[Bug 37129] New: Clang Static Analyzer: Buffer overflow

wine-bugs at winehq.org
Sat Aug 16 13:37:19 CDT 2014


https://bugs.winehq.org/show_bug.cgi?id=37129

            Bug ID: 37129
           Summary: Clang Static Analyzer: Buffer overflow
           Product: Wine
           Version: 1.7.22
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: lukebenes at hotmail.com

Clang Static Analyzer identifies a possible buffer overflow

File: tools/widl/typegen.c

Location: line 1158, column 28

Description: String copy function overflows destination buffer

static unsigned int write_new_procformatstring_type(...)
{
  char buffer[64];
  ...
  strcpy( buffer, "/* flags:" );
  if (flags & MustSize) strcat( buffer, " must size," );
  if (flags & MustFree) strcat( buffer, " must free," );
  if (flags & IsPipe) strcat( buffer, " pipe," );
  if (flags & IsIn) strcat( buffer, " in," );
  if (flags & IsOut) strcat( buffer, " out," );
  if (flags & IsReturn) strcat( buffer, " return," );
  if (flags & IsBasetype) strcat( buffer, " base type," );
  if (flags & IsByValue) strcat( buffer, " by value," );
  if (flags & IsSimpleRef) strcat( buffer, " simple ref," );
  ...
}

Even if not all the conditions are true, you still risk getting a string that is
too long to fit in the buffer.
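The following is an added example, not code from Wine or from the reporter, that demonstrates the arithmetic behind this report and a bounded way to build the same comment. The flag bit values are constructed for the example (widl's real values are not reproduced here); the prefix and fragment strings are those shown above. flag_comment_max_len() gives the worst-case length when every flag is set, flag_comment_fits() checks it against a buffer size, and format_flag_comment() assembles the string without ever writing past the destination, reporting the length the full string would need so a caller can detect truncation.

```c
#include <stdio.h>
#include <string.h>

/* Flag bits: constructed for this example, standing in for widl's
 * attribute flags. They are not the project's actual values. */
enum {
    MustSize    = 0x001,
    MustFree    = 0x002,
    IsPipe      = 0x004,
    IsIn        = 0x008,
    IsOut       = 0x010,
    IsReturn    = 0x020,
    IsBasetype  = 0x040,
    IsByValue   = 0x080,
    IsSimpleRef = 0x100
};

/* Fragments exactly as they appear in the reported code, in the same order. */
static const struct { unsigned int bit; const char *text; } flag_names[] = {
    { MustSize,    " must size," },
    { MustFree,    " must free," },
    { IsPipe,      " pipe," },
    { IsIn,        " in," },
    { IsOut,       " out," },
    { IsReturn,    " return," },
    { IsBasetype,  " base type," },
    { IsByValue,   " by value," },
    { IsSimpleRef, " simple ref," }
};

#define FLAG_COUNT (sizeof(flag_names) / sizeof(flag_names[0]))
static const char flag_prefix[] = "/* flags:";

/* Worst-case length (excluding the terminating NUL) when every flag is set. */
size_t flag_comment_max_len(void)
{
    size_t len = strlen(flag_prefix);
    for (size_t i = 0; i < FLAG_COUNT; i++) len += strlen(flag_names[i].text);
    return len;
}

/* 1 if a buffer of bufsize bytes can hold the worst case plus its NUL. */
int flag_comment_fits(size_t bufsize)
{
    return flag_comment_max_len() + 1 <= bufsize;
}

/* Copy as much of text as fits after *pos, always keeping the buffer
 * NUL-terminated. Returns strlen(text) regardless of how much was copied. */
static size_t append_bounded(char *buf, size_t size, size_t *pos, const char *text)
{
    size_t len = strlen(text);
    if (size > 0 && *pos < size - 1) {
        size_t room = size - 1 - *pos;
        size_t n = len < room ? len : room;
        memcpy(buf + *pos, text, n);
        *pos += n;
        buf[*pos] = '\0';
    }
    return len;
}

/* Bounded replacement for the strcpy/strcat chain. Never writes beyond
 * buf[size-1]. Returns the length the complete string would need, so the
 * caller can detect truncation with: needed >= size. */
size_t format_flag_comment(char *buf, size_t size, unsigned int flags)
{
    size_t pos = 0, needed = 0;
    if (size > 0) buf[0] = '\0';
    needed += append_bounded(buf, size, &pos, flag_prefix);
    for (size_t i = 0; i < FLAG_COUNT; i++) {
        if (flags & flag_names[i].bit)
            needed += append_bounded(buf, size, &pos, flag_names[i].text);
    }
    return needed;
}

int main(void)
{
    char buf[64];
    size_t needed = format_flag_comment(buf, sizeof buf, ~0u);
    printf("worst case needs %zu bytes, 64-byte buffer %s\n",
           flag_comment_max_len() + 1,
           flag_comment_fits(sizeof buf) ? "fits" : "overflows");
    printf("truncated output (%zu of %zu): \"%s\"\n", strlen(buf), needed, buf);
    return 0;
}
```

With every flag set the comment needs 87 characters plus the NUL, so the 64-byte buffer in the report is short by 24 bytes before anything else is appended; the bounded version stops at 63 characters and signals the shortfall through its return value instead of corrupting the stack.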
