I ran `bin/lint --all` recently after upgrading the software on my system including `cppcheck` which now reports these warnings:

```
[src/cmd/ksh93/sh/xec.c:2675] error (negativeIndex):
Array 'argv[0]' accessed at index -1, which is out of bounds.
[src/cmd/ksh93/sh/xec.c:2676] error (negativeIndex):
Array 'argv[0]' accessed at index -1, which is out of bounds.
[src/cmd/ksh93/sh/xec.c:2685] error (negativeIndex):
Array 'argv[0]' accessed at index -1, which is out of bounds.
```

This is the block of code in question:

```c
if (nv_isattr(np, NV_FPOSIX) && !sh_isoption(shp, SH_BASH)) {
    char *save;
    int loopcnt = shp->st.loopcnt;
    shp->posix_fun = np;
    save = argv[-1];
    argv[-1] = 0;
    shp->st.funname = nv_name(np);
    shp->last_root = nv_dict(VAR_sh);
    nv_putval(VAR_sh_fun, nv_name(np), NV_NOFREE);
    opt_info.index = opt_info.offset = 0;
    error_info.errors = 0;
    shp->st.loopcnt = 0;
    b_source(argn + 1, argv - 1, &shp->bltindata);
    shp->st.loopcnt = loopcnt;
    argv[-1] = save;
```
This is probably the worst bogosity I've yet encountered in this project. In case it isn't obvious, the code is modifying a random word that precedes the `argv[]` array. That word is unrelated to the contents of `argv[]`. It could even be in a different page of memory and that page might not even be mapped (which would cause a SIGSEGV). The word being temporarily modified could theoretically be accessed by any of the functions called between modifying and restoring the word of memory. This is another case of someone being too clever by half. The entire point of this code is to pass a single non-option argument to `b_source()`.
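An added example, not code from the ksh93 sources or from the issue author: one way to give a builtin an argument vector with an empty name slot in front of the arguments without writing to `argv[-1]`, by building a private vector. `demo_builtin` and `call_with_name_slot` are hypothetical names, and the calling convention (empty slot 0, NULL terminator) is an assumption modelled on the `b_source(argn + 1, argv - 1, ...)` call above.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a builtin such as b_source(). Assumed
 * convention: argv[0] is the command-name slot (may be NULL) and
 * argv[argc] is NULL. Records the first operand, returns the operand
 * count, or -1 if the vector is not NULL terminated. */
static const char *first_operand;

static int demo_builtin(int argc, char **argv) {
    if (argc < 1 || argv[argc] != NULL) return -1;
    first_operand = argc > 1 ? argv[1] : NULL;
    return argc - 1;
}

/* Call the builtin with a private vector instead of borrowing the word
 * in front of the caller's array. Slot 0 is the empty name slot, slots
 * 1..argn hold the caller's pointers, slot argn+1 is the terminator.
 * Neither argv[] nor the memory before it is written.
 * Returns -2 on a bad count or allocation failure. */
static int call_with_name_slot(int argn, char **argv) {
    char **vec;
    int rc;

    if (argn < 0) return -2;
    vec = malloc(((size_t)argn + 2) * sizeof(*vec));
    if (vec == NULL) return -2;
    vec[0] = NULL;
    if (argn > 0) memcpy(vec + 1, argv, (size_t)argn * sizeof(*vec));
    vec[argn + 1] = NULL;
    rc = demo_builtin(argn + 1, vec);
    free(vec);
    return rc;
}

int main(void) {
    /* Constructed sample input. */
    char name[] = "script.sh", arg[] = "arg1";
    char *args[] = {name, arg, NULL};
    return call_with_name_slot(2, args) == 2 ? 0 : 1;
}
```

The copy costs one small allocation per call; in exchange the word preceding the caller's array is never read or written, so the analyzer's `negativeIndex` finding has nothing to flag.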
Source of the quoted block: ast/src/cmd/ksh93/sh/xec.c, lines 2671 to 2685 in 4503830