Closed Bug 173551 Opened 22 years ago Closed 22 years ago

flawfinder warnings in zlib

Categories

(SeaMonkey :: General, defect, P4)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED INVALID
Future

People

(Reporter: morse, Assigned: netscape)

References

Details

I ran flawfinder (http://www.dwheeler.com/flawfinder) on the Mozilla 1.0.1 branch.

flawfinder found 25 warnings in zlib code (1462-1486). Go through
that list and for each warning:

* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get them checked in

In addition to checking the branch, also check the trunk.

1462) modules/zlib/src/example.c:71 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1463) modules/zlib/src/example.c:119 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1464) modules/zlib/src/example.c:209 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1465) modules/zlib/src/example.c:305 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1466) modules/zlib/src/example.c:384 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1467) modules/zlib/src/example.c:465 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1468) modules/zlib/src/gzio.c:108 [4] (buffer) strcpy: does not check for buffer 
overflows. Consider using strncpy or strlcpy.

1469) modules/zlib/src/gzio.c:201 [2] (buffer) sprintf: does not check for 
buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has 
a constant maximum length.

1470) modules/zlib/src/gzio.c:533 [4] (format) vsnprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1471) modules/zlib/src/gzio.c:535 [4] (format) vsprintf: Potential format string 
problem. Make format string constant.

1472) modules/zlib/src/gzio.c:556 [4] (format) snprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1473) modules/zlib/src/gzio.c:559 [4] (format) sprintf: Potential format string 
problem. Make format string constant.

1474) modules/zlib/src/gzio.c:871 [4] (buffer) strcpy: does not check for buffer 
overflows. Consider using strncpy or strlcpy.

1475) modules/zlib/src/gzio.c:872 [2] (buffer) strcat: does not check for buffer 
overflows. Consider using strncat or strlcat. Risk is low because the source is 
a constant string.

1476) modules/zlib/src/gzio.c:873 [4] (buffer) strcat: does not check for buffer 
overflows. Consider using strncat or strlcat.

1477) modules/zlib/src/minigzip.c:203 [4] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy.

1478) modules/zlib/src/minigzip.c:204 [4] (buffer) strcat: does not check for 
buffer overflows. Consider using strncat or strlcat.

1479) modules/zlib/src/minigzip.c:234 [4] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy.

1480) modules/zlib/src/minigzip.c:243 [4] (buffer) strcat: does not check for 
buffer overflows. Consider using strncat or strlcat.

1481) modules/zlib/src/minigzip.c:278 [2] (buffer) strcpy: does not check for 
buffer overflows. Consider using strncpy or strlcpy. Risk is low because the 
source is a constant string.

1482) modules/zlib/src/zutil.h:197 [4] (format) fprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1483) modules/zlib/src/zutil.h:198 [4] (format) fprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1484) modules/zlib/src/zutil.h:199 [4] (format) fprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1485) modules/zlib/src/zutil.h:200 [4] (format) fprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

1486) modules/zlib/src/zutil.h:201 [4] (format) fprintf: if format strings can 
be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.
Blocks: 148251
The only thing the build team can do is install a new version of zlib if one is
available. If you want someone to go in and fix these warnings, you'll need to
assign this to a developer.
Component: Build Config → Browser-General
I emailed the authors of zlib to have a look at these warnings.
Priority: -- → P4
Target Milestone: --- → Future
1462-1467 are in sample code, not used

1468 safe, enough space allocated dynamically

1469 is safe, enough static buffer to write an int and fixed string

1470-1473 can't really help that format string, looks like it has to be like
that. Also there is use of fixed sized buffer that might be a problem in some
cases, although I did not check that well. There does not appear to be any
callers of this function in our code so we are safe.

1474-1476 safe, dynamically allocated enough space

1477-1481 are in the minigzip application, which we don't use. However, this application is
vulnerable to buffer overflows because it has a static buffer size of 1024 for
file name/path, and it takes that argument from the command line and uses strcpy and
strcat to write the user-supplied name, which can be of any length, to this fixed
static buffer. If you know of anyone using this application you should let them
know about it so they can make sure their usage of it is safe.

1482-1486 are debug-only code

Since none of this affects Mozilla, marking INVALID.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
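The triage comment above classifies the strcpy/strcat warnings by whether the destination is sized for the source: a dynamically sized buffer is safe, a fixed 1024-byte buffer receiving a command-line name is not. The following is an added example (not zlib's or minigzip's own code; the function names, `MAX_NAME_LEN` and the `.gz` suffix are illustrative assumptions) showing the fixed-buffer "name + suffix" pattern rewritten with a length check before any copy, and a constant format string on the error path in the spirit of the `fprintf` findings:

```c
/* Added example, not zlib code: bounded replacement for the
 * strcpy+strcat-into-a-fixed-buffer pattern described in the triage. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN 1024   /* the fixed buffer size named in the bug comment */
#define GZ_SUFFIX    ".gz"  /* assumed suffix for illustration */

/* Build "<path><suffix>" into out (capacity outsz). Returns 0 on success,
 * -1 if the result would not fit; on failure out is left as "".
 * The length is checked before anything is written, unlike strcpy+strcat. */
int build_gz_name(char *out, size_t outsz, const char *path, const char *suffix)
{
    size_t plen = strlen(path);
    size_t slen = strlen(suffix);

    if (outsz == 0) return -1;
    /* need plen + slen + 1 <= outsz; written to avoid size_t wraparound */
    if (plen >= outsz || slen >= outsz - plen) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, path, plen);
    memcpy(out + plen, suffix, slen + 1);   /* copies the terminating NUL too */
    return 0;
}

/* Mirrors the minigzip use: a user-supplied name goes into a fixed-size
 * buffer. Over-long input is refused instead of overflowing. Returns 1 if
 * the name was accepted. */
int accept_user_name(const char *user_arg, char *outfile)
{
    if (build_gz_name(outfile, MAX_NAME_LEN, user_arg, GZ_SUFFIX) != 0) {
        /* constant format string; the variable data is an argument */
        fprintf(stderr, "%s: name too long\n", "minigzip");
        return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    char outfile[MAX_NAME_LEN];
    const char *name = argc > 1 ? argv[1] : "example.txt";  /* constructed default */
    if (accept_user_name(name, outfile))
        printf("%s\n", outfile);
    return 0;
}
```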
v invalid.
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey