plusvic
commented
8 months ago As a general advice it makes sense, but in this specific case atoi and atof are used only after making sure the input are actually valid integers or floats respectively. Unfortunately code analysis tools are not smart enough, and some of their suggestions must be taken with a grain of salt because they sometime don't make sense for your program. Please don't copy and paste the output of code analysis tools without fully understanding what they mean or how they apply to the actual code base.
DESCRIPTION The process of parsing numbers from strings can result in several errors that need to be detected and addressed when using a C Standard Library function. These errors include cases where the string does not contain a number, or contains a number that is out of range.
To handle these error conditions, it is recommended to use one of the C Standard Library strto() (like strtol(), strtoll(), strtoimax() and others) functions to parse integer or floating-point numbers from strings. These functions provide more robust error handling compared to ato() (like atoi(), atol(), and others) or sscanf.
It is also essential to use the strtol() function to convert to smaller signed integer types, such as signed int, signed short, and signed char, and test the result against the range limits for that type. Similarly, use the strtoul() function to convert to smaller unsigned integer types, such as unsigned int, unsigned short, and unsigned char, and test the result against the range limits for that type.
'atof' reports no conversion errors. Use strtod instead here : /yara/blob/master/cli/common.c#L168-L168 and L172 L182 L178
Read more here : https://wiki.sei.cmu.edu/confluence/display/c/ERR34-C.+Detect+errors+when+converting+a+string+to+a+number