Compiz

Merge lp:~mc-return/compiz/compiz.fix1030473-part4 into lp:compiz/0.9.8

  1. compiz.fix1030473-part4
  2. Merge into 0.9.8
Proposed by MC Return on 2012-08-06
Status: Rejected
Rejected by: Daniel van Vugt on 2012-08-07
Proposed branch: lp:~mc-return/compiz/compiz.fix1030473-part4
Merge into: lp:compiz/0.9.8
Diff against target: 118 lines (+12/-12)
6 files modified
compizconfig/gconf/src/gconf.c (+1/-1)
compizconfig/libcompizconfig/src/bindings.c (+2/-2)
compizconfig/libcompizconfig/src/compiz.cpp (+1/-1)
plugins/animation/src/options.cpp (+4/-4)
plugins/screenshot/src/screenshot.cpp (+2/-2)
src/action.cpp (+2/-2)
To merge this branch: bzr merge lp:~mc-return/compiz/compiz.fix1030473-part4
Reviewer Review Type Date Requested Status
Daniel van Vugt 2012-08-06 Disapprove on 2012-08-07
Review via email: mp+118409@code.launchpad.net

Commit Message

Added several field width specifiers to prevent overflows with massive input data.

Description of the Change

Adds several field width specifiers to prevent overflows with massive input data.

To post a comment you must log in.
Daniel van Vugt (vanvugt) wrote :

Out of curiosity, how many parts will there be? It's very hard to mark a bug as fixed when I'm not sure where the end of the fix will be.

Daniel van Vugt (vanvugt) wrote :

The integer changes (%d and %u) are low value. An integer overflow is different to a string overrun. Adding a field size to %d does not really improve the robustness of the code unless you have very good error checking:
    if (sscanf(...) == N) {} else { ... }

Also, field size limits are pointless and dangerous if we never check the return value of sscanf. Adding the field sizes means sscanf might fail if the input is too big. However if the surrounding code does not check sscanf for errors then you will get uninitialized variables, which is worse.

review: Needs Fixing
MC Return (mc-return) wrote :

> Out of curiosity, how many parts will there be? It's very hard to mark a bug
> as fixed when I'm not sure where the end of the fix will be.

Hmm, we have already reduced the remaining issues from a 108KiB text file to under 30KiB and I have been updating and documenting remaining problems in the bug report.
We could ofc. make this the last part if you like and fix the rest of the problems here.

MC Return (mc-return) wrote :

> The integer changes (%d and %u) are low value. An integer overflow is
> different to a string overrun. Adding a field size to %d does not really
> improve the robustness of the code unless you have very good error checking:
> if (sscanf(...) == N) {} else { ... }
>
> Also, field size limits are pointless and dangerous if we never check the
> return value of sscanf. Adding the field sizes means sscanf might fail if the
> input is too big. However if the surrounding code does not check sscanf for
> errors then you will get uninitialized variables, which is worse.

Should I simply remove the field width specifiers from the integers or add additional error checking ?

MC Return (mc-return) wrote :

Sam told me on Sunday he will take care about those 2 confirmed problems:

compizconfig/gsettings/src/gsettings.c:296: (warning) Casting between double* and float* which have an incompatible binary data representation

compizconfig/libcompizconfig/src/main.c:4305: (error) Read and write operations without a call to a positioning function (fseek, fsetpos or rewind) or fflush inbetween result in undefined behaviour.

Daniel van Vugt (vanvugt) wrote :

Please just remove the field width for integers. But you still also need error checking around the other sscanf() calls for strings with a max field width.

MC Return (mc-return) wrote :

Then we have possible null pointer dereferences:

compizconfig/libcompizconfig/src/main.c:656]: (error) Possible null pointer dereference: subGroup - otherwise it is redundant to check if subGroup is null at line 657
compizconfig/libcompizconfig/src/main.c:3213]: (error) Possible null pointer dereference: conflict - otherwise it is redundant to check if conflict is null at line 3214

gtk/window-decorator/frames.c:266]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:269]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:272]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:275]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296

gtk/window-decorator/frames.c:278]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:281]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:284]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:287]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:290]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296
gtk/window-decorator/frames.c:293]: (error) Possible null pointer dereference: frame - otherwise it is redundant to check if frame is null at line 296

Should I remove the redundant null checks ?

