The following issues were found
test/thirdparty/Fuzzer/FuzzerMutate.cpp
6 issues
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!NewSize)
return 0;
assert(NewSize <= MaxSize && "CustomCrossOver returned overisized unit");
memcpy(Data, U.data(), NewSize);
return NewSize;
}
size_t MutationDispatcher::Mutate_ShuffleBytes(uint8_t *Data, size_t Size,
size_t MaxSize) {
Reported by FlawFinder.
Line: 187
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (Size + W.size() > MaxSize) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size + 1);
memmove(Data + Idx + W.size(), Data + Idx, Size - Idx);
memcpy(Data + Idx, W.data(), W.size());
Size += W.size();
} else { // Overwrite some bytes with W.
if (W.size() > Size) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
memcpy(Data + Idx, W.data(), W.size());
Reported by FlawFinder.
Line: 192
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else { // Overwrite some bytes with W.
if (W.size() > Size) return 0;
size_t Idx = UsePositionHint ? DE.GetPositionHint() : Rand(Size - W.size());
memcpy(Data + Idx, W.data(), W.size());
}
return Size;
}
// Somewhere in the past we have observed a comparison instructions
Reported by FlawFinder.
Line: 308
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t TailSize = ToSize - ToInsertPos;
if (To == From) {
MutateInPlaceHere.resize(MaxToSize);
memcpy(MutateInPlaceHere.data(), From + FromBeg, CopySize);
memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
memmove(To + ToInsertPos, MutateInPlaceHere.data(), CopySize);
} else {
memmove(To + ToInsertPos + CopySize, To + ToInsertPos, TailSize);
memmove(To + ToInsertPos, From + FromBeg, CopySize);
Reported by FlawFinder.
Line: 382
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (Add == 0 || Rand.RandBool()) // Maybe negate.
Val = -Val;
}
memcpy(Data + Off, &Val, sizeof(Val));
return Size;
}
size_t MutationDispatcher::Mutate_ChangeBinaryInteger(uint8_t *Data,
size_t Size,
Reported by FlawFinder.
Line: 426
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
assert(NewSize > 0 && "CrossOver returned empty unit");
assert(NewSize <= MaxSize && "CrossOver returned overisized unit");
memcpy(Data, U.data(), NewSize);
return NewSize;
}
void MutationDispatcher::StartMutationSequence() {
CurrentMutatorSequence.clear();
Reported by FlawFinder.
include/nlohmann/detail/output/serializer.hpp
5 issues
Line: 458
Column: 43
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (codepoint <= 0xFFFF)
{
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
(std::snprintf)(string_buffer.data() + bytes, 7, "\\u%04x",
static_cast<std::uint16_t>(codepoint));
bytes += 6;
}
else
{
Reported by FlawFinder.
Line: 465
Column: 43
CWE codes:
134
Suggestion:
Use a constant for the format specification
else
{
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
(std::snprintf)(string_buffer.data() + bytes, 13, "\\u%04x\\u%04x",
static_cast<std::uint16_t>(0xD7C0u + (codepoint >> 10u)),
static_cast<std::uint16_t>(0xDC00u + (codepoint & 0x3FFu)));
bytes += 12;
}
}
Reported by FlawFinder.
Line: 504
Column: 35
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
std::string sn(9, '\0');
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
(std::snprintf)(&sn[0], sn.size(), "%.2X", byte);
JSON_THROW(type_error::create(316, "invalid UTF-8 byte at index " + std::to_string(i) + ": 0x" + sn, BasicJsonType()));
}
case error_handler_t::ignore:
case error_handler_t::replace:
Reported by FlawFinder.
Line: 599
Column: 27
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
std::string sn(9, '\0');
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
(std::snprintf)(&sn[0], sn.size(), "%.2X", static_cast<std::uint8_t>(s.back()));
JSON_THROW(type_error::create(316, "incomplete UTF-8 string; last byte: 0x" + sn, BasicJsonType()));
}
case error_handler_t::ignore:
{
Reported by FlawFinder.
