Coverity doing scans of Wine codebase!

Tom Spear (Dustin Booker, Dustin Navea) speeddymon at gmail.com
Fri Apr 7 06:25:45 CDT 2006


James Hawkins wrote:
> On 4/6/06, Mike Hearn <mike at plan99.net> wrote:
>   
>> OK, that was a bit over-enthusiastic. A few of these are more tricky. EG:
>>
>>     
>
> Of the possible bugs I've seen so far, most of them are valid and
> worth fixing, but the checker stumbles over WideCharToMultiByte.  The
> checker reports two errors for (most) calls to WideCharToMultiByte:
>
> * Passing a negative value for the length of the source string.
>
> The checker doesn't pick up on this line:
>
> if (srclen < 0) srclen = strlenW(src) + 1;
>
> so we never access the string with a negative index.
>   

Umm, all that does is increment it by 1...  What if _somehow_ (don't ask 
me how, just venturing a guess) a bogus number is passed by strlenW(src) 
like -3789246?  Then you end up with srclen == -3789245...

> * Negative value can be returned and we don't check for it.
>
> The return type of WideCharToMultiByte is int, but the function is
> only supposed to return string lengths or 0 on error, and AFAIK no
> negative value is ever returned.  You would think the checker would
> pick up on that fact.
>
> The problem is that we call WideCharToMultiByte quite a few times
> throughout the wine codebase, so we have a lot of false positives with
> that one.
>
>   
I could be wrong, but wouldn't it be (theoretically speaking) possible 
for a program to force a negative number out of it (even though it isn't 
supposed to be able to), since it IS an int, regardless of the return 
value type?

Tom
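
The calling convention discussed in this thread (a negative source length meaning "NUL-terminated", and an int return that is a positive length or 0 on error), as an added example that is not part of the original message and is not Wine's code. `WCHAR16`, `bounded_wlen`, `narrow_copy` and `narrow_checked` are hypothetical names, and the ASCII-only conversion is a simplification; the point is that both invariants are enforced in code a reader or a checker can see.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned short WCHAR16;   /* hypothetical stand-in for a 16-bit wide char */

/* Length in characters, capped so that "+ 1" below can never overflow an int. */
static int bounded_wlen(const WCHAR16 *s)
{
    size_t n = 0;
    while (s[n] && n < (size_t)INT_MAX - 1) n++;
    return (int)n;
}

/* Simplified model: returns the number of bytes written (or required when
 * dstlen == 0) and 0 on any error. Non-ASCII input becomes '?'. */
int narrow_copy(const WCHAR16 *src, int srclen, char *dst, int dstlen)
{
    int i;
    if (!src || dstlen < 0 || (!dst && dstlen > 0)) return 0;
    if (srclen < 0) srclen = bounded_wlen(src) + 1;  /* negative = NUL-terminated */
    if (srclen == 0) return 0;
    if (dstlen == 0) return srclen;                  /* size query */
    if (srclen > dstlen) return 0;                   /* buffer too small */
    for (i = 0; i < srclen; i++)
        dst[i] = src[i] < 0x80 ? (char)src[i] : '?';
    return srclen;
}

/* Caller-side check: anything outside 1..dstlen is treated as failure, so a
 * zero or out-of-range result is never used as an index or a length. */
int narrow_checked(const WCHAR16 *src, int srclen, char *dst, int dstlen)
{
    int n = narrow_copy(src, srclen, dst, dstlen);
    if (n <= 0 || n > dstlen) {
        if (dst && dstlen > 0) dst[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    const WCHAR16 hi[] = { 'h', 'i', 0 };   /* constructed sample input */
    char buf[8];
    printf("%d\n", narrow_checked(hi, -1, buf, (int)sizeof buf));
    printf("%d\n", narrow_checked(hi, -1, buf, 2));
    return 0;
}
```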