On Thu, 14 Mar 2019 at 11:23, Paolo Bonzini <pbonz...@redhat.com> wrote:
>
> On 14/03/19 11:51, Peter Maydell wrote:
> > Our coverity model of g_strdup() includes:
> > __coverity_string_size_sink__(s);
> >
> > This seems to be causing Coverity to report false positives like
> > CID1399705 and 1399699 where we take a string from getenv() and
> > pass it to g_strdup(). The getenv() string is untrusted data of unknown
> > length, and g_strdup() being marked as a size-sink makes Coverity
> > think the function wants "a string of a particular size".
> >
> > Markus, you wrote this model initially -- can you remember why it's
> > marked as a size-sink? Unfortunately I can't find any documentation
> > online about what the coverity model annotation here means :-(
>
> I think it means that we don't want a g_strdup that can potentially do
> an unbounded allocation.

Mmm, that makes sense. So in this particular case, do we want to try to
avoid doing an unbounded allocation based on whatever rubbish the user
passed us in the environment, or do we say "this particular case is OK"
and mark it as a false-positive? Cc'ing Gerd since the Coverity issues
in question are in the audio code (in get_str() and in
audio_handle_legacy_opts()).

thanks
-- PMM
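The first option Peter raises above (bound the copy instead of accepting whatever length the environment supplies) as an added example, written in plain libc rather than GLib and not taken from QEMU's code; the 256-byte limit and the function names dup_bounded / getenv_dup_bounded are assumptions chosen for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Largest value we are willing to copy out of an environment variable.
 * Hypothetical limit for this example; the thread above does not name one. */
#define ENV_STR_MAX 256

/* Copy VAL into a fresh heap buffer, but only if it is at most MAX_LEN
 * bytes long (not counting the terminating NUL).
 *
 * Returns the copy (caller frees it) or NULL when VAL is NULL or too long.
 * The length is checked before any allocation, so the allocation size is
 * capped by MAX_LEN instead of by the untrusted string's own length. */
char *dup_bounded(const char *val, size_t max_len)
{
    if (val == NULL) {
        return NULL;
    }
    /* Scan at most max_len + 1 bytes: we stop as soon as the value is
     * known to exceed the limit, without walking an arbitrarily long string. */
    size_t len = 0;
    while (len <= max_len && val[len] != '\0') {
        len++;
    }
    if (len > max_len) {
        return NULL;
    }
    char *copy = malloc(len + 1);
    if (copy == NULL) {
        return NULL;
    }
    memcpy(copy, val, len);
    copy[len] = '\0';
    return copy;
}

/* Bounded replacement for the getenv() + g_strdup() pattern from the
 * Coverity reports: an unset or over-long variable yields NULL. */
char *getenv_dup_bounded(const char *name, size_t max_len)
{
    return dup_bounded(getenv(name), max_len);
}
```

A caller that previously did `g_strdup(getenv("X"))` would instead call `getenv_dup_bounded("X", ENV_STR_MAX)` and treat NULL as "absent or rejected".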