Line: 804
Column: 36
CWE codes:
134
Suggestion:
Use a constant for the format specification
// the actual conversion
// NOLINTNEXTLINE(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
std::ptrdiff_t len = (std::snprintf)(number_buffer.data(), number_buffer.size(), "%.*g", d, x);
// negative value indicates an error
JSON_ASSERT(len > 0);
// check if buffer was large enough
JSON_ASSERT(static_cast<std::size_t>(len) < number_buffer.size());
Reported by FlawFinder.
test/src/unit-testsuites.cpp
5 issues
Line: 387
Column: 67
CWE codes:
362
}
SECTION("FILE 1.json")
{
std::unique_ptr<std::FILE, decltype(&std::fclose)> f(std::fopen(TEST_DATA_DIRECTORY "/json.org/1.json", "r"), &std::fclose);
json _;
CHECK_NOTHROW(_ = json::parse(f.get()));
}
SECTION("FILE 2.json")
Reported by FlawFinder.
Line: 394
Column: 67
CWE codes:
362
SECTION("FILE 2.json")
{
std::unique_ptr<std::FILE, decltype(&std::fclose)> f(std::fopen(TEST_DATA_DIRECTORY "/json.org/2.json", "r"), &std::fclose);
json _;
CHECK_NOTHROW(_ = json::parse(f.get()));
}
SECTION("FILE 3.json")
Reported by FlawFinder.
Line: 401
Column: 67
CWE codes:
362
SECTION("FILE 3.json")
{
std::unique_ptr<std::FILE, decltype(&std::fclose)> f(std::fopen(TEST_DATA_DIRECTORY "/json.org/3.json", "r"), &std::fclose);
json _;
CHECK_NOTHROW(_ = json::parse(f.get()));
}
SECTION("FILE 4.json")
Reported by FlawFinder.
Line: 408
Column: 67
CWE codes:
362
SECTION("FILE 4.json")
{
std::unique_ptr<std::FILE, decltype(&std::fclose)> f(std::fopen(TEST_DATA_DIRECTORY "/json.org/4.json", "r"), &std::fclose);
json _;
CHECK_NOTHROW(_ = json::parse(f.get()));
}
SECTION("FILE 5.json")
Reported by FlawFinder.
Line: 415
Column: 67
CWE codes:
362
SECTION("FILE 5.json")
{
std::unique_ptr<std::FILE, decltype(&std::fclose)> f(std::fopen(TEST_DATA_DIRECTORY "/json.org/5.json", "r"), &std::fclose);
json _;
CHECK_NOTHROW(_ = json::parse(f.get()));
}
}
Reported by FlawFinder.
test/thirdparty/Fuzzer/test/CustomCrossOverTest.cpp
4 issues
Line: 58
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (Size > MaxOutSize)
return 0;
memcpy(Out, Data1 + Offset1, Len1);
memcpy(Out + Len1, Separator, SeparatorLen);
memcpy(Out + Len1 + SeparatorLen, Data2 + Offset2, Len2);
return Len1 + Len2 + SeparatorLen;
}
Reported by FlawFinder.
Line: 59
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
memcpy(Out, Data1 + Offset1, Len1);
memcpy(Out + Len1, Separator, SeparatorLen);
memcpy(Out + Len1 + SeparatorLen, Data2 + Offset2, Len2);
return Len1 + Len2 + SeparatorLen;
}
Reported by FlawFinder.
Line: 60
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(Out, Data1 + Offset1, Len1);
memcpy(Out + Len1, Separator, SeparatorLen);
memcpy(Out + Len1 + SeparatorLen, Data2 + Offset2, Len2);
return Len1 + Len2 + SeparatorLen;
}
Reported by FlawFinder.
Line: 40
Column: 32
CWE codes:
126
uint8_t *Out, size_t MaxOutSize,
unsigned int Seed) {
static bool Printed;
static size_t SeparatorLen = strlen(Separator);
if (!Printed) {
std::cerr << "In LLVMFuzzerCustomCrossover\n";
Printed = true;
}
Reported by FlawFinder.
test/src/unit-user_defined_input.cpp
4 issues
Line: 66
return c.data + strlen(c.data); // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
}
TEST_CASE("Custom container non-member begin/end")
{
MyContainer data{"[1,2,3,4]"};
json as_json = json::parse(data);
CHECK(as_json.at(0) == 1);
Reported by Cppcheck.
