1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
The following issue has been found by Coverity static analysis tool.
Error: STRING_OVERFLOW (CWE-120): [#def53]
gd-2.0.35/annotate.c:42: cond_false: Condition "argc != 3", taking false branch
gd-2.0.35/annotate.c:60: if_end: End of if statement
gd-2.0.35/annotate.c:64: cond_false: Condition "!in", taking false branch
gd-2.0.35/annotate.c:68: if_end: End of if statement
gd-2.0.35/annotate.c:75: cond_false: Condition "!im", taking false branch
gd-2.0.35/annotate.c:79: if_end: End of if statement
gd-2.0.35/annotate.c:80: cond_true: Condition "fgets(s, 1024 /* sizeof (s) */, stdin)", taking true branch
gd-2.0.35/annotate.c:85: cond_false: Condition "!st", taking false branch
gd-2.0.35/annotate.c:89: if_end: End of if statement
gd-2.0.35/annotate.c:90: cond_true: Condition "!__coverity_strcmp(st, "font")", taking true branch
gd-2.0.35/annotate.c:93: cond_false: Condition "!st", taking false branch
gd-2.0.35/annotate.c:96: if_end: End of if statement
gd-2.0.35/annotate.c:97: fixed_size_dest: You might overrun the 1024 byte fixed-size string "font" by copying "st" without checking the length.
diff -up gd-2.0.35/annotate.c.sa3 gd-2.0.35/annotate.c
--- gd-2.0.35/annotate.c.sa3 2012-12-05 17:26:21.157729019 +0100
+++ gd-2.0.35/annotate.c 2012-12-05 17:27:31.762762209 +0100
@@ -94,6 +94,10 @@ main (int argc, char *argv[])
{
goto badLine;
}
+ if (strlen(st) >= sizeof(font) - 1)
+ {
+ goto badLine;
+ }
strcpy (font, st);
}
else if (!strcmp (st, "align"))
|