Skip to content

TGNumberEntry string length checks are inaccurate/dangerous. #17334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
pcanal opened this issue Dec 26, 2024 · 3 comments · Fixed by #18435
Closed

TGNumberEntry string length checks are inaccurate/dangerous. #17334

pcanal opened this issue Dec 26, 2024 · 3 comments · Fixed by #18435
Assignees
@bellenot @dpiparo
Labels
bug

Comments

@pcanal
Copy link
Member

pcanal commented Dec 26, 2024
edited
Loading

As seen in #16913, there is some attempt to guarantee that there will be no write past the end of buffer in the string manipulations. However in several places, it fall short (literally or maybe missing documentation).

We should consider replacing the fixed size buffer or improving the bound checks.

Namely the routines seems to assume that the buffer has a fixed length of 256 but in several place, the buffer is offset compare to its actual beginning.

StrInt(char *text, Long_t i, Int_t digits) hard-codes the length 250 for its input buffer, we should pass the actual length left there. In particular line TGNumberEntry.cxx:310 and TGNumberEntry.cxx:316 needs to be updated.

We should also review the rest TGNumberEntry.cxx for similar problematic patterns.
@pcanal pcanal added the bug label Dec 26, 2024
@ferdymercury
Copy link
Collaborator

Additional warnings by clang-tidy:

/opt/root_src/gui/gui/src/TGNumberEntry.cxx:317:7: warning: Value stored to 'p' is never read [clang-analyzer-deadcode.DeadStores]
 1: Value stored to 'p' is never read in /opt/root_src/gui/gui/src/TGNumberEntry.cxx:317
/opt/root_src/gui/gui/src/TGNumberEntry.cxx:445:4: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
 1: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 in /opt/root_src/gui/gui/src/TGNumberEntry.cxx:445
/opt/root_src/gui/gui/src/TGNumberEntry.cxx:452:7: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
 1: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 in /opt/root_src/gui/gui/src/TGNumberEntry.cxx:452
/opt/root_src/gui/gui/src/TGNumberEntry.cxx:455:7: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
 1: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 in /opt/root_src/gui/gui/src/TGNumberEntry.cxx:455
/opt/root_src/gui/gui/src/TGNumberEntry.cxx:596:7: warning: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 [clang-analyzer-security.insecureAPI.strcpy]
 1: Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119 in /opt/root_src/gui/gui/src/TGNumberEntry.cxx:596

@silverweed
Copy link
Contributor

silverweed commented Apr 17, 2025
edited
Loading

We should also review the rest TGNumberEntry.cxx for similar problematic patterns.

I had a look at the code and I was left in awe by how abysmally it is written. Many of the conversion functions are redundant at best and plain wrong at worst, moreover they are written with no regards to efficiency (or memory safety) at all.

Here is a taste of it (comments added by me):

 for (UInt_t i = 0; i < strlen(p); i++) { // recomputing strlen every time
      if (isdigit(*p)) { // always testing the same character??
         found++;        // doesn't look like it's doing what it would like to do
      }
  }
  while (found < digits) {
      // coverity[secure_coding] // what?? 
     // again, recomputing strlen every time
     // also, unsafe function being used (with no bounds checking)
     // also, this whole loop is redudant (why do 1 chr at a time?)
      strcpy(p + strlen(p), "0"); 
      found++; 
   }

Is this code actually used? Can we deprecate and remove it? If not, we should really rewrite most of this stuff...

@silverweed silverweed mentioned this issue Apr 17, 2025
Merged
2 tasks
@ferdymercury
Copy link
Collaborator

ferdymercury commented Apr 17, 2025
edited
Loading

I use this code actively for my GUI classes, please don't deprecate the class :). (Feel free though to remove useless parts within it)
I started fixing things but got scared about the many unsafe spots so left it for later.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bellenot bellenot

@dpiparo dpiparo

Labels
bug
Projects
Fixed in 6.38.00
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[gui] Some fixes to TGNumberEntry silverweed/root
5 participants
@pcanal @bellenot @silverweed @dpiparo @ferdymercury