, "file %s\n", r->path);
dump_range_set(&r->ranges, buf);
r = r->next;
}
Reported by FlawFinder.
Line: 789
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct diff_queue_struct *src)
{
assert(src != dst);
memcpy(dst, src, sizeof(struct diff_queue_struct));
DIFF_QUEUE_CLEAR(src);
}
static void filter_diffs_for_paths(struct line_log_data *range, int keep_deletions)
{
Reported by FlawFinder.
Line: 1131
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rg = rg->next;
assert(rg);
rg->pair = diff_filepair_dup(queue->queue[i]);
memcpy(&rg->diff, pairdiff, sizeof(struct diff_ranges));
}
free(pairdiff);
}
return changed;
Reported by FlawFinder.
Line: 586
Column: 44
CWE codes:
126
range_part = xstrndup(item->string, name_part - item->string);
name_part++;
full_name = prefix_path(prefix, prefix ? strlen(prefix) : 0,
name_part);
spec = alloc_filespec(full_name);
fill_blob_sha1(r, commit, spec);
fill_line_ends(r, spec, &lines, &ends);
Reported by FlawFinder.
Line: 1169
Column: 31
CWE codes:
126
return 0;
while (!result && range) {
fill_bloom_key(range->path, strlen(range->path), &key, rev->bloom_filter_settings);
if (bloom_filter_contains(filter, &key, rev->bloom_filter_settings))
result = 1;
clear_bloom_key(&key);
Reported by FlawFinder.