MC Return (mc-return) wrote :

Common realloc mistakes:

libcompizconfig/backend/src/ini.c:187]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure
libcompizconfig/backend/src/ini.c:221]: (error) Common realloc mistake: 'privData' nulled but not freed upon failure

libcompizconfig/src/filewatch.c:113]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure
libcompizconfig/src/filewatch.c:173]: (error) Common realloc mistake: 'fwData' nulled but not freed upon failure

libcompizconfig/src/ini.c:791]: (error) Common realloc mistake: 'stringBuffer' nulled but not freed upon failure

plugins/shift/src/shift.cpp:826]: (error) Common realloc mistake: 'mWindows' nulled but not freed upon failure
plugins/shift/src/shift.cpp:836]: (error) Common realloc mistake: 'mDrawSlots' nulled but not freed upon failure

plugins/stackswitch/src/stackswitch.cpp:619]: (error) Common realloc mistake: 'mWindows' nulled but not freed upon failure
plugins/stackswitch/src/stackswitch.cpp:624]: (error) Common realloc mistake: 'mDrawSlots' nulled but not freed upon failure

Daniel van Vugt (vanvugt) wrote :

Please stop pasting new error details here. Each type of error should be dealt with as a new proposal (and optionally new bug for each).

Daniel van Vugt (vanvugt) wrote :

No, the "redundant" checks probably are not redundant, but need to be moved to an earlier line of code.

MC Return (mc-return) wrote :

Suspicious stuff that can be clarified with parentheses:

animationaddon/src/polygon.cpp:459]: (style) Suspicious calculation. Please use parentheses to clarify the code. The code 'a%b?c:d' should be written as either '(a%b)?c:d' or 'a%(b?c:d)'.

plugins/colorfilter/src/parser.cpp:177]: (style) Suspicious condition (assignment+comparison), it can be clarified with parentheses

plugins/colorfilter/src/parser.cpp:178]: (style) Suspicious condition (assignment+comparison), it can be clarified with parentheses

plugins/place/src/place.cpp:439]: (style) Suspicious expression. Boolean result is used in bitwise operation. The ! operator and the comparison operators have higher precedence than bitwise operators. It is recommended that the expression is clarified with parentheses.

MC Return (mc-return) wrote :
Download full text (6.7 KiB)

Member variables that are not initialized in the constructors:

plugins/animation/src/glide.cpp:41]: (warning) Member variable 'GlideAnim::glideModRotAngle' is not initialized in the constructor.

plugins/animation/src/magiclamp.cpp:55]: (warning) Member variable 'MagicLampAnim::mTopLeftCornerObject' is not initialized in the constructor.
plugins/animation/src/magiclamp.cpp:55]: (warning) Member variable 'MagicLampAnim::mBottomLeftCornerObject' is not initialized in the constructor.

plugins/animationaddon/src/private.h:41]: (warning) Member variable 'ExtensionPluginAnimAddon::mOutput' is not initialized in the constructor.

plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::compositeEvent' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::compositeError' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::compositeOpcode' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::damageEvent' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::damageError' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::fixesEvent' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::fixesError' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::fixesVersion' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::shapeExtension' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::shapeEvent' is not initialized in the constructor.
/plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::shapeError' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::randrExtension' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::randrEvent' is not initialized in the constructor.
plugins/composite/src/screen.cpp:276]: (warning) Member variable 'PrivateCompositeScreen::randrError' is not initialized in the constructor.

plugins/ezoom/src/ezoom.cpp:1794]: (warning) Member variable 'CursorTexture::screen' is not initialized in the constructor.
plugins/ezoom/src/ezoom.cpp:1794]: (warning) Member variable 'CursorTexture::width' is not initialized in the constructor.
plugins/ezoom/src/ezoom.cpp:1794]: (warning) Member variable 'CursorTexture::height' is not initialized in the constructor.
plugins/ezoom/src/ezoom.cpp:1794]: (warning) Member variable 'CursorTexture::hotX' is not initialized in the constructor.
plugins/ezoom/src/ezoom.cpp:1794]: (warning) Member variable 'CursorTextu...

Read more...

MC Return (mc-return) wrote :
Download full text (9.8 KiB)

C-style pointer castings, that might be intentional:

compizconfig/libcompizconfig/tests/mock-context.h:94]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:100]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:106]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:112]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:118]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:124]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:130]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:136]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:142]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:148]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:154]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:160]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:166]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:172]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:178]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:187]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:196]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:205]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:211]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:217]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:223]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:232]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:241]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:250]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:259]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:265]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:271]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:280]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:289]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:295]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:304]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:313]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:322]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-context.h:331]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/context-mock.cpp:68]: (style) C-style pointer casting
compizconfig/libcompizconfig/tests/mock-plugin.h:64]: (style) C-st...

Daniel van Vugt (vanvugt) wrote :

Please STOP PASTING

Daniel van Vugt (vanvugt) wrote :

Each type of error should be dealt with as a new proposal (and optionally new bug for each).

