File _service:tar_scm_kernel_repo:backport-lib-suppress-false-positive-Wanalyzer-out-of-bounds.patch of Package gnutls
From 7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Mon Sep 17 00:00:00 2001 From: Daiki Ueno <ueno@gnu.org> Date: Wed, 7 Jun 2023 16:44:00 +0200 Subject: [PATCH] lib: suppress false-positive -Wanalyzer-out-of-bounds GCC analyzer from GCC 13 reports this: verify-high.c:1471:21: error: stack-based buffer over-read [CWE-126] [-Werror=analyzer-out-of-bounds] 1471 | if (gnutls_x509_trust_list_get_issuer( | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1472 | list, cert_list[i - 1], &issuer, This is false-positive, as i is always in a range 0 < i < cert_list_size. Signed-off-by: Daiki Ueno <ueno@gnu.org> Reference: https://gitlab.com/gnutls/gnutls/-/commit/7e7b8ed89c93b5f95367eeab1b4f06fc2ac83581 Conflict: NA --- lib/x509/verify-high.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 2c070b0..02d2f0f 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1421,7 +1421,7 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, for (i = 0; i < cert_list_size && cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH; ) { unsigned int sorted_size = 1; - unsigned int j; + unsigned int j, k; gnutls_x509_crt_t issuer; if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN)) { @@ -1429,6 +1429,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, cert_list_size - i); } + assert(sorted_size > 0); + /* Remove duplicates. Start with index 1, as the first element * may be re-checked after issuer retrieval. */ for (j = 0; j < sorted_size; j++) { 
@@ -1448,13 +1450,20 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, } /* Record the certificates seen. */ - for (j = 0; j < sorted_size; j++, i++) { + for (k = 0; k < sorted_size; k++, i++) { if (!gl_list_nx_add_last(records, cert_list[i])) { ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); goto cleanup; } } + /* Pacify GCC analyzer: the condition always holds + * true as sorted_size > 0 is checked above, and the + * following loop should iterate at least once so i++ + * is called. + */ + assert(i > 0); + /* If the issuer of the certificate is known, no need * for further processing. */ if (gnutls_x509_trust_list_get_issuer(list, -- 2.33.0
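Review bot: In the first hunk (`@@ -1421,7 +1421,7 @@`, the added `assert(sorted_size > 0);`), `assert` is compiled out when `NDEBUG` is defined, so in release builds it neither enforces the invariant nor returns an error; it only documents the invariant for the analyzer, which the commit message should say explicitly. The hunk does not show what the sort call before the assert returns, so confirm it cannot yield 0 before relying on an assert (which aborts in debug builds) rather than a `gnutls_assert_val(...)` error return. Also confirm `verify-high.c` already includes `<assert.h>`; the hunk does not add the include.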
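Review bot: In the second hunk (`@@ -1448,13 +1450,20 @@`), the added comment says "the following loop should iterate at least once so i++ is called", but the comment is placed after the loop it describes (`for (k = 0; k < sorted_size; k++, i++)`), so "following" should read "preceding" or "the loop above". The switch of the loop counter from `j` to the new variable `k` is not explained in the commit message; a sentence on why a fresh counter is needed for the analyzer would help future readers.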