Hello,
On Sun, Dec 18, 2016 at 1:14 PM, <ph10@???> wrote:
> On Sun, 18 Dec 2016, Giuseppe D'Angelo wrote:
>
>> It occurred to me that PCRE2 is not on Coverity Scan. As I uploaded a
>> build of PCRE2 as part of Qt, Coverity raised a bunch of issues in its
>> code. I can't judge if they're false positives.
>
> Did you upload the current head or the previous release? The current
> head has had a number of issues fixed as a result of ongoing fuzzing
> testing by at least two groups.
It was indeed the 10.22 tarball, which ships as part of Qt.
>
>> Do you think
>>
>> * it's worth having a pcre2 project on Coverity?
>
> I don't know enough (anything :-) about Coverity to answer that
> question. What issues did it raise?
Unfortunately I don't get access to those results because the 3rd
party code does not get added into the detailed reports for Qt.
I can only get a summary and from it I can't quite judge what Coverity
is thinking about the issue. For instance:
*** CID 11125: Null pointer dereferences (FORWARD_NULL)
/qtbase/src/3rdparty/pcre2/src/pcre2_jit_compile.c: 10408 in compile_braminzero_backtrackingpath()
10402   current->top = NULL;
10403   current->topbacktracks = NULL;
10404   current->nextbacktracks = NULL;
10405   if (current->cc[1] > OP_ASSERTBACK_NOT)
10406     {
10407     /* Manual call of compile_bracket_matchingpath and compile_bracket_backtrackingpath. */
>>>     CID 11125: Null pointer dereferences (FORWARD_NULL)
>>>     Although "compile_bracket_matchingpath" does overwrite "current->top" on some paths, it also contains at least one feasible path which does not overwrite it.
10408     compile_bracket_matchingpath(common, current->cc, current);
10409     compile_bracket_backtrackingpath(common, current->top);
10410     }
10411   else
10412     {
10413     memset(&backtrack, 0, sizeof(backtrack));
>> * it's worth setting up regular scans of it? I can do it weekly.
>
> If the issues raised are real, then it probably is worth it.
Ok, then, can I just go ahead and ask for a PCRE2 project?
>> Note that there's already a pcre project [1], which seems to be
>> unused. We might just reuse that, but I need permissions to upload
>> builds there.
>>
>> [1] https://scan.coverity.com/projects/pcre?tab=overview
>
> As I don't have a Coverity account, I can't see that (and I don't think
> it's worth creating an account myself).
Right, it looks like only Zoltan can add more people to it.
Cheers,
--
Giuseppe D'Angelo
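The FORWARD_NULL finding quoted above follows a fixed shape: a field is explicitly assigned NULL, a callee overwrites it on some paths but not all, and the field is then passed to a function that dereferences it. The following is an added, constructed C analogue of that shape, written for this page; it is not PCRE2 code, and every name in it (node, matching_path, backtracking_path, the KIND_* values) is hypothetical. It exists only to show what the checker is reasoning about; whether the non-overwriting path in compile_bracket_matchingpath is actually reachable under the `current->cc[1] > OP_ASSERTBACK_NOT` guard is exactly the question the thread leaves open.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the backtrack structure in the report: "kind"
   plays the role of current->cc[1] and "top" the role of current->top. */
typedef struct node {
    int kind;
    struct node *top;
    int depth;
} node;

enum { KIND_PLAIN = 0, KIND_ASSERT = 1, KIND_GROUP = 2 };

/* Stand-in for compile_bracket_matchingpath: it overwrites cur->top on
   some paths (KIND_PLAIN, KIND_GROUP) but returns without touching it on
   another (KIND_ASSERT).  That second path is what the checker calls
   "at least one feasible path which does not overwrite it". */
static void matching_path(node *cur, node *child)
{
    if (cur->kind == KIND_ASSERT)
        return;                            /* cur->top is left as it was */
    child->depth = cur->depth + 1;
    cur->top = child;
}

/* Stand-in for compile_bracket_backtrackingpath: dereferences its argument
   unconditionally, so it is the sink of the FORWARD_NULL chain. */
static int backtracking_path(node *top)
{
    return top->depth;
}

/* Audit helper: does matching_path() overwrite cur->top for this kind?
   Returns 1 if it does, 0 if the field keeps its NULL initial value. */
int matching_path_sets_top(int kind)
{
    node child = { KIND_PLAIN, NULL, 0 };
    node cur = { kind, NULL, 0 };
    matching_path(&cur, &child);
    return cur.top != NULL;
}

/* The reported shape with a guard inserted before the sink.  Returns the
   depth recorded in the child, or -1 on the path where top stayed NULL,
   which is the call that would fault without the guard. */
int compile_guarded(node *cur, node *child)
{
    cur->top = NULL;                       /* the explicit NULL the checker tracks */
    matching_path(cur, child);
    if (cur->top == NULL)                  /* the check the reported code lacks */
        return -1;
    return backtracking_path(cur->top);
}

/* One call builds the two nodes and runs the guarded path for a kind. */
int run_case(int kind, int depth)
{
    node child = { KIND_PLAIN, NULL, 0 };
    node cur = { kind, NULL, depth };
    return compile_guarded(&cur, &child);
}

int main(void)
{
    static const int kinds[] = { KIND_PLAIN, KIND_ASSERT, KIND_GROUP };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++) {
        int kind = kinds[i];
        printf("kind %d: top set by matching_path = %d, guarded result = %d\n",
               kind, matching_path_sets_top(kind), run_case(kind, 3));
    }
    return 0;
}
```

The guard in compile_guarded() is there so the example can exercise the NULL path safely; for a real finding the first step is the opposite, namely to check whether the enclosing condition makes the non-overwriting path infeasible, in which case the CID is a false positive to be marked as such rather than a place to add a check.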