liquidaty / zsv

zsv+lib: tabular data swiss-army knife CLI + world's fastest (simd) CSV parser
MIT License

minor cleanup for code scan #194

Closed liquidaty closed 1 week ago

liquidaty commented 2 weeks ago
iamazeem commented 2 weeks ago

@liquidaty: Please review. The formatting and tests issues have been fixed. Thanks!

iamazeem commented 1 week ago

CodeQL Code Scanning Report for this branch: https://github.com/liquidaty/zsv/security/code-scanning?query=is%3Aopen+branch%3Acleanup-20240919

Apparently, the first two are fixable. The last two may also be fixed by writing our own function to encode the SQL query. :thinking: The rest, the third-party ones coming from the SQLite3 source, may be marked as "won't fix".

iamazeem commented 1 week ago

Just verified with clang-format 18.1.3 on https://clang-format-configurator.site with our config that this line:

if(err)

is being formatted correctly, i.e.:

-if(err)
+if (err)

iamazeem commented 1 week ago

Looked into these CodeQL issues:

Both seem to be false positives.

Tried setting the respective pointer to NULL. No effect. Tried alternate if-else flows for both cases but they had no effect:

zsv.c

  parser->fixed.offsets = calloc(count, sizeof(*parser->fixed.offsets));
  if (parser->fixed.offsets) {
    parser->fixed.count = count;
    for (unsigned i = 0; i < count; i++)
      parser->fixed.offsets[i] = offsets[i];
  } else {
    fprintf(stderr, "Out of memory!\n");
    return zsv_status_memory;
  }

select.c

        free(data.fixed.offsets);
        data.fixed.offsets = malloc(data.fixed.count * sizeof(*data.fixed.offsets));
        if (data.fixed.offsets) {
          size_t count = 0;
          const char *start = argv[arg_i];
          for (const char *end = argv[arg_i];; end++) {
            if (*end == ',' || *end == '\0') {
              if (sscanf(start, "%zu,", &data.fixed.offsets[count++]) != 1) {
                stat = zsv_printerr(1, "Invalid offset: %.*s\n", end - start, start);
                break;
              } else if (*end == '\0')
                break;
              else {
                start = end + 1;
                if (*start == '\0')
                  break;
              }
            }
          }
        } else {
          fprintf(stderr, "Out of memory!\n");
          return zsv_status_memory;
        }

Tested with "out of memory" check first too. No effect at all.

Also, on these checks, there's this warning:

WARNING: This check is an approximation, so some results may not be actual defects in the program. It is not possible in general to compute the values of pointers without running the program with all input data.

Given the above, it looks like these can safely be marked/dismissed as false positives from their respective links.