Compiz Core

Coverity SECURE_CODING - CID 10020

Series 0.9.5
Bug #957587

Bug #957587 reported by Product Strategy Coverity Bug Uploader on 2012-03-17

This bug affects 1 person

	Status	Importance	Assigned to
Compiz	Fix Released	Medium	MC Return
Compiz Core	Won't Fix	Medium	Unassigned
0.9.5	Won't Fix	Undecided	Unassigned
compiz (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

This bug is exported from the Coverity Integration Manager on Canonical's servers. For information on how this is done please see this website: https://wiki.ubuntu.com/CanonicalProductStrategy/Coverity
CID: 10020
Checker: SECURE_CODING
Category: No category available
CWE definition: http://cwe.mitre.org/data/definitions/676.html
File: /tmp/buildd/compiz-0.9.7.0~bzr3025/libdecoration/decoration.c
Function: decor_handle_selection_clear()
Code snippet:
3168 {
3169 Atom dm_sn_atom;
3170 char buf[128];
3171
CID 10020 - SECURE_CODING
[VERY RISKY]. Using "sprintf" can cause a buffer overflow when done incorrectly. Because sprintf() assumes an arbitrarily long string, callers must be careful not to overflow the actual space of the destination. Use snprintf() instead, or correct precision specifiers.
3172 sprintf (buf, "_COMPIZ_DM_S%d", screen);
3173 dm_sn_atom = XInternAtom (xdisplay, buf, 0);
3174
3175 if (xevent->xselectionclear.selection == dm_sn_atom)
3176 return DECOR_SELECTION_GIVE_UP;
3177

Tags:

Related branches

lp://staging/~mc-return/compiz/compiz.merge-fix1101641-use-snprintf-instead-of-sprintf

Merged into lp://staging/compiz/0.9.9 at revision 3588

Sam Spilsbury: Approve on 2013-01-29

PS Jenkins bot: Pending (continuous-integration) requested 2013-01-30

lp://staging/ubuntu/raring/compiz

Revision history for this message

Product Strategy Coverity Bug Uploader (coverity-uploader) wrote on 2012-03-17: compiz-core-0.9.5: /tmp/buildd/compiz-0.9.7.0~bzr3025/libdecoration/decoration.c

compiz-core-0.9.5: /tmp/buildd/compiz-0.9.7.0~bzr3025/libdecoration/decoration.c Edit (502.2 KiB, text/html)

Source file with Coverity annotations.

Changed in compiz-core:
importance:	Undecided → Medium

Sam Spilsbury (smspillaz) on 2012-05-18

Changed in compiz:
importance:	Undecided → Medium

Revision history for this message

Test-tools (roland-verifysoft) wrote on 2012-07-30:

This is a false positive.
The buffer has 128 and the format string is "_COMPIZ_DM_S%d", 12 characters plus at max thear len of MAX_INT ->10 + one char for terminating 0 => 23 characters overall..

Revision history for this message

MC Return (mc-return) wrote on 2013-01-28:

roland-verifysoft, you are right, but lets get it off the table...

Changed in compiz:
status:	New → In Progress
assignee:	nobody → MC Return (mc-return)

PS Jenkins bot (ps-jenkins) on 2013-01-30

Changed in compiz:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-02-04:

This bug was fixed in the package compiz - 1:0.9.9~daily13.02.04-0ubuntu1

---------------
compiz (1:0.9.9~daily13.02.04-0ubuntu1) raring; urgency=low

  [ Marco Trevisan (Treviño) ]
  * Spread - Window glow is incorrectly