search

intel / QATzip

Compression Library accelerated by Intel® QuickAssist Technology
https://developer.intel.com/quickassist
Other
140 stars 52 forks source link

printing uninitialized value blk->size in function parseFormatOption #110

Closed ColinIanKing closed 3 months ago

ColinIanKing commented 9 months ago

Static analysis shows that blk->size is not initialized in malloc call in line 252 and so garbage can be printed in line 272. The analysis below starts at step #7 and following each strep one can see blk->size is allocated from the heap (and not zero'd) and being printed later on. Suggest either assigning blk->size to zero after the malloc on line 252 or replacing malloc with calloc call.

204 QzBlock_T *parseFormatOption(char *buf)
205 {
206     char *str = buf, *sub_str = NULL;
207     char *delim = "/", *sub_delim = ":";
208     char *token, *sub_token;
209     char *saveptr, *sub_saveptr;
210  
211     int i, j, fmt_idx;
212     unsigned int fmt_found = 0;
213     QzBlock_T *blk = NULL;
214     QzBlock_T *head, *prev, *r;
215     unsigned int list_len = sizeof(g_format_list) / sizeof(QzFormat_T);
216  
217     head = malloc(sizeof(QzBlock_T));
218     assert(NULL != head);

step #7
    Assuming 'head' is not equal to null    
step #8 
    Taking true branch  

219     head->next = NULL;
220     prev = head;
221  
222     for (i = 1; ; i++, str = NULL) {

step #9 
    Loop condition is true.  Entering loop body 

step #28
    Loop condition is true.  Entering loop body 

223         token = strtok_r(str, delim, &saveptr);
224         if (NULL == token) {

step #10
    Assuming 'token' is not equal to NULL   
step #11
    Taking false branch 

step #29
    Assuming 'token' is equal to NULL   
step #30
    Taking true branch  
step #31
     Execution continues on line 269    

226         }
227         QZ_DEBUG("String[%d]: %s\n", i, token);
228  
229         fmt_found = 0;
230         blk = NULL;
231  
232         for (j = 1, sub_str = token; ; j++, sub_str = NULL) {

step #12
    Loop condition is true.  Entering loop body 

step #23
    Loop condition is true.  Entering loop body 

233             sub_token = strtok_r(sub_str, sub_delim, &sub_saveptr);
234             if (NULL == sub_token) {

step #13
    Assuming 'sub_token' is not equal to NULL   
step #14
    Taking false branch 

step #24
    Assuming 'sub_token' is equal to NULL   
step #25
    Taking true branch  

235                 break;

step #26
     Execution continues on line 264    

236             }
237             QZ_DEBUG(" -[%d]-> %s\n", j, sub_token);
238  
239             if (fmt_found) {

step #15
    Taking false branch 

240                 blk->size = atoi(sub_token);
241                 break;
242             }
243  
244             char *tmp = sub_token;
245             while (*tmp) {

step #16    
    Loop condition is false. Execution continues on line 250    

246                 *tmp = GET_LOWER_8BITS(toupper(*tmp));
247                 tmp++;
248             }
249  
250             for (fmt_idx = 0; fmt_idx < list_len; fmt_idx++) {

step #17
    Loop condition is true.  Entering loop body 

251                 if (0 == strcmp(sub_token, g_format_list[fmt_idx].fmt_name)) {

step #18
    Taking true branch  

252                     blk = malloc(sizeof(QzBlock_T));

step #19
    Uninitialized value stored to field 'size'  

253                     assert(NULL != blk);

step #20
    Assuming 'blk' is not equal to null 
step #21
    Taking true branch  

254  
255                     blk->fmt = g_format_list[fmt_idx].fmt;
256                     blk->next = NULL;
257                     prev->next = blk;
258                     fmt_found = 1;
259                     break;

step #22
     Execution continues on line 232    

260                 }
261             }
262         }
263  
264         if (NULL != blk) {

step #27
    Taking true branch  

265             prev = blk;
266         }
267     }
268  
269     blk = head->next;
270     i = 1;
271     while (blk) {

step #32
    Loop condition is true.  Entering loop body 
272         QZ_PRINT("[INFO] Block%d:  format -%8s, \tsize - %d\n",

step #33    
    4th function call argument is an uninitialized value

273                  i++, g_format_list[blk->fmt - 1].fmt_name, blk->size);
274         blk = blk->next;
275     }
276  
277     if (NULL == head->next) {
278         r = head->next;
279         free(head);
280     } else {
281         r = head;
282     }
283     return r;
284 }
285
GarenJian-Intel commented 8 months ago

Thanks for the suggestion. Created jira ticket to track it: https://jira.devtools.intel.com/browse/QATAPP-31729