VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Missing error handling while converting a string to a number, using C stdlib functions #1972

Closed. philipjonsen closed this 11 months ago.

philipjonsen commented 1 year ago

DESCRIPTION

The process of parsing numbers from strings can result in several errors that need to be detected and addressed when using a C Standard Library function. These errors include cases where the string does not contain a number, or contains a number that is out of range.

To handle these error conditions, it is recommended to use one of the C Standard Library strto() (like strtol(), strtoll(), strtoimax() and others) functions to parse integer or floating-point numbers from strings. These functions provide more robust error handling compared to ato() (like atoi(), atol(), and others) or sscanf.

It is also essential to use the strtol() function to convert to smaller signed integer types, such as signed int, signed short, and signed char, and test the result against the range limits for that type. Similarly, use the strtoul() function to convert to smaller unsigned integer types, such as unsigned int, unsigned short, and unsigned char, and test the result against the range limits for that type.

'atof' reports no conversion errors. Use strtod instead here: /yara/blob/master/cli/common.c#L168-L168 and L172 L182 L178

Read more here: https://wiki.sei.cmu.edu/confluence/display/c/ERR34-C.+Detect+errors+when+converting+a+string+to+a+number
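The strict parsing pattern the report recommends, written out as an added example (not code from the yara repository): each helper treats "no digits", trailing characters and out-of-range values as errors, and the int version narrows strtol's long result with an explicit INT_MIN/INT_MAX check, which is the part ERR34-C says atoi() cannot do.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Strict int parser: unlike atoi(), it rejects strings with no digits,
 * trailing garbage, overflow of long, and values that do not fit int. */
bool parse_int_strict(const char *s, int *out)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return false;                   /* empty or leading whitespace */
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return false;                   /* nothing parsed, or junk after */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return false;                   /* out of range for long or int */
    *out = (int)v;
    return true;
}

/* Strict double parser: atof() cannot signal failure, strtod() can. */
bool parse_double_strict(const char *s, double *out)
{
    char *end;
    double v;
    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return false;
    errno = 0;
    v = strtod(s, &end);
    if (end == s || *end != '\0' || errno == ERANGE)
        return false;                   /* no number, junk, over/underflow */
    *out = v;
    return true;
}

int main(void)
{   /* constructed sample inputs, not from any real command line */
    const char *samples[] = { "42", "-7x", "", "2147483648", "3.5", "1e999" };
    int i; double d;
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-11s int:%-3s double:%s\n", samples[k],
               parse_int_strict(samples[k], &i) ? "ok" : "err",
               parse_double_strict(samples[k], &d) ? "ok" : "err");
    return 0;
}
```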

plusvic commented 11 months ago

As a general advice it makes sense, but in this specific case atoi and atof are used only after making sure the inputs are actually valid integers or floats respectively. Unfortunately code analysis tools are not smart enough, and some of their suggestions must be taken with a grain of salt because they sometimes don't make sense for your program. Please don't copy and paste the output of code analysis tools without fully understanding what they mean or how they apply to the actual code base.