The following issues were found
src/third_party/mozjs-60/extract/js/src/vm/CodeCoverage.cpp
4 issues
Line: 612
Column: 26
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
bool
LCovRuntime::fillWithFilename(char *name, size_t length)
{
const char* outDir = getenv("JS_CODE_COVERAGE_OUTPUT_DIR");
if (!outDir || *outDir == 0)
return false;
int64_t timestamp = static_cast<double>(PRMJ_Now()) / PRMJ_USEC_PER_SEC;
static mozilla::Atomic<size_t> globalRuntimeId(0);
Reported by FlawFinder.
Line: 572
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// hexadecimal code.
outTN_.put("TN:");
if (cx->runtime()->compartmentNameCallback) {
char name[1024];
{
// Hazard analysis cannot tell that the callback does not GC.
JS::AutoSuppressGCAnalysis nogc;
(*cx->runtime()->compartmentNameCallback)(cx, comp, name, sizeof(name));
}
Reported by FlawFinder.
Line: 633
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void
LCovRuntime::init()
{
char name[1024];
if (!fillWithFilename(name, sizeof(name)))
return;
// If we cannot open the file, report a warning.
if (!out_.init(name))
Reported by FlawFinder.
Line: 650
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
out_.finish();
if (isEmpty_) {
char name[1024];
if (!fillWithFilename(name, sizeof(name)))
return;
remove(name);
}
}
Reported by FlawFinder.
src/third_party/mozjs-60/extract/js/src/vm/BytecodeUtil.h
4 issues
Line: 153
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SET_UINT16(jsbytecode* pc, uint16_t i)
{
#if MOZ_LITTLE_ENDIAN
memcpy(pc + 1, &i, sizeof(i));
#else
pc[1] = UINT16_LO(i);
pc[2] = UINT16_HI(i);
#endif
}
Reported by FlawFinder.
Line: 174
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// Do a single 32-bit load (for opcode and operand), then shift off the
// opcode.
uint32_t result;
memcpy(&result, pc, 4);
return result >> 8;
#else
return unsigned((pc[3] << 16) | (pc[2] << 8) | pc[1]);
#endif
}
Reported by FlawFinder.
Line: 187
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MOZ_ASSERT(i < (1 << 24));
#if MOZ_LITTLE_ENDIAN
memcpy(pc + 1, &i, 3);
#else
pc[1] = jsbytecode(i);
pc[2] = jsbytecode(i >> 8);
pc[3] = jsbytecode(i >> 16);
#endif
Reported by FlawFinder.
Line: 220
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
SET_UINT32(jsbytecode* pc, uint32_t u)
{
#if MOZ_LITTLE_ENDIAN
memcpy(pc + 1, &u, sizeof(u));
#else
pc[1] = jsbytecode(u);
pc[2] = jsbytecode(u >> 8);
pc[3] = jsbytecode(u >> 16);
pc[4] = jsbytecode(u >> 24);
Reported by FlawFinder.
src/third_party/wiredtiger/test/manydbs/manydbs.c
4 issues
Line: 33
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define HOME_SIZE 512
#define HOME_BASE "WT_TEST"
static char home[HOME_SIZE]; /* Base home directory */
static char hometmp[HOME_SIZE]; /* Each conn home directory */
static const char *const uri = "table:main";
#define WTOPEN_CFG_COMMON \
"create,log=(file_max=10M,archive=false,enabled)," \
Reported by FlawFinder.
Line: 34
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define HOME_SIZE 512
#define HOME_BASE "WT_TEST"
static char home[HOME_SIZE]; /* Base home directory */
static char hometmp[HOME_SIZE]; /* Each conn home directory */
static const char *const uri = "table:main";
#define WTOPEN_CFG_COMMON \
"create,log=(file_max=10M,archive=false,enabled)," \
"statistics=(fast),statistics_log=(wait=5),"
Reported by FlawFinder.
Line: 145
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint64_t cond_reset, cond_wait;
uint64_t *cond_reset_orig;
int cfg, ch, dbs, i;
char cmd[128];
const char *working_dir, *wt_cfg;
bool idle;
(void)testutil_set_progname(argv);
Reported by FlawFinder.
Line: 157
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
while ((ch = __wt_getopt(progname, argc, argv, "D:h:I")) != EOF)
switch (ch) {
case 'D':
dbs = atoi(__wt_optarg);
break;
case 'h':
working_dir = __wt_optarg;
break;
case 'I':
Reported by FlawFinder.
src/mongo/db/exec/sbe/stages/exchange.cpp
4 issues
Line: 210
Column: 24
CWE codes:
362
return ctx.getAccessor(slot);
}
void ExchangeConsumer::open(bool reOpen) {
auto optTimer(getOptTimer(_opCtx));
_commonStats.opens++;
if (reOpen) {
Reported by FlawFinder.
