----- Original Message -----
> Hi Folks,
>
> We recently started using Sentry (static analysis tool) to analyze
> apache httpd on a nightly basis. Sentry found a potential uninitialized
> variable in mod_data.c added in commit 1133582.

I think our human review machine already caught that one
http://mail-archives.apache.org/mod_mbox/httpd-dev/201106.mbox/%3c4df07362.3060...@apache.org%3E

> I'm not sure if this case is actually possible at runtime, but
> I'll describe it here. Note, you can view the file I'm talking
> about here,
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/filters/mod_data.c?revision=1133582&view=markup&pathrev=1133582
>
> static apr_status_t data_out_filter(...
> {
>     ...
>     if (!ctx) {
>         ...
>         // EVENT 1: charset is uninitialized
>         char *charset;
>         ...
>         // EVENT 2: Take false path here
>         if (!ap_is_initial_req(f->r)) {
>             ap_remove_output_filter(f);
>             return ap_pass_brigade(f->next, bb);
>         }
>         ...
>         type = apr_pstrdup(r->pool, r->content_type);
>         // EVENT 3: take false path here
>         if (type) {
>             charset = strchr(type, ' ');
>             if (charset) {
>                 *charset++ = 0;
>                 end = strchr(charset, ' ');
>                 if (end) {
>                     *end++ = 0;
>                 }
>             }
>         }
>
>         // EVENT 4: charset is used uninitialized.
>         // If it's possible to reach this case, you could potentially
>         // pass bogus data into the second %s.
>         apr_brigade_printf(ctx->bb, NULL, NULL, "data:%s%s;base64,",
>                            type ? type : "", charset ? charset : "");
>
> If this case is reachable, I would suggest a patch like this:
>
> - char *charset;
> + char *charset = 0;
>
> Thanks,
> Chris
>
> --
> Chris Wilson
> http://vigilantsw.com/
> Vigilant Software, LLC

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
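Review bot: the one-line hunk quoted above (`- char *charset;` / `+ char *charset = 0;`) is the right fix, but since `charset` is a pointer, `= NULL` would read more clearly and match the `charset ? charset : ""` guard at EVENT 4 that already expects a null pointer. Worth noting for the "is it reachable" question: within the quoted snippet, the inner `charset = strchr(type, ' ')` assigns `charset` whenever `type` is non-NULL, so the only path that reaches the `apr_brigade_printf` with `charset` unset is the false branch at EVENT 3, i.e. `type == NULL`, which is exactly the case the initialization covers.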
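As an added illustration (not code from the thread, from mod_data.c, or from the httpd project), the type/charset split discussed above rewritten as a self-contained function in plain C. It keeps the quoted logic, including the split on a space character, but declares `charset` as NULL up front so that the path with no Content-Type never reads an undefined pointer; APR pools and brigades are replaced by `malloc` and `snprintf`, and the name `data_uri_prefix` is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Plain-C stand-in for apr_pstrdup: returns NULL for a NULL input,
 * otherwise a heap copy the caller must free. */
static char *dup_string(const char *s)
{
    size_t n;
    char *copy;

    if (s == NULL) {
        return NULL;
    }
    n = strlen(s) + 1;
    copy = malloc(n);
    if (copy) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Build the "data:<type><charset>;base64," prefix the filter emits.
 * content_type may be NULL (no Content-Type on the response), which is
 * the path the static analyser flagged. Returns a heap string the
 * caller frees, or NULL if allocation fails. */
char *data_uri_prefix(const char *content_type)
{
    char *type = dup_string(content_type);
    char *charset = NULL;   /* the fix: defined on every path */
    char *end;
    char *out;
    size_t len;

    if (type) {
        /* "text/plain; charset=utf-8" -> type "text/plain;" and
         * charset "charset=utf-8"; the ';' stays attached to type. */
        charset = strchr(type, ' ');
        if (charset) {
            *charset++ = 0;
            /* Drop anything after the charset parameter. */
            end = strchr(charset, ' ');
            if (end) {
                *end = 0;
            }
        }
    }

    /* Both conditionals below are safe because charset is never unset. */
    len = strlen("data:") + strlen(type ? type : "")
        + strlen(charset ? charset : "") + strlen(";base64,") + 1;
    out = malloc(len);
    if (out) {
        snprintf(out, len, "data:%s%s;base64,",
                 type ? type : "", charset ? charset : "");
    }
    free(type);
    return out;
}

int main(void)
{
    /* Constructed sample inputs, including the no-Content-Type case. */
    const char *samples[] = { "text/plain; charset=utf-8", "image/png", NULL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *p = data_uri_prefix(samples[i]);
        printf("%-28s -> %s\n", samples[i] ? samples[i] : "(NULL)", p ? p : "(alloc failed)");
        free(p);
    }
    return 0;
}
```

Compiling with `-Wall -Wextra` on the original shape of the code is the cheapest check for this class of bug; the static analyser in the thread found it the same way, by following the branch where `type` is NULL to the use at EVENT 4.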