The following issues were found

AK/CircularDuplexStream.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 42 Column: 12 CWE codes: 120 20 

                      return true;
    }

    size_t read(Bytes bytes) override
    {
        if (has_any_error())
            return 0;

        const auto nread = min(bytes.size(), m_queue.size());

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 55 Column: 12 CWE codes: 120 20 

                      return nread;
    }

    size_t read(Bytes bytes, size_t seekback)
    {
        if (seekback > Capacity || seekback > m_total_written) {
            set_recoverable_error();
            return 0;
        }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 79 Column: 9 CWE codes: 120 20 

                          return false;
        }

        read(bytes);
        return true;
    }

    bool discard_or_error(size_t count) override
    {

Reported by FlawFinder.

Userland/Libraries/LibCore/IODevice.h
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 88 Column: 18 CWE codes: 362 

              
    bool seek(i64, SeekMode = SeekMode::SetPosition, off_t* = nullptr);

    virtual bool open(OpenMode) = 0;
    virtual bool close();

    LineIterator line_begin() & { return LineIterator(*this); }
    LineIterator line_end() { return LineIterator(*this, true); }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 71 Column: 9 CWE codes: 120 20 

              
    bool has_error() const { return m_error != 0; }

    int read(u8* buffer, int length);

    ByteBuffer read(size_t max_size);
    ByteBuffer read_all();
    String read_line(size_t max_size = 16384);

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 73 Column: 16 CWE codes: 120 20 

              
    int read(u8* buffer, int length);

    ByteBuffer read(size_t max_size);
    ByteBuffer read_all();
    String read_line(size_t max_size = 16384);

    bool write(const u8*, int size);
    bool write(const StringView&);

Reported by FlawFinder.

Userland/Applications/Help/ManualSectionNode.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 41 Column: 39 CWE codes: 362 

                      m_children.append(make<ManualPageNode>(*this, move(page_name)));
}

void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 43 Column: 19 CWE codes: 362 

              
void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 45 Column: 14 CWE codes: 362 

              {
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

Userland/Applications/PDFViewer/NumericInput.h
3 issues
There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 13 

              #include <LibGUI/TextBox.h>

class NumericInput final : public GUI::TextBox {
    C_OBJECT(NumericInput)
public:
    NumericInput();
    virtual ~NumericInput() override = default;

    Function<void(i32)> on_number_changed;

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 13 

              #include <LibGUI/TextBox.h>

class NumericInput final : public GUI::TextBox {
    C_OBJECT(NumericInput)
public:
    NumericInput();
    virtual ~NumericInput() override = default;

    Function<void(i32)> on_number_changed;

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 13 

              #include <LibGUI/TextBox.h>

class NumericInput final : public GUI::TextBox {
    C_OBJECT(NumericInput)
public:
    NumericInput();
    virtual ~NumericInput() override = default;

    Function<void(i32)> on_number_changed;

Reported by Cppcheck.

Userland/Libraries/LibCoreDump/Reader.cpp
3 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 81 Column: 89 CWE codes: 126 

                  switch (type()) {
    case ELF::Core::NotesEntryHeader::Type::ProcessInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::ProcessInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);
        break;
    }
    case ELF::Core::NotesEntryHeader::Type::ThreadInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::ThreadInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current + 1);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 91 Column: 91 CWE codes: 126 

                  }
    case ELF::Core::NotesEntryHeader::Type::MemoryRegionInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::MemoryRegionInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->region_name + strlen(current->region_name) + 1);
        break;
    }
    case ELF::Core::NotesEntryHeader::Type::Metadata: {
        const auto* current = reinterpret_cast<const ELF::Core::Metadata*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 96 Column: 89 CWE codes: 126 

                  }
    case ELF::Core::NotesEntryHeader::Type::Metadata: {
        const auto* current = reinterpret_cast<const ELF::Core::Metadata*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);
        break;
    }
    default:
        VERIFY_NOT_REACHED();
    }

Reported by FlawFinder.

