From 3b6103eec3fadbbf65183a3e240779bde957dbe6 Mon Sep 17 00:00:00 2001 From: Stella Huang Date: Thu, 28 May 2026 14:10:31 -0700 Subject: [PATCH 1/2] Fix TSA #2816216: suppress Flawfinder false positive on Cython DIGIT_PAIRS_8 memcpy Flawfinder's buffer/memcpy rule (CWE-120) fires on any memcpy() call by default. The flagged call sits inside the Cython 3.x integer formatter __Pyx____Pyx_PyUnicode_From_int (case 'o'): memcpy(dpos, DIGIT_PAIRS_8 + digit_pos * 2, 2); It is provably safe: * dpos points into the stack buffer `digits[sizeof(int)*3+2]` (14 bytes for a 32-bit int); `dpos -= 2` immediately precedes the copy and the enclosing do/while loop iterates at most ceil(log_64(max_int)) times, so dpos always stays >= digits. * DIGIT_PAIRS_8 is a 128-byte compile-time constant table containing the 64 two-character octal digit pairs "00".."77". `digit_pos = abs(remaining % 64)`, so `digit_pos * 2` ranges over [0, 126] and reads 2 bytes from offset [0, 127] -- within the table. * The size argument is the compile-time constant 2. Add an inline /* Flawfinder: ignore */ annotation on the flagged line in the Cython-generated pydevd_cython.c and extend the existing post-processing block in setup_pydevd_cython.py so the annotation is re-applied automatically whenever Cython regenerates the .c files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../_vendored/pydevd/_pydevd_bundle/pydevd_cython.c | 2 +- src/debugpy/_vendored/pydevd/setup_pydevd_cython.py | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/src/debugpy/_vendored/pydevd/_pydevd_bundle/pydevd_cython.c b/src/debugpy/_vendored/pydevd/_pydevd_bundle/pydevd_cython.c index 86190bee1..3ab46f473 100644 --- a/src/debugpy/_vendored/pydevd/_pydevd_bundle/pydevd_cython.c +++ b/src/debugpy/_vendored/pydevd/_pydevd_bundle/pydevd_cython.c @@ -45633,7 +45633,7 @@ static CYTHON_INLINE PyObject* __Pyx____Pyx_PyUnicode_From_int(int value, Py_ssi digit_pos = abs((int)(remaining % (8*8))); remaining = (int) (remaining / (8*8)); dpos -= 2; - memcpy(dpos, DIGIT_PAIRS_8 + digit_pos * 2, 2); + memcpy(dpos, DIGIT_PAIRS_8 + digit_pos * 2, 2); /* Flawfinder: ignore */ last_one_off = (digit_pos < 8); break; case 'd': diff --git a/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py b/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py index 14f73f4f8..df7e18fdf 100644 --- a/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py +++ b/src/debugpy/_vendored/pydevd/setup_pydevd_cython.py @@ -177,6 +177,16 @@ def build_extension(dir_name, extension_name, target_pydevd_name, force_cython, c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pxd", "_pydevd_bundle/pydevd_cython.pxd") c_file_contents = c_file_contents.replace(r"_pydevd_bundle\\pydevd_cython.pyx", "_pydevd_bundle/pydevd_cython.pyx") + # Suppress Flawfinder false positive (CWE-120) in the Cython 3.x + # CIntToPyUnicode boilerplate (`__Pyx____Pyx_PyUnicode_From_int`): the destination + # `dpos` is a stack buffer of size `sizeof(int)*3+2`, and `dpos -= 2` immediately + # precedes a 2-byte memcpy from the 128-byte constant table `DIGIT_PAIRS_8` + # indexed by `digit_pos * 2` where `digit_pos = abs(remaining % 64)`. + c_file_contents = c_file_contents.replace( + " memcpy(dpos, DIGIT_PAIRS_8 + digit_pos * 2, 2);\n", + " memcpy(dpos, DIGIT_PAIRS_8 + digit_pos * 2, 2); /* Flawfinder: ignore */\n", + ) + with open(c_file, "w") as stream: stream.write(c_file_contents) From 272f6e5282832350c29de990b92f0dcf09d82d0e Mon Sep 17 00:00:00 2001 From: Stella Huang Date: Thu, 28 May 2026 16:51:59 -0700 Subject: [PATCH 2/2] Fix SyntaxError: add missing closing paren on DIGIT_PAIRS_8 .replace() call Same merge-from-main artifact as #2029: the closing ')' of the new DIGIT_PAIRS_8 '.replace(...)' call was dropped when the 'read