MC Return (mc-return) wrote :

These might be false positives:

compizconfig/libcompizconfig/backend/src/ini.c:686]: (error) Memory pointed to by 'filePath' is freed twice.

compizconfig/gconf/src/gconf.c:1930]: (error) Memory pointed to by 'pathName' is freed twice.

compizconfig/libcompizconfig/src/main.c:259]: (error) Memory pointed to by 'val' is freed twice.
compizconfig/libcompizconfig/src/main.c:267]: (error) Memory pointed to by 'val' is freed twice.
compizconfig/libcompizconfig/src/main.c:275]: (error) Memory pointed to by 'val' is freed twice.
compizconfig/libcompizconfig/src/main.c:1037]: (error) Memory pointed to by 'dlname' is freed twice.
compizconfig/libcompizconfig/src/main.c:3485]: (error) Memory pointed to by 'backenddir' is freed twice.
compizconfig/libcompizconfig/src/main.c:3495]: (error) Memory pointed to by 'backenddir' is freed twice.

MC Return (mc-return) wrote :

Memory leaks:

compizconfig/libcompizconfig/src/main.c:3626]: (error) Memory leak: sectionName
compizconfig/libcompizconfig/src/main.c:3784]: (error) Memory leak: sectionName
compizconfig/libcompizconfig/src/main.c:4262]: (error) Memory leak: completedUpgrades
compizconfig/libcompizconfig/src/main.c:4266]: (error) Memory leak: completedUpgrades

gtk/window-decorator/decorator.c:1016]: (error) Memory leak: opts

compizconfig/libcompizconfig/src/compiz.cpp:2705]: (error) Memory leak: pbFile
compizconfig/libcompizconfig/src/compiz.cpp:2771]: (error) Memory leak: pbFile

Resource leak:

compizconfig/libcompizconfig/src/main.c:4262]: (error) Resource leak: completedUpgrades

Daniel van Vugt (vanvugt) wrote :

Rejected. Please discuss all of the above errors in NEW and SEPARATE proposals. And resubmit this one as discussed already.

review: Disapprove
MC Return (mc-return) wrote :

The rest of remaining potential problems that need to be verified:

gtk/window-decorator/metacity.c:599]: (style) Variable 'frame_style' is assigned a value that is never used

plugins/colorfilter/src/parser.h:34]: (style) The class 'FragmentParser 'does not have a constructor but it has attributes. The attributes are not initialized which may cause bugs or undefined behavior.

plugins/group/src/init.cpp:140]: (error) Uninitialized variable: group
plugins/group/src/init.cpp:141]: (error) Uninitialized variable: group

src/screen.cpp:1091]: (error) BOOST_FOREACH caches the end() iterator. It's undefined behavior if you modify the container.

src/window.cpp:2005]: (error) Analysis failed. If the code is valid then please report this failure.

Unmerged revisions

3312. By MC Return on 2012-08-06

Changed the int buttonNum to unsigned int buttonNum and changed "%d" to "%2u", because we do not have negative buttonNums and never more than 99 buttons

3311. By MC Return on 2012-08-06

Added field width specifiers (%5d x2) to "screenshot%d"

3310. By MC Return on 2012-08-06

Added field width specifier " %256s " to sscanf (for variable nameTrimmed)

3309. By MC Return on 2012-08-06

Added field width specifiers to " %d " changing them to " %5d " for the int variables vb and vi

3308. By MC Return on 2012-08-06

Added a field width specifier to " %s " changing it to " %256s " to allow a maximum of 256 characters for optNamesValues (is it too much ?)

3307. By MC Return on 2012-08-06

Changed 'int buttonNum;' to 'unsigned int buttonNum;', because buttonNum should always be positive
Changed 'if (sscanf (binding + strlen ("Button"), "%d", &buttonNum) == 1)' to 'if (sscanf (binding + strlen ("Button"), "%2u", &buttonNum) == 1)', because buttonNum should never be higher than 20

3306. By MC Return on 2012-08-06

Changed 'sscanf (token, "screen%d", &screenNum);' to 'sscanf (token, "screen%5u", &screenNum);', adding a field width specifier and changing the type from decimal integer to an unsigned integer (min 0, max 65536)

