Closed
Bug 173837
Opened 22 years ago
Closed 22 years ago
flawfinder warnings in content
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: morse, Assigned: jst)
References
Details
Attachments
(1 file, 1 obsolete file)
3.83 KB,
patch
|
Details | Diff | Splinter Review |
Heikki ran flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1 branch. flawfinder found 46 warnings in content code (3344-3389). Go through that list and for each warning: * If it is false positive, comment here why it is not an issue * If it is a real issue, make patch for it here and let's get them checked in In addition to checking the branch, also check the trunk. 3344) content/base/src/nsDocumentViewer.cpp:216 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3345) content/base/src/nsDocumentViewer.cpp:217 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3346) content/base/src/nsDocumentViewer.cpp:218 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3347) content/base/src/nsDocumentViewer.cpp:219 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3348) content/base/src/nsDocumentViewer.cpp:220 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3349) content/base/src/nsDocumentViewer.cpp:1892 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 3350) content/base/src/nsDocumentViewer.cpp:1896 [1] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. Risk is low because the source is a constant character. 3351) content/base/src/nsDocumentViewer.cpp:1899 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 3352) content/base/src/nsDocumentViewer.cpp:1900 [2] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. Risk is low because the source is a constant string. 3353) content/base/src/nsDocumentViewer.cpp:1914 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 3354) content/base/src/nsDocumentViewer.cpp:1915 [1] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. Risk is low because the source is a constant character. 3355) content/base/src/nsDocumentViewer.cpp:1916 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. 3356) content/base/src/nsDocumentViewer.cpp:2069 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3357) content/base/src/nsDocumentViewer.cpp:3644 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3358) content/html/content/src/nsHTMLInputElement.cpp:2138 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3359) content/html/content/src/nsHTMLInputElement.cpp:2140 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3360) content/html/style/src/nsCSSParser.cpp:2509 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3361) content/html/style/src/nsCSSParser.cpp:2516 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length. 3362) content/svg/content/src/nsSVGLength.cpp:286 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3363) content/svg/content/src/nsSVGPathSeg.cpp:210 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3364) content/svg/content/src/nsSVGPathSeg.cpp:319 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3365) content/svg/content/src/nsSVGPathSeg.cpp:427 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3366) content/svg/content/src/nsSVGPathSeg.cpp:536 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3367) content/svg/content/src/nsSVGPathSeg.cpp:651 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3368) content/svg/content/src/nsSVGPathSeg.cpp:823 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3369) content/svg/content/src/nsSVGPathSeg.cpp:991 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3370) content/svg/content/src/nsSVGPathSeg.cpp:1132 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3371) content/svg/content/src/nsSVGPathSeg.cpp:1279 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3372) content/svg/content/src/nsSVGPathSeg.cpp:1469 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3373) content/svg/content/src/nsSVGPathSeg.cpp:1648 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3374) content/svg/content/src/nsSVGPathSeg.cpp:1741 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3375) content/svg/content/src/nsSVGPathSeg.cpp:1834 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3376) content/svg/content/src/nsSVGPathSeg.cpp:1927 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3377) content/svg/content/src/nsSVGPathSeg.cpp:2024 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3378) content/svg/content/src/nsSVGPathSeg.cpp:2164 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3379) content/svg/content/src/nsSVGPathSeg.cpp:2301 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3380) content/svg/content/src/nsSVGPathSeg.cpp:2409 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3381) content/svg/content/src/nsSVGPointList.cpp:230 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3382) content/svg/content/src/nsSVGTransform.cpp:151 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3383) content/svg/content/src/nsSVGTransform.cpp:153 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3384) content/svg/content/src/nsSVGTransform.cpp:159 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3385) content/svg/content/src/nsSVGTransform.cpp:161 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3386) content/svg/content/src/nsSVGTransform.cpp:170 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3387) content/svg/content/src/nsSVGTransform.cpp:172 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3388) content/svg/content/src/nsSVGTransform.cpp:179 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 3389) content/svg/content/src/nsSVGTransform.cpp:186 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
Alex, Bradley: could you check the warnings under SVG?
nsDocumentViewer.cpp: there are no longer fprintf calls on the trunk, and on the 1.0 branch they are debug code.
Comment 3•22 years ago
|
||
The line in question is: nsTextFormatter::snprintf(buf, sizeof(buf)/sizeof(PRUnichar), NS_LITERAL_STRING("%g").get(), (double)mValueInSpecifiedUnits); The format argument is constant, but I guess flawfinder can't really know that. I didn't check all of the SVG stuff, though, just a couple.
nsDocumentViewer.cpp: there are no longer strcpy, strcat or sprintf calls. nsHTMLInputElement.cpp: we print into a fixed buffer of size 20 which is enough to hold a 32-bit integer (%d).
