Merge lp:~mc-return/compiz/compiz.fix1030473-part4 into lp:compiz/0.9.8
| Status: | Rejected |
|---|---|
| Rejected by: | Daniel van Vugt on 2012-08-07 |
| Proposed branch: | lp:~mc-return/compiz/compiz.fix1030473-part4 |
| Merge into: | lp:compiz/0.9.8 |
| Diff against target: |
118 lines (+12/-12) 6 files modified
compizconfig/gconf/src/gconf.c (+1/-1) compizconfig/libcompizconfig/src/bindings.c (+2/-2) compizconfig/libcompizconfig/src/compiz.cpp (+1/-1) plugins/animation/src/options.cpp (+4/-4) plugins/screenshot/src/screenshot.cpp (+2/-2) src/action.cpp (+2/-2) |
| To merge this branch: | bzr merge lp:~mc-return/compiz/compiz.fix1030473-part4 |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Daniel van Vugt | 2012-08-06 | Disapprove on 2012-08-07 | |
|
Review via email:
|
|||
Commit Message
Added several field width specifiers to prevent overflows with massive input data.
Description of the Change
Adds several field width specifiers to prevent overflows with massive input data.
| Daniel van Vugt (vanvugt) wrote : | # |
| Daniel van Vugt (vanvugt) wrote : | # |
The integer changes (%d and %u) are low value. An integer overflow is different to a string overrun. Adding a field size to %d does not really improve the robustness of the code unless you have very good error checking:
if (sscanf(...) == N) {} else { ... }
Also, field size limits are pointless and dangerous if we never check the return value of sscanf. Adding the field sizes means sscanf might fail if the input is too big. However if the surrounding code does not check sscanf for errors then you will get uninitialized variables, which is worse.
| MC Return (mc-return) wrote : | # |
> Out of curiosity, how many parts will there be? It's very hard to mark a bug
> as fixed when I'm not sure where the end of the fix will be.
Hmm, we have already reduced the remaining issues from a 108KiB text file to under 30KiB and I have been updating and documenting remaining problems in the bug report.
We could ofc. make this the last part if you like and fix the rest of the problems here.
| MC Return (mc-return) wrote : | # |
> The integer changes (%d and %u) are low value. An integer overflow is
> different to a string overrun. Adding a field size to %d does not really
> improve the robustness of the code unless you have very good error checking:
> if (sscanf(...) == N) {} else { ... }
>
> Also, field size limits are pointless and dangerous if we never check the
> return value of sscanf. Adding the field sizes means sscanf might fail if the
> input is too big. However if the surrounding code does not check sscanf for
> errors then you will get uninitialized variables, which is worse.
Should I simply remove the field width specifiers from the integers or add additional error checking ?
| MC Return (mc-return) wrote : | # |
Sam told me on Sunday he will take care about those 2 confirmed problems:
compizconfig/
compizconfig/
| Daniel van Vugt (vanvugt) wrote : | # |
Please just remove the field width for integers. But you still also need error checking around the other sscanf() calls for strings with a max field width.
| MC Return (mc-return) wrote : | # |
Then we have possible null pointer dereferences:
compizconfig/
compizconfig/
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
gtk/window-
Should I remove the redundant null checks ?
| MC Return (mc-return) wrote : | # |
Common realloc mistakes:
libcompizconfig
libcompizconfig
libcompizconfig
libcompizconfig
libcompizconfig
plugins/
plugins/
plugins/
plugins/
| Daniel van Vugt (vanvugt) wrote : | # |
Please stop pasting new error details here. Each type of error should be dealt with as a new proposal (and optionally new bug for each).
| Daniel van Vugt (vanvugt) wrote : | # |
No, the "redundant" checks probably are not redundant, but need to be moved to an earlier line of code.
| MC Return (mc-return) wrote : | # |
Suspicious stuff that can be clarified with parentheses:
animationaddon/
plugins/
plugins/
plugins/
| MC Return (mc-return) wrote : | # |
Member variables that are not initialized in the constructors:
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
/plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
plugins/
| MC Return (mc-return) wrote : | # |
C-style pointer castings, that might be intentional:
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
| Daniel van Vugt (vanvugt) wrote : | # |
Please STOP PASTING
| Daniel van Vugt (vanvugt) wrote : | # |
Each type of error should be dealt with as a new proposal (and optionally new bug for each).
| MC Return (mc-return) wrote : | # |
These might be false positives:
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
compizconfig/
| MC Return (mc-return) wrote : | # |
Memory leaks:
compizconfig/
compizconfig/
compizconfig/
compizconfig/
gtk/window-
compizconfig/
compizconfig/
Resource leak:
compizconfig/
| Daniel van Vugt (vanvugt) wrote : | # |
Rejected. Please discuss all of the above errors in NEW and SEPARATE proposals. And resubmit this one as discussed already.
| MC Return (mc-return) wrote : | # |
The rest of remaining potential problems that need to be verified:
gtk/window-
plugins/
plugins/
plugins/
src/screen.
src/window.
Unmerged revisions
- 3312. By MC Return on 2012-08-06
-
Changed the int buttonNum to unsigned int buttonNum and changed "%d" to "%2u", because we do not have negative buttonNums and never more than 99 buttons
- 3311. By MC Return on 2012-08-06
-
Added field width specifiers (%5d x2) to "screenshot%d"
- 3310. By MC Return on 2012-08-06
-
Added field width specifier " %256s " to sscanf (for variable nameTrimmed)
- 3309. By MC Return on 2012-08-06
-
Added field width specifiers to " %d " changing them to " %5d " for the int variables vb and vi
- 3308. By MC Return on 2012-08-06
-
Added a field width specifier to " %s " changing it to " %256s " to allow a maximum of 256 characters for optNamesValues (is it too much ?)
- 3307. By MC Return on 2012-08-06
-
Changed 'int buttonNum;' to 'unsigned int buttonNum;', because buttonNum should always be positive
Changed 'if (sscanf (binding + strlen ("Button"), "%d", &buttonNum) == 1)' to 'if (sscanf (binding + strlen ("Button"), "%2u", &buttonNum) == 1)', because buttonNum should never be higher than 20 - 3306. By MC Return on 2012-08-06
-
Changed 'sscanf (token, "screen%d", &screenNum);' to 'sscanf (token, "screen%5u", &screenNum);', adding a field width specifier and changing the type from decimal integer to an unsigned integer (min 0, max 65536)
- 3305. By MC Return on 2012-08-06
-
Prevent overflow of name[1024] by adding a field width specifier (%1023s)


Out of curiosity, how many parts will there be? It's very hard to mark a bug as fixed when I'm not sure where the end of the fix will be.