Re: [pcre-dev] PCRE2 on Coverity Scan

Page principale
Supprimer ce message
Auteur: Giuseppe D'Angelo
Date:  
À: pcre-dev
Sujet: Re: [pcre-dev] PCRE2 on Coverity Scan
Hello,

On Sun, Dec 18, 2016 at 1:14 PM, <ph10@???> wrote:
> On Sun, 18 Dec 2016, Giuseppe D'Angelo wrote:
>
>> It occured to me that PCRE2 is not on Coverity Scan. As I uploaded a
>> build of PCRE2 as part of Qt, Coverity raised a bunch of issues in its
>> code. I can't judge if they're false positives.
>
> Did you upload the current head or the previous release? The current
> head has had a number of issues fixed as a result of ongoing fuzzing
> testing by at least two groups.


It was indeed the 10.22 tarball, which ships as part of Qt.

>
>> Do you think
>>
>> * it's worth to have a pcre2 project on Coverity?
>
> I don't know enough (anything :-) about Coverity to answer that
> question. What issues did it raise?


Unfortunately I don't get access to those results because the 3rd
party code does not get added into the detailed reports for Qt.

I can only get a summary and from it I can't quite judge what Coverity
is thinking about the issue. For instance:

*** CID 11125:  Null pointer dereferences  (FORWARD_NULL)
/qtbase/src/3rdparty/pcre2/src/pcre2_jit_compile.c: 10408 in
compile_braminzero_backtrackingpath()
10402     current->top = NULL;
10403     current->topbacktracks = NULL;
10404     current->nextbacktracks = NULL;
10405     if (current->cc[1] > OP_ASSERTBACK_NOT)
10406       {
10407       /* Manual call of compile_bracket_matchingpath and
compile_bracket_backtrackingpath. */

>>>     CID 11125:  Null pointer dereferences  (FORWARD_NULL)
>>>     Although "compile_bracket_matchingpath" does overwrite "current->top" on some paths, it also contains at least one feasible path which does not overwrite it.

10408       compile_bracket_matchingpath(common, current->cc, current);
10409       compile_bracket_backtrackingpath(common, current->top);
10410       }
10411     else
10412       {
10413       memset(&backtrack, 0, sizeof(backtrack));



>> * it's worth to set up regular scans of it? I can do it weekly.
>
> If the issues raised are real, then it probably is worth it.


Ok, then, can I just go ahead and ask for a PCRE2 project?


>> Note that there's already a pcre project [1], which seems to be
>> unused. We might just reuse that, but I need permissions to upload
>> builds there.
>>
>> [1] https://scan.coverity.com/projects/pcre?tab=overview
>
> As I don't have a Coverity account, I can't see that (and I don't think
> it's work creating an account myself).


Right, it looks like only Zoltan can add more people to it.

Cheers,
--
Giuseppe D'Angelo