On 11/13/15, Michael McConville <mmcco at mykolab.com> wrote:
> Hi, everyone.
>
> I've been auditing the OpenBSD codebase for calls to ctype functions
> with potentially signed chars. This is undefined on some platforms. I
> found a number of instances in Sqlite, so I ran my Coccinelle script on
> the repo.
Thank you. You've already told us this once before.

All of your findings are either in test programs, programs used as part
of the build process, or obsolete code that we keep around for
historical reference but which is never in fact used. None of your
findings are in the SQLite core. There are no security implications
here.

Nevertheless, I went through and fixed all of these cases (even the ones
in code that is *never compiled*) a couple of weeks ago, and checked the
changes into trunk: https://www.sqlite.org/src/info/34eb6911afee09e7

If you decide to run your analysis program again, I suggest running it
on the latest trunk check-in (which you can download from the "Tarball"
link here: https://www.sqlite.org/src/info/trunk). That check-in will
include all of the changes needed to silence the warnings you have
found. (Unless I missed one.)

I suppose it is too much to ask of Coccinelle to recognize that the
following suggestion is pointless:

> static int safe_isspace(char c){
> -  return (c&0x80)==0 ? isspace(c) : 0;
> +  return (c&0x80)==0 ? isspace((unsigned char)c) : 0;
> }

--
D. Richard Hipp
drh at sqlite.org
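Review bot: The cast added in the `+` line is redundant in this function, because the `(c&0x80)==0` guard on the same line already limits the value reaching isspace() to 0..127, which is valid input whether char is signed or unsigned; the change is harmless and only serves to stop pattern-based checkers from flagging the call, since it removes no actual undefined behaviour. Where no such guard precedes the call, the `(unsigned char)` cast is the correct idiom, as passing a negative char value other than EOF to the ctype functions is undefined, which is the condition the audit is looking for.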