The following issues were found
src/third_party/wiredtiger/src/reconcile/rec_col.c
2 issues
Line: 96
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
page_entries = WT_MIN(entries, cbulk->nrecs - cbulk->entry);
page_size = __bitstr_size(page_entries * btree->bitcnt);
offset = __bitstr_size(cbulk->entry * btree->bitcnt);
memcpy(r->first_free + offset, data, page_size);
cbulk->entry += page_entries;
r->recno += page_entries;
}
return (0);
}
Reported by FlawFinder.
Line: 331
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the original, disk-image bytes into place. */
if (page->entries != 0)
memcpy(
r->first_free, page->pg_fix_bitf, __bitstr_size((size_t)page->entries * btree->bitcnt));
/* Update any changes to the original on-page data items. */
WT_SKIP_FOREACH (ins, WT_COL_UPDATE_SINGLE(page)) {
WT_RET(__wt_rec_upd_select(session, r, ins, NULL, NULL, &upd_select));
Reported by FlawFinder.
src/third_party/wiredtiger/src/reconcile/rec_track.c
2 issues
Line: 473
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = (uint8_t *)reuse + sizeof(WT_OVFL_REUSE) + skipdepth * sizeof(WT_OVFL_REUSE *);
reuse->addr_offset = (uint8_t)WT_PTRDIFF(p, reuse);
reuse->addr_size = (uint8_t)addr_size;
memcpy(p, addr, addr_size);
p += addr_size;
reuse->value_offset = WT_PTRDIFF32(p, reuse);
reuse->value_size = WT_STORE_SIZE(value_size);
memcpy(p, value, value_size);
F_SET(reuse, WT_OVFL_REUSE_INUSE | WT_OVFL_REUSE_JUST_ADDED);
Reported by FlawFinder.
Line: 477
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p += addr_size;
reuse->value_offset = WT_PTRDIFF32(p, reuse);
reuse->value_size = WT_STORE_SIZE(value_size);
memcpy(p, value, value_size);
F_SET(reuse, WT_OVFL_REUSE_INUSE | WT_OVFL_REUSE_JUST_ADDED);
__wt_cache_page_inmem_incr(session, page, WT_OVFL_SIZE(reuse, WT_OVFL_REUSE));
/* Insert the new entry into the skiplist. */
Reported by FlawFinder.
src/third_party/wiredtiger/src/schema/schema_open.c
2 issues
Line: 474
Column: 28
CWE codes:
126
return (__wt_bad_object_type(session, uri));
if ((tend = strchr(tablename, ':')) == NULL)
tend = tablename + strlen(tablename);
WT_RET(
__wt_schema_get_table(session, tablename, WT_PTRDIFF(tend, tablename), false, 0, &table));
for (i = 0; i < WT_COLGROUPS(table); i++) {
Reported by FlawFinder.
Line: 530
Column: 61
CWE codes:
126
}
/* Otherwise, open it. */
WT_ERR(__wt_schema_open_index(session, table, tend + 1, strlen(tend + 1), indexp));
done:
if (invalidate)
table->idx_complete = false;
Reported by FlawFinder.
src/third_party/wiredtiger/src/schema/schema_rename.c
2 issues
Line: 21
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_DECL_ITEM(buf);
WT_DECL_RET;
char *newvalue, *oldvalue;
const char *filecfg[3] = {NULL, NULL, NULL};
const char *filename, *newfile;
bool exist;
newvalue = oldvalue = NULL;
Reported by FlawFinder.
Line: 225
Column: 52
CWE codes:
126
* issue is that the WT_WITHOUT_LOCKS macro can drop and reacquire the global table lock,
* avoiding deadlocks while waiting for LSM operation to quiesce.
*/
WT_RET(__wt_schema_get_table(session, oldname, strlen(oldname), false, 0, &table));
/* Rename the column groups. */
for (i = 0; i < WT_COLGROUPS(table); i++)
WT_ERR(__rename_tree(session, table, newuri, table->cgroups[i]->name, cfg));
Reported by FlawFinder.
src/third_party/wiredtiger/src/schema/schema_truncate.c
2 issues
Line: 76
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
WT_CURSOR *cursor;
WT_DECL_RET;
const char *cfg[2];
/* Open a cursor and traverse the object, removing every entry. */
cfg[0] = WT_CONFIG_BASE(session, WT_SESSION_open_cursor);
cfg[1] = NULL;
WT_RET(__wt_open_cursor(session, uri, NULL, cfg, &cursor));
Reported by FlawFinder.