Line: 63
Column: 21
CWE codes:
126
const char* end(const MyContainer& c)
{
return c.data + strlen(c.data); // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
}
TEST_CASE("Custom container non-member begin/end")
{
Reported by FlawFinder.
Line: 91
Column: 27
CWE codes:
126
const char* end() const
{
return data + strlen(data); // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
}
};
MyContainer2 data{"[1,2,3,4]"};
json as_json = json::parse(data);
Reported by FlawFinder.
Line: 142
Column: 31
CWE codes:
126
CHECK(std::is_same<MyIterator::iterator_category, std::input_iterator_tag>::value);
MyIterator begin{raw_data};
MyIterator end{raw_data + strlen(raw_data)}; // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
json as_json = json::parse(begin, end);
CHECK(as_json.at(0) == 1);
CHECK(as_json.at(1) == 2);
CHECK(as_json.at(2) == 3);
Reported by FlawFinder.
test/thirdparty/Fuzzer/FuzzerTraceState.cpp
4 issues
Line: 294
Column: 17
CWE codes:
126
fuzzer::TPC.AddValueForStrcmp(caller_pc, s1, s2, 64);
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = strlen(s1);
size_t Len2 = strlen(s2);
size_t N = std::min(Len1, Len2);
if (N <= 1) return; // Not interesting.
TS->TraceMemcmpCallback(N, reinterpret_cast<const uint8_t *>(s1),
reinterpret_cast<const uint8_t *>(s2));
Reported by FlawFinder.
Line: 295
Column: 17
CWE codes:
126
if (!RecordingMemcmp) return;
if (result == 0) return; // No reason to mutate.
size_t Len1 = strlen(s1);
size_t Len2 = strlen(s2);
size_t N = std::min(Len1, Len2);
if (N <= 1) return; // Not interesting.
TS->TraceMemcmpCallback(N, reinterpret_cast<const uint8_t *>(s1),
reinterpret_cast<const uint8_t *>(s2));
}
Reported by FlawFinder.
Line: 312
Column: 65
CWE codes:
126
}
void __sanitizer_weak_hook_strstr(void *called_pc, const char *s1,
const char *s2, char *result) {
TS->AddInterestingWord(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
}
void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
const char *s2, char *result) {
TS->AddInterestingWord(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
}
Reported by FlawFinder.
Line: 316
Column: 65
CWE codes:
126
}
void __sanitizer_weak_hook_strcasestr(void *called_pc, const char *s1,
const char *s2, char *result) {
TS->AddInterestingWord(reinterpret_cast<const uint8_t *>(s2), strlen(s2));
}
void __sanitizer_weak_hook_memmem(void *called_pc, const void *s1, size_t len1,
const void *s2, size_t len2, void *result) {
if (fuzzer::DoingMyOwnMemmem) return;
TS->AddInterestingWord(reinterpret_cast<const uint8_t *>(s2), len2);
Reported by FlawFinder.
test/thirdparty/Fuzzer/test/DSOTestMain.cpp
3 issues
Line: 21
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (Size < sizeof(int) * 3) {
x = y = z = 0;
} else {
memcpy(&x, Data + 0 * sizeof(int), sizeof(int));
memcpy(&y, Data + 1 * sizeof(int), sizeof(int));
memcpy(&z, Data + 2 * sizeof(int), sizeof(int));
}
int sum = DSO1(x) + DSO2(y) + (z ? DSOTestExtra(z) : 0);
if (sum == 3) {
Reported by FlawFinder.
Line: 22
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
x = y = z = 0;
} else {
memcpy(&x, Data + 0 * sizeof(int), sizeof(int));
memcpy(&y, Data + 1 * sizeof(int), sizeof(int));
memcpy(&z, Data + 2 * sizeof(int), sizeof(int));
}
int sum = DSO1(x) + DSO2(y) + (z ? DSOTestExtra(z) : 0);
if (sum == 3) {
fprintf(stderr, "BINGO %d %d %d\n", x, y, z);
Reported by FlawFinder.
