Potential undefined value in specpack and simpack functions #487

Open
LightningRS opened this issue Mar 10, 2024 · 1 comment · May be fixed by #529
Labels: question (Further information is requested)

@LightningRS

During a recent analysis of our project using our internally developed static analysis tool, canalyze, we discovered a potential issue with undefined values in the specpack and simpack functions.

Execution path:

  1. In specpack.c at line 33, the input parameter MM for the specpack function is of type g2int, which is a signed integer type.
  2. In specpack.c at line 57, memory space for the tfld array is dynamically allocated.
  3. In specpack.c within lines 63-84, the tfld array is assigned values at lines 80-81.
  4. If the input parameter MM has a negative value, the for-loop starting in specpack.c at line 63 will not execute, leaving the elements of the tfld array uninitialized.
  5. In specpack.c at line 103, the simpack function is called, passing in the pointer to the uninitialized tfld array.
  6. In simpack.c at lines 56-57, the simpack function directly accesses the first element of the fld array using fld[0], at which point this value is an undefined value.

When the specpack function is called with an inadvertently negative MM value, it may lead to the aforementioned issue with undefined values.

Suggested fix: Change the type of input parameter MM for the specpack function to g2intu, which is an unsigned integer type.
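The pattern described in this report, as an added illustration that is not the library's specpack/simpack code: a signed element count drives a fill loop over a freshly allocated buffer, so a non-positive count skips the loop and the consumer reads the first element uninitialized. The hardened variant rejects the bad count before allocating and zero-fills the buffer as defense in depth. The typedef for g2int, the function names, the buffer-length argument n and the return codes are assumptions constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

typedef int g2int;  /* assumption: stands in for the library's signed g2int */

enum { PACK_OK = 0, PACK_BAD_COUNT = -1, PACK_NOMEM = -2 };

/* How many elements a `for (j = 0; j < mm; j++)` fill loop initializes.
 * A negative (or zero) mm gives zero iterations, the root of the report. */
size_t initialized_count(g2int mm)
{
    return mm > 0 ? (size_t)mm : 0;
}

/* Sketch of the reported pattern (constructed, not specpack's code).
 * n is the buffer length derived elsewhere; mm is the caller's signed count.
 * If mm <= 0 the loop is skipped and tfld[0] is read uninitialized, which
 * is undefined behaviour, so this version must never be given such an mm. */
int pack_unchecked(g2int mm, size_t n, const float *src, float *first_out)
{
    float *tfld = malloc(n * sizeof *tfld);
    if (!tfld) return PACK_NOMEM;
    for (g2int j = 0; j < mm; j++)      /* zero iterations when mm <= 0 */
        tfld[j] = src[j];
    *first_out = tfld[0];               /* the simpack-style fld[0] read */
    free(tfld);
    return PACK_OK;
}

/* Hardened variant: reject a count that would skip the fill loop or
 * overrun the buffer before any allocation, and zero-fill the buffer so
 * every element the consumer can reach holds a defined value. */
int pack_checked(g2int mm, size_t n, const float *src, float *first_out)
{
    if (mm <= 0 || (size_t)mm > n) return PACK_BAD_COUNT;
    float *tfld = calloc(n, sizeof *tfld);
    if (!tfld) return PACK_NOMEM;
    for (g2int j = 0; j < mm; j++)
        tfld[j] = src[j];
    *first_out = tfld[0];               /* always initialized here */
    free(tfld);
    return PACK_OK;
}

int main(void)
{
    const float src[3] = {2.5f, 1.0f, 0.5f};   /* constructed sample field */
    float first = 0.0f;
    int rc = pack_checked(-1, 3, src, &first);
    printf("mm=-1: rc=%d, elements a fill loop would initialize: %zu\n",
           rc, initialized_count(-1));
    rc = pack_checked(3, 3, src, &first);
    printf("mm=3:  rc=%d, first element=%g\n", rc, first);
    return 0;
}
```

Whatever the parameter's declared type, an explicit range check on the value plus zero-initialization of the buffer is what guarantees the consumer's fld[0] read sees a defined value; the check also fails closed on a count larger than the buffer, which a loop bound alone would not catch.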

@edwardhartnett (Contributor)

Thanks for this, I will take a look and fix this for the next release...
