There's the following defect in diffutils-3.10 (gnulib) found by covscan. The memory dfa->eclosure points to is not initialized. It looks like a true positive.
Error: UNINIT (CWE-457): diffutils-3.10/lib/regcomp.c:1134: alloc_fn: Calling "malloc" which returns uninitialized memory. diffutils-3.10/lib/regcomp.c:1134: assign: Assigning: "dfa->eclosures" = "(re_node_set *)malloc(dfa->nodes_alloc * 24UL)", which points to uninitialized data. diffutils-3.10/lib/regcomp.c:1177: uninit_use_in_call: Using uninitialized value "dfa->eclosures->elems" when calling "calc_inveclosure". diffutils-3.10/lib/regcomp.c:1177: uninit_use_in_call: Using uninitialized value "dfa->eclosures->nelem" when calling "calc_inveclosure". # 1226| if (__glibc_unlikely (dfa->inveclosures == NULL)) # 1227| return REG_ESPACE; # 1228|-> ret = calc_inveclosure (dfa); # 1229| } # 1230| maybe add a loop to iterate through all elements and call re_node_set_init_empty to initialize each element like this? diff -up diffutils-3.10/lib/regcomp.c.orig diffutils-3.10/lib/regcomp.c --- diffutils-3.10/lib/regcomp.c.orig 2024-07-22 19:06:27.783986757 +0200 +++ diffutils-3.10/lib/regcomp.c 2024-07-22 19:10:41.303397164 +0200 @@ -1136,6 +1136,10 @@ analyze (regex_t *preg) || dfa->edests == NULL || dfa->eclosures == NULL)) return REG_ESPACE; + // Initialize each element (for example, set them all to an empty node set) + for (Idx i = 0; i < dfa->nodes_alloc; ++i) { + re_node_set_init_empty(dfa->eclosures + i); + } dfa->subexp_map = re_malloc (Idx, preg->re_nsub); if (dfa->subexp_map != NULL) { Thanks! Wasser
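Review bot: the added loop in analyze () sets every one of the dfa->nodes_alloc entries to an empty set, which makes the reads of `dfa->eclosures->elems` and `dfa->eclosures->nelem` reported at line 1177 defined, but nothing in the hunk says whether those entries are expected to be filled in before calc_inveclosure is called. If they are always populated by then, the loop only quiets the checker, and the comment should say that rather than "for example, set them all to an empty node set". If some can be left unfilled, the message should explain why an empty set is the correct value for them. The same NULL check also covers dfa->edests, so it is worth confirming whether that array needs the same treatment. On style, the `//` comment, the `Idx i` declared inside the `for`, the braces around a single statement and the missing space in `re_node_set_init_empty(` do not match the surrounding context lines, which write `re_malloc (Idx, preg->re_nsub)` and put the opening brace on its own line.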