3305. By MC Return on 2012-08-06

Prevent overflow of name[1024] by adding a field width specifier (%1023s)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'compizconfig/gconf/src/gconf.c'
2--- compizconfig/gconf/src/gconf.c 2012-07-03 06:22:53 +0000
3+++ compizconfig/gconf/src/gconf.c 2012-08-06 18:15:23 +0000
4@@ -476,7 +476,7 @@
5 if (!token)
6 return;
7
8- sscanf (token, "screen%d", &screenNum);
9+ sscanf (token, "screen%5u", &screenNum);
10
11 token = strsep (&keyName, "/"); /* 'options' */
12 if (!token)
13
14=== modified file 'compizconfig/libcompizconfig/src/bindings.c'
15--- compizconfig/libcompizconfig/src/bindings.c 2012-07-29 10:11:30 +0000
16+++ compizconfig/libcompizconfig/src/bindings.c 2012-08-06 18:15:23 +0000
17@@ -375,9 +375,9 @@
18
19 if (strncmp (binding, "Button", strlen ("Button")) == 0)
20 {
21- int buttonNum;
22+ unsigned int buttonNum;
23
24- if (sscanf (binding + strlen ("Button"), "%d", &buttonNum) == 1)
25+ if (sscanf (binding + strlen ("Button"), "%2u", &buttonNum) == 1)
26 {
27 value->button = buttonNum;
28 value->buttonModMask = mods;
29
30=== modified file 'compizconfig/libcompizconfig/src/compiz.cpp'
31--- compizconfig/libcompizconfig/src/compiz.cpp 2012-07-30 11:16:25 +0000
32+++ compizconfig/libcompizconfig/src/compiz.cpp 2012-08-06 18:15:23 +0000
33@@ -3036,7 +3036,7 @@
34 for (i = 0; i < nFile; i++)
35 {
36 char name[1024];
37- sscanf (nameList[i]->d_name, "lib%s", name);
38+ sscanf (nameList[i]->d_name, "lib%1023s", name);
39 if (strlen (name) > 3)
40 name[strlen (name) - 3] = 0;
41 free (nameList[i]);
42
43=== modified file 'plugins/animation/src/options.cpp'
44--- plugins/animation/src/options.cpp 2010-10-23 15:41:33 +0000
45+++ plugins/animation/src/options.cpp 2012-08-06 18:15:23 +0000
46@@ -124,7 +124,7 @@
47 char *optNamesValues = (char *)calloc (len + 1, 1);
48
49 // Find the first substring with no spaces in it
50- sscanf (optNamesValuesOrig, " %s ", optNamesValues);
51+ sscanf (optNamesValuesOrig, " %256s ", optNamesValues);
52 if (!strlen (optNamesValues))
53 {
54 free (optNamesValues);
55@@ -166,7 +166,7 @@
56 break;
57 }
58
59- sscanf (name, " %s ", nameTrimmed);
60+ sscanf (name, " %256s ", nameTrimmed);
61 if (!strlen (nameTrimmed))
62 {
63 errorNo = 2;
64@@ -221,14 +221,14 @@
65 {
66 case CompOption::TypeBool:
67 int vb;
68- valueRead = sscanf (valueStr, " %d ", &vb);
69+ valueRead = sscanf (valueStr, " %5d ", &vb);
70 if (valueRead)
71 pair->value.set ((bool)vb);
72 break;
73 case CompOption::TypeInt:
74 {
75 int vi;
76- valueRead = sscanf (valueStr, " %d ", &vi);
77+ valueRead = sscanf (valueStr, " %5d ", &vi);
78 if (valueRead > 0)
79 {
80 if (o->rest ().inRange (vi))
81
82=== modified file 'plugins/screenshot/src/screenshot.cpp'
83--- plugins/screenshot/src/screenshot.cpp 2012-01-18 16:26:45 +0000
84+++ plugins/screenshot/src/screenshot.cpp 2012-08-06 18:15:23 +0000
85@@ -122,7 +122,7 @@
86 {
87 int number;
88
89- if (sscanf (d->d_name, "screenshot%d.png", &number))
90+ if (sscanf (d->d_name, "screenshot%5d.png", &number))
91 {
92 int nDigits = 0;
93
94@@ -201,7 +201,7 @@
95
96 if (n > 0)
97 sscanf (namelist[n - 1]->d_name,
98- "screenshot%d.png",
99+ "screenshot%5d.png",
100 &number);
101
102 number++;
103
104=== modified file 'src/action.cpp'
105--- src/action.cpp 2012-05-10 12:58:01 +0000
106+++ src/action.cpp 2012-08-06 18:15:23 +0000
107@@ -287,9 +287,9 @@
108
109 if (start != str.size () && str.compare (start, 6, "Button") == 0)
110 {
111- int buttonNum;
112+ unsigned int buttonNum;
113
114- if (sscanf (str.substr (start + 6).c_str (), "%d", &buttonNum) == 1)
115+ if (sscanf (str.substr (start + 6).c_str (), "%2u", &buttonNum) == 1)
116 {
117 mButton = buttonNum;
118 mModifiers = mods;

Subscribers

People subscribed via source and target branches