Line: 22
Column: 48
CWE codes:
126
WT_TABLE *table;
u_int i;
WT_RET(__wt_schema_get_table(session, uri, strlen(uri), false, 0, &table));
WT_STAT_DATA_INCR(session, cursor_truncate);
/* Truncate the column groups. */
for (i = 0; i < WT_COLGROUPS(table); i++)
WT_ERR(__wt_schema_truncate(session, table->cgroups[i]->source, cfg));
Reported by FlawFinder.
src/third_party/wiredtiger/src/session/session_dhandle.c
2 issues
Line: 408
{
WT_DECL_RET;
WT_WITH_HANDLE_LIST_READ_LOCK(session,
if ((ret = __wt_conn_dhandle_find(session, uri, checkpoint)) == 0)
WT_DHANDLE_ACQUIRE(session->dhandle));
if (ret != WT_NOTFOUND)
return (ret);
Reported by Cppcheck.
Line: 64
Column: 36
CWE codes:
126
dhandle = NULL;
bucket = __wt_hash_city64(uri, strlen(uri)) & (S2C(session)->dh_hash_size - 1);
retry:
TAILQ_FOREACH (dhandle_cache, &session->dhhash[bucket], hashq) {
dhandle = dhandle_cache->dhandle;
if (WT_DHANDLE_INACTIVE(dhandle) && !WT_IS_METADATA(dhandle)) {
__session_discard_dhandle(session, dhandle_cache);
Reported by FlawFinder.
src/third_party/wiredtiger/src/support/crypto.c
2 issues
Line: 52
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* Copy in the skipped header bytes.
*/
memcpy(out->mem, in->data, skip);
/*
* Set the real result length in the output buffer including the skipped header size. The
* encryptor may have done its own padding so the returned result length is the real data length
* after decryption removes any of its padding.
Reported by FlawFinder.
Line: 110
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* Copy in the skipped header bytes, set the final data size.
*/
memcpy(out->mem, in->mem, skip);
out->size = result_len;
return (0);
}
/*
Reported by FlawFinder.
src/third_party/wiredtiger/src/support/hazard.c
2 issues
Line: 284
CWE codes:
908
* Use a barrier instead of marking the fields volatile because we don't want to slow down the
* rest of the hazard pointer functions that don't need special treatment.
*/
WT_ORDERED_READ(*hazard_inusep, session->hazard_inuse);
WT_ORDERED_READ(*hazardp, session->hazard);
}
/*
* __wt_hazard_check --
Reported by Cppcheck.
Line: 32
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
size = session->hazard_size;
WT_RET(__wt_calloc_def(session, size * 2, &nhazard));
memcpy(nhazard, session->hazard, size * sizeof(WT_HAZARD));
/*
* Swap the new hazard pointer array into place after initialization is complete (initialization
* must complete before eviction can see the new hazard pointer array), then schedule the
* original to be freed.
Reported by FlawFinder.
src/third_party/wiredtiger/src/support/hex.c
2 issues
Line: 262
Column: 45
CWE codes:
126
int
__wt_hex_to_raw(WT_SESSION_IMPL *session, const char *from, WT_ITEM *to)
{
return (__wt_nhex_to_raw(session, from, strlen(from), to));
}
/*
* __wt_nhex_to_raw --
* Convert a printable hex string to a chunk of data.
Reported by FlawFinder.
Line: 298
Column: 39
CWE codes:
126
u_char *t;
const u_char *p;
WT_RET(__wt_buf_init(session, to, strlen(from)));
for (p = (u_char *)from, t = to->mem; *p != '\0'; ++p, ++t) {
if ((*t = *p) != '\\')
continue;
++p;
Reported by FlawFinder.
src/third_party/wiredtiger/src/support/huffman.c
2 issues
Line: 635
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy result of exact known size into caller's buffer. */
outlen = (uint32_t)((bitpos + 7) / 8);
WT_ERR(__wt_buf_initsize(session, to_buf, outlen));
memcpy(to_buf->mem, tmp->mem, outlen);
#if __HUFFMAN_DETAIL
printf("encode: worst case %" PRIu32 " bytes -> actual %" PRIu32 "\n", max_len, outlen);
#endif
Reported by FlawFinder.
Line: 752
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Return the number of bytes used. */
WT_ERR(__wt_buf_initsize(session, to_buf, outlen));
memcpy(to_buf->mem, tmp->mem, outlen);
#if __HUFFMAN_DETAIL
printf("decode: worst case %" PRIu32 " bytes -> actual %" PRIu32 "\n", max_len, outlen);
#endif
Reported by FlawFinder.