Overview
Examples
Screenshots
Comparisons
Applications
Download
Documentation
Tutorials
Bazaar
Status & Roadmap
FAQ
Authors & License
Forums
Funding Ultimate++
Search on this site
Search in forums












SourceForge.net Logo
Home » U++ Library support » U++ Core » Patch to fix few possible issues
Patch to fix few possible issues [message #56106] Mon, 25 January 2021 15:34 Go to next message
Mindtraveller is currently offline  Mindtraveller
Messages: 917
Registered: August 2007
Location: Russia, Moscow rgn.
Experienced Contributor

hi! I've been working on possible security issues with U++ project and came across PVS-Studio as a nice static analysis tool. Since only U++ Core was used, it was processed by PVS-Studio and a number of potential security-related issues was found (collected in xlsx file). So here is a patch for U++ Core to fix possible issues found (looks like very few of those important).

[Updated on: Mon, 25 January 2021 15:35]

Report message to a moderator

Re: Patch to fix few possible issues [message #56114 is a reply to message #56106] Thu, 28 January 2021 09:37 Go to previous messageGo to next message
mirek is currently offline  mirek
Messages: 13975
Registered: November 2005
Ultimate Member
Only one worth fixing is

Core/Vcont.h 312

Other than that, I am unwilling to change the code just to support a tool with such poor understanding of C++:

Core/Mem.h	316	?	V792 The 'Cmp128' function located to the right of the operator '&' will be called regardless of the value of the left operand. Perhaps, it is better to use '&&'.
Core/Mem.h	330	?	V792 The 'Cmp128' function located to the right of the operator '&' will be called regardless of the value of the left operand. Perhaps, it is better to use '&&'.
Core/Value.h	138	fixed	V557 Array overrun is possible. The '2' index is pointing beyond array bound.
Core/Value.h	139	fixed	V557 Array overrun is possible. The '2' index is pointing beyond array bound.
Core/z.cpp	243	not a bug	V614 Uninitialized buffer 'h' used. Consider checking the first actual argument of the 'Poke32le' function.


On the positive note, I have fixed theide so that goto position now works with Copy of file/line part from the xlsx Smile
Re: Patch to fix few possible issues [message #56121 is a reply to message #56106] Fri, 29 January 2021 08:41 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Hi Mindtraveller

Thank you very much for this. Even detecting some or many false positives, if this tool could catch just one problem I would be happy.
I would be grateful if you could test the packages I manage in main U++ and in Bazaar. I promise to review all detected issues. Thank you.


Best regards
Iñaki
Re: Patch to fix few possible issues [message #56123 is a reply to message #56121] Fri, 29 January 2021 11:30 Go to previous messageGo to next message
Klugier is currently offline  Klugier
Messages: 1075
Registered: September 2012
Location: Poland, Kraków
Senior Contributor
Hello Koldo,

You could try to use flawfinder tool for scanning security issues in the C/C++ code. Sometimes, it produces false positives (Here is the ticket I raised to this tool), but the output are generally acceptable.

Here is the output for Function4U:
Toggle Spoiler


On my distro (Manjaro) you can download flawfinder as a package.

Klugier


U++ - one framework to rule them all.
Re: Patch to fix few possible issues [message #56124 is a reply to message #56121] Fri, 29 January 2021 12:07 Go to previous messageGo to next message
Oblivion is currently offline  Oblivion
Messages: 1091
Registered: August 2007
Senior Contributor
Hello Koldo,

You can also use cppcheck.

I have attached the csv file of Functions4U.

Best regards,
Oblivion


[Updated on: Fri, 29 January 2021 12:14]

Report message to a moderator

Re: Patch to fix few possible issues [message #56134 is a reply to message #56124] Sun, 31 January 2021 09:45 Go to previous messageGo to next message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
Thank you all.

Best regards
Iñaki
Re: Patch to fix few possible issues [message #56171 is a reply to message #56134] Wed, 03 February 2021 09:22 Go to previous message
koldo is currently offline  koldo
Messages: 3355
Registered: August 2008
Senior Veteran
After reviewing both:

- flawfinder gives generic advices, e.g., if it finds a system() call, it advices to replace it with the specific OS function. Not bad, but generic
- cppcheck seems to really check the sources in detail, giving very specific advices

So cppcheck, although it sometimes fails, seems more useful.


Best regards
Iñaki
Previous Topic: WebSocket Clear method don't clear error
Next Topic: Help to setup U++ on vs code.
Goto Forum:
  


Current Time: Thu Mar 28 16:29:04 CET 2024

Total time taken to generate the page: 0.01176 seconds