Line: 23
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
memcpy(&x, Data + 0 * sizeof(int), sizeof(int));
memcpy(&y, Data + 1 * sizeof(int), sizeof(int));
memcpy(&z, Data + 2 * sizeof(int), sizeof(int));
}
int sum = DSO1(x) + DSO2(y) + (z ? DSOTestExtra(z) : 0);
if (sum == 3) {
fprintf(stderr, "BINGO %d %d %d\n", x, y, z);
*nil = 0;
Reported by FlawFinder.
test/src/unit-conversions.cpp
3 issues
Line: 1647
enum class cards {kreuz, pik, herz, karo};
// NOLINTNEXTLINE(cppcoreguidelines-avoid-c-arrays,hicpp-avoid-c-arrays,modernize-avoid-c-arrays) - false positive
NLOHMANN_JSON_SERIALIZE_ENUM(cards,
{
{cards::kreuz, "kreuz"},
{cards::pik, "pik"},
{cards::pik, "puk"}, // second entry for cards::puk; will not be used
{cards::herz, "herz"},
Reported by Cppcheck.
Line: 297
Column: 24
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
auto v = j2.get<std::vector<int>>();
auto s = j3.get<std::string>();
CHECK(std::equal(v.begin(), v.end(), std::begin(nbs)));
CHECK(s == str);
}
SECTION("std::deque<json>")
{
Reported by FlawFinder.
Line: 399
Column: 24
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
json j2 = nbs;
j2.get_to(nbs2);
CHECK(std::equal(std::begin(nbs), std::end(nbs), std::begin(nbs2)));
}
SECTION("std::deque<json>")
{
std::deque<json> a{"previous", "value"};
Reported by FlawFinder.
test/thirdparty/Fuzzer/test/StrcmpTest.cpp
3 issues
Line: 12
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <cassert>
bool Eq(const uint8_t *Data, size_t Size, const char *Str) {
char Buff[1024];
size_t Len = strlen(Str);
if (Size < Len) return false;
if (Len >= sizeof(Buff)) return false;
memcpy(Buff, (char*)Data, Len);
Buff[Len] = 0;
Reported by FlawFinder.
Line: 16
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t Len = strlen(Str);
if (Size < Len) return false;
if (Len >= sizeof(Buff)) return false;
memcpy(Buff, (char*)Data, Len);
Buff[Len] = 0;
int res = strcmp(Buff, Str);
return res == 0;
}
Reported by FlawFinder.
Line: 13
Column: 16
CWE codes:
126
bool Eq(const uint8_t *Data, size_t Size, const char *Str) {
char Buff[1024];
size_t Len = strlen(Str);
if (Size < Len) return false;
if (Len >= sizeof(Buff)) return false;
memcpy(Buff, (char*)Data, Len);
Buff[Len] = 0;
int res = strcmp(Buff, Str);
Reported by FlawFinder.
include/nlohmann/detail/input/binary_reader.hpp
3 issues
Line: 321
Column: 23
CWE codes:
134
Suggestion:
Use a constant for the format specification
default: // anything else not supported (yet)
{
std::array<char, 3> cr{{}};
(std::snprintf)(cr.data(), cr.size(), "%.2hhX", static_cast<unsigned char>(element_type)); // NOLINT(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
return sax->parse_error(element_type_parse_position, std::string(cr.data()), parse_error::create(114, element_type_parse_position, "Unsupported BSON record type 0x" + std::string(cr.data()), BasicJsonType()));
}
}
}
Reported by FlawFinder.
Line: 2465
Column: 15
CWE codes:
134
Suggestion:
Use a constant for the format specification
std::string get_token_string() const
{
std::array<char, 3> cr{{}};
(std::snprintf)(cr.data(), cr.size(), "%.2hhX", static_cast<unsigned char>(current)); // NOLINT(cppcoreguidelines-pro-type-vararg,hicpp-vararg)
return std::string{cr.data()};
}
/*!
@param[in] format the current format
Reported by FlawFinder.
Line: 2373
Column: 14
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
// step 2: convert array into number of type T and return
std::memcpy(&result, vec.data(), sizeof(NumberType));
return true;
}
/*!
@brief create a string by reading characters from the input
Reported by FlawFinder.