Userland/Libraries/LibGfx/PortableImageLoaderCommon.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 42 Column: 21 CWE codes: 120 20 

                  u8 byte {};
    StringBuilder sb {};

    while (streamer.read(byte)) {
        if (byte == ' ' || byte == '\t' || byte == '\n' || byte == '\r') {
            streamer.step_back();
            break;
        }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 67 Column: 21 CWE codes: 120 20 

                  bool exist = false;
    u8 byte {};

    while (streamer.read(byte)) {
        if (byte == '#') {
            exist = true;
        } else if (byte == '\t' || byte == '\n') {
            return exist;
        }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 121 Column: 21 CWE codes: 120 20 

                  bool exist = false;
    u8 byte {};

    while (streamer.read(byte)) {
        if (byte == ' ' || byte == '\t' || byte == '\n' || byte == '\r') {
            exist = true;
        } else if (byte == '#') {
            streamer.step_back();
            read_comment(context, streamer);

Reported by FlawFinder.

Userland/Libraries/LibCore/DirIterator.cpp
3 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 91 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

              String find_executable_in_path(String filename)
{
    if (filename.starts_with('/')) {
        if (access(filename.characters(), X_OK) == 0)
            return filename;

        return {};
    }

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 100 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly 

                  for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

    return {};
}

Reported by FlawFinder.

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 97 Column: 36 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them 

                      return {};
    }

    for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

Reported by FlawFinder.

Userland/Libraries/LibCore/ConfigFile.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 37 Column: 39 CWE codes: 362 

                  return adopt_ref(*new ConfigFile(path));
}

NonnullRefPtr<ConfigFile> ConfigFile::open(const String& path)
{
    return adopt_ref(*new ConfigFile(path));
}

ConfigFile::ConfigFile(const String& filename)

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 58 Column: 16 CWE codes: 362 

                  m_groups.clear();

    auto file = File::construct(m_filename);
    if (!file->open(OpenMode::ReadOnly))
        return;

    HashMap<String, String>* current_group = nullptr;

    while (file->can_read_line()) {

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 152 Column: 16 CWE codes: 362 

                  if (!m_dirty)
        return true;

    FILE* fp = fopen(m_filename.characters(), "wb");
    if (!fp)
        return false;

    for (auto& it : m_groups) {
        outln(fp, "[{}]", it.key);

Reported by FlawFinder.

Kernel/UserOrKernelBuffer.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 60 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  if (Memory::is_user_address(VirtualAddress(m_buffer)))
        return copy_to_user(m_buffer + offset, src, len);

    memcpy(m_buffer + offset, src, len);
    return true;
}

bool UserOrKernelBuffer::read(void* dest, size_t offset, size_t len) const
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 72 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  if (Memory::is_user_address(VirtualAddress(m_buffer)))
        return copy_from_user(dest, m_buffer + offset, len);

    memcpy(dest, m_buffer + offset, len);
    return true;
}

bool UserOrKernelBuffer::memset(int value, size_t offset, size_t len)
{

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 64 Column: 26 CWE codes: 120 20 

                  return true;
}

bool UserOrKernelBuffer::read(void* dest, size_t offset, size_t len) const
{
    if (!m_buffer)
        return false;

    if (Memory::is_user_address(VirtualAddress(m_buffer)))

Reported by FlawFinder.

Kernel/FileSystem/InodeFile.h
3 issues
chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 42 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead 

                  virtual String absolute_path(const FileDescription&) const override;

    virtual KResult truncate(u64) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

    virtual StringView class_name() const override { return "InodeFile"; }

    virtual bool is_seekable() const override { return true; }

Reported by FlawFinder.

chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 43 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead 

              
    virtual KResult truncate(u64) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

    virtual StringView class_name() const override { return "InodeFile"; }

    virtual bool is_seekable() const override { return true; }
    virtual bool is_inode() const override { return true; }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 33 Column: 31 CWE codes: 120 20 

                  virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual KResult ioctl(FileDescription&, unsigned request, Userspace<void*> arg) override;
    virtual KResultOr<Memory::Region*> mmap(Process&, FileDescription&, Memory::VirtualRange const&, u64 offset, int prot, bool shared) override;
    virtual KResult stat(::stat& buffer) const override { return inode().metadata().stat(buffer); }

Reported by FlawFinder.