Line: 486
Column: 12
CWE codes:
362
try {
p->prepare(ctx);
p->open(false);
auto status = p->getNext();
if (status != PlanState::IS_EOF) {
uasserted(4822837, "producer returned invalid state");
}
Reported by FlawFinder.
Line: 519
Column: 24
CWE codes:
362
value::SlotAccessor* ExchangeProducer::getAccessor(CompileCtx& ctx, value::SlotId slot) {
return _children[0]->getAccessor(ctx, slot);
}
void ExchangeProducer::open(bool reOpen) {
auto optTimer(getOptTimer(_opCtx));
_commonStats.opens++;
if (reOpen) {
uasserted(4822839, "exchange producer cannot be reopened");
Reported by FlawFinder.
Line: 526
Column: 19
CWE codes:
362
if (reOpen) {
uasserted(4822839, "exchange producer cannot be reopened");
}
_children[0]->open(reOpen);
}
bool ExchangeProducer::appendData(size_t consumerId) {
auto buffer = getBuffer(consumerId);
// Detect early out.
if (!buffer) {
Reported by FlawFinder.
src/third_party/mozjs-60/extract/js/src/jsapi.h
4 issues
Line: 813
Column: 91
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
} /* namespace JS */
extern JS_PUBLIC_API(bool)
JS_StrictlyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_LooselyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
Reported by FlawFinder.
Line: 816
Column: 90
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
JS_StrictlyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_LooselyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_SameValue(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* same);
/** True iff fun is the global eval function. */
Reported by FlawFinder.
Line: 4990
Column: 16
CWE codes:
126
size_t length() const {
if (!mBytes)
return 0;
return strlen(mBytes);
}
private:
char* mBytes;
MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
Reported by FlawFinder.
Line: 5415
Column: 52
CWE codes:
126
}
void initBorrowedMessage(const char* messageArg) {
MOZ_ASSERT(!message_);
message_ = JS::ConstUTF8CharsZ(messageArg, strlen(messageArg));
}
JSString* newMessageString(JSContext* cx);
private:
Reported by FlawFinder.
src/third_party/mozjs-60/extract/js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp
4 issues
Line: 3464
Column: 29
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
case MSimdBinaryComp::greaterThan:
masm.vpcmpgtb(rhs, lhs, output);
return;
case MSimdBinaryComp::equal:
masm.vpcmpeqb(rhs, lhs, output);
return;
case MSimdBinaryComp::lessThan:
// src := rhs
if (rhs.kind() == Operand::FPREG)
Reported by FlawFinder.
Line: 3524
Column: 29
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
case MSimdBinaryComp::greaterThan:
masm.vpcmpgtw(rhs, lhs, output);
return;
case MSimdBinaryComp::equal:
masm.vpcmpeqw(rhs, lhs, output);
return;
case MSimdBinaryComp::lessThan:
// src := rhs
if (rhs.kind() == Operand::FPREG)
Reported by FlawFinder.
Line: 3583
Column: 29
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
case MSimdBinaryComp::greaterThan:
masm.packedGreaterThanInt32x4(rhs, lhs);
return;
case MSimdBinaryComp::equal:
masm.packedEqualInt32x4(rhs, lhs);
return;
case MSimdBinaryComp::lessThan:
// src := rhs
if (rhs.kind() == Operand::FPREG)
Reported by FlawFinder.
Line: 3635
Column: 29
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
MSimdBinaryComp::Operation op = ins->operation();
switch (op) {
case MSimdBinaryComp::equal:
masm.vcmpeqps(rhs, lhs, output);
return;
case MSimdBinaryComp::lessThan:
masm.vcmpltps(rhs, lhs, output);
return;
Reported by FlawFinder.
src/third_party/mozjs-60/extract/js/src/jit/x86-shared/Patching-x86-shared.h
4 issues
Line: 19
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GetPointer(const void* where)
{
void* res;
memcpy(&res, (const char*)where - sizeof(void*), sizeof(void*));
return res;
}
inline void
SetPointer(void* where, const void* value)
Reported by FlawFinder.
Line: 26
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
inline void
SetPointer(void* where, const void* value)
{
memcpy((char*)where - sizeof(void*), &value, sizeof(void*));
}
inline int32_t
GetInt32(const void* where)
{
Reported by FlawFinder.
Line: 33
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
GetInt32(const void* where)
{
int32_t res;
memcpy(&res, (const char*)where - sizeof(int32_t), sizeof(int32_t));
return res;
}
inline void
SetInt32(void* where, int32_t value)
Reported by FlawFinder.
Line: 40
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
inline void
SetInt32(void* where, int32_t value)
{
memcpy((char*)where - sizeof(int32_t), &value, sizeof(int32_t));
}
inline void
SetRel32(void* from, void* to)
{
Reported by FlawFinder.
src/third_party/wiredtiger/test/format/snap.c
4 issues
Line: 167
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
snap->ksize = ip->size;
if (ip->size > 0)
memcpy(snap->kdata, ip->data, ip->size);
}
if (op != REMOVE && op != TRUNCATE) {
ip = tinfo->value;
if (snap->vmemsize < ip->size) {
Reported by FlawFinder.
Line: 178
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
snap->vsize = ip->size;
if (ip->size > 0)
memcpy(snap->vdata, ip->data, ip->size);
}
/* Move to the next slot, wrap at the end of the circular buffer. */
if (++tinfo->snap_current >= tinfo->snap_end)
tinfo->snap_current = tinfo->snap_list;
Reported by FlawFinder.
Line: 541
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_SESSION *session;
#define MAX_RETRY_ON_ROLLBACK 1000
u_int max_retry;
char buf[64];
session = cursor->session;
trace_op(tinfo, "repeat %" PRIu64 " ts=%" PRIu64 " {%s}", snap->keyno, snap->ts,
trace_bytes(tinfo, snap->vdata, snap->vsize));
Reported by FlawFinder.
Line: 620
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TINFO *tinfo, **tinfop;
uint32_t count;
size_t i, statenum;
char buf[100];
count = 0;
track("rollback_to_stable: checking", 0ULL, NULL);
for (i = 0, tinfop = tinfo_array; i < tinfo_count; ++i, ++tinfop) {
Reported by FlawFinder.
src/mongo/db/repl/isself.cpp
4 issues
Line: 136
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (addrinfo* addr = addrs; addr != nullptr; addr = addr->ai_next) {
int family = addr->ai_family;
char host[NI_MAXHOST];
if (family == AF_INET || family == AF_INET6) {
err = getnameinfo(
addr->ai_addr, addr->ai_addrlen, host, NI_MAXHOST, nullptr, 0, NI_NUMERICHOST);
if (err) {
Reported by FlawFinder.
Line: 299
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (addr->ifa_addr == nullptr)
continue;
int family = addr->ifa_addr->sa_family;
char host[NI_MAXHOST];
if (family == AF_INET || (ipv6enabled && (family == AF_INET6))) {
err = getnameinfo(
addr->ifa_addr,
(family == AF_INET ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6)),
Reported by FlawFinder.
Line: 366
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (family == AF_INET) {
// IPv4
SOCKADDR_IN* sock = reinterpret_cast<SOCKADDR_IN*>(addr->Address.lpSockaddr);
char addrstr[INET_ADDRSTRLEN] = {0};
boost::system::error_code ec;
// Not all windows versions have inet_ntop
boost::asio::detail::socket_ops::inet_ntop(
AF_INET, &(sock->sin_addr), addrstr, INET_ADDRSTRLEN, 0, ec);
if (ec) {
Reported by FlawFinder.
Line: 382
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} else if (family == AF_INET6) {
// IPv6
SOCKADDR_IN6* sock = reinterpret_cast<SOCKADDR_IN6*>(addr->Address.lpSockaddr);
char addrstr[INET6_ADDRSTRLEN] = {0};
boost::system::error_code ec;
boost::asio::detail::socket_ops::inet_ntop(
AF_INET6, &(sock->sin6_addr), addrstr, INET6_ADDRSTRLEN, 0, ec);
if (ec) {
LOGV2_WARNING(21214,
Reported by FlawFinder.
src/third_party/wiredtiger/test/cursor_order/cursor_order_ops.c
4 issues
Line: 175
Column: 34
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (cfg->ftype == ROW) {
testutil_check(cursor->get_key(cursor, &strkey));
this_key = (uint64_t)atol(strkey);
} else
testutil_check(cursor->get_key(cursor, (uint64_t *)&this_key));
if (i == 0 && this_key < initial_key_range)
testutil_die(ret,
Reported by FlawFinder.
Line: 203
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_SESSION *session;
uintmax_t id;
uint64_t i;
char tid[128];
id = (uintmax_t)arg;
s = &run_info[id];
cfg = s->cfg;
testutil_check(__wt_thread_str(tid, sizeof(tid)));
Reported by FlawFinder.
Line: 239
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_ITEM *value, _value;
size_t len;
uint64_t keyno;
char keybuf[64], valuebuf[64];
WT_UNUSED(session);
value = &_value;
Reported by FlawFinder.
Line: 278
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_SESSION *session;
uintmax_t id;
uint64_t i;
char tid[128];
id = (uintmax_t)arg;
s = &run_info[id];
cfg = s->cfg;
testutil_check(__wt_thread_str(tid, sizeof(tid)));
Reported by FlawFinder.