The stuff in nsCSSParser.cpp looks suspicuous. See at least lines 2576, 2583 on the trunk (2509 and 2516 on 1.0 branch). We have a fixed buffer of size 10 and use snprintf to write 32-bit int, and float into it. But 32-bit int can be 10 chars long, so where does the null terminator go? Can't remember how the float works off the top of my head, but that is probably also unsafe. We then convert the buffer into nsAutoString. Cc John Keiser who indicated he knows a better way to do this. http://lxr.mozilla.org/mozilla/source/content/html/style/src/nsCSSParser.cpp#2576 The struct is nsCSSToken, mInteger is PRInt32 and mNumber is float: http://lxr.mozilla.org/mozilla/source/content/html/style/src/nsCSSScanner.h#96
Reporter | ||
Comment 6•22 years ago
|
||
37 more flawfinder warnings 4031) content/base/src/nsDocumentViewer.cpp:217 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4032) content/base/src/nsDocumentViewer.cpp:218 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4033) content/base/src/nsDocumentViewer.cpp:219 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4034) content/base/src/nsDocumentViewer.cpp:220 [4] (format) fprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4035) content/base/src/nsDocumentViewer.cpp:1892 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4036) content/base/src/nsDocumentViewer.cpp:1899 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4037) content/base/src/nsDocumentViewer.cpp:1914 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy. 4038) content/base/src/nsDocumentViewer.cpp:1916 [4] (buffer) strcat: does not check for buffer overflows. Consider using strncat or strlcat. 4039) content/svg/content/src/nsSVGLength.cpp:286 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4040) content/svg/content/src/nsSVGPathSeg.cpp:210 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4041) content/svg/content/src/nsSVGPathSeg.cpp:319 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4042) content/svg/content/src/nsSVGPathSeg.cpp:427 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4043) content/svg/content/src/nsSVGPathSeg.cpp:536 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4044) content/svg/content/src/nsSVGPathSeg.cpp:651 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4045) content/svg/content/src/nsSVGPathSeg.cpp:823 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4046) content/svg/content/src/nsSVGPathSeg.cpp:991 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4047) content/svg/content/src/nsSVGPathSeg.cpp:1132 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4048) content/svg/content/src/nsSVGPathSeg.cpp:1279 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4049) content/svg/content/src/nsSVGPathSeg.cpp:1469 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4050) content/svg/content/src/nsSVGPathSeg.cpp:1648 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4051) content/svg/content/src/nsSVGPathSeg.cpp:1741 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4052) content/svg/content/src/nsSVGPathSeg.cpp:1834 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4053) content/svg/content/src/nsSVGPathSeg.cpp:1927 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4054) content/svg/content/src/nsSVGPathSeg.cpp:2024 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4055) content/svg/content/src/nsSVGPathSeg.cpp:2164 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4056) content/svg/content/src/nsSVGPathSeg.cpp:2301 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4057) content/svg/content/src/nsSVGPathSeg.cpp:2409 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4058) content/svg/content/src/nsSVGPointList.cpp:230 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4059) content/svg/content/src/nsSVGTransform.cpp:151 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4060) content/svg/content/src/nsSVGTransform.cpp:153 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4061) content/svg/content/src/nsSVGTransform.cpp:159 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4062) content/svg/content/src/nsSVGTransform.cpp:161 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4063) content/svg/content/src/nsSVGTransform.cpp:170 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4064) content/svg/content/src/nsSVGTransform.cpp:172 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4065) content/svg/content/src/nsSVGTransform.cpp:179 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. 4066) content/svg/content/src/nsSVGTransform.cpp:186 [4] (format) snprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
This increases the size of the buffer from 10 to 20 (why not? It's just a little stack space) and changes it from sprintf to snprintf. I also untabified the 40-line section of code that it was in (which was the only tabbed section in the area and rewrapped an overly long comment in the tabbed section, since I'd be taking blame for it anyway.
Same as above, but diff -uw instead of diff -w.
Attachment #102697 -
Attachment description: patch to nsCSSParser (diff -uw) → patch to nsCSSParser (diff -u)
Comment 9•22 years ago
|
||
Comment on attachment 102698 [details] [diff] [review] patch to nsCSSParser (diff -uw) r/sr=bzbarsky
Attachment #102698 -
Flags: superreview+
Comment on attachment 102698 [details] [diff] [review] patch to nsCSSParser (diff -uw) r=heikki But isn't there are way to make this more efficient as jkeiser implied (or maybe I misunderstood), meaning better than copy-to-C-buffer-then-nsString?
Attachment #102698 -
Flags: review+
Comment 11•22 years ago
|
||
Comment on attachment 102698 [details] [diff] [review] patch to nsCSSParser (diff -uw) a=rjesup@wgate.com
Attachment #102698 -
Flags: approval+
Comment on attachment 102698 [details] [diff] [review] patch to nsCSSParser (diff -uw) It's worth noting that snprintf is not portable across all our platforms. (Some of them ifdef it in stdio.h. Look on myotonic for an example.) So this is checked in, but using PR_snprintf. And the testcases on bug 170614 (which I used to test this earlier as well) still seem the same.
Attachment #102698 -
Attachment is obsolete: true
Comment 13•22 years ago
|
||
you know, there is also nsTextFormatter::ssprintf that has nsAString& output - you could print directly into "str" and avoid the extra conversion.
All of the SVG stuff is safe from security perspective, but it could be improved. As Alec suggest, if you have code that sprintfs to a buffer and then puts the buffer into a string object you could achieve that with a single call. SVG had lots of these. Also there is stuff like (nsSVGLength::SetValueAsString()): 301 // XXX how am I supposed to do this ??? 302 // char* str = aValue.ToNewCString(); 303 char* str; 304 { 305 nsAutoString temp(aValueAsString); 306 str = ToNewCString(temp); 307 } I believe you could do char* str = ToNewCString(aValue); In any case, you will need to check if the allocation succeeded. In nsSVGPathSeg.cpp we have a bunch of the format warnings. They are safe, but... I am not sure how many characters a |float| can take when printed with |%g| format; my naive experiments seem to indicate 10, at least on my system. If it can take more, we may end up truncating, especially in nsSVGPathSegCurvetoQuadraticSmoothRel::GetValueString() where we have a buffer of 24 and do "t%g,%g". Closing as fixed.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Component: DOM: Core → DOM: Core & HTML
QA Contact: stummala → general
You need to log in
before you can comment on or make changes to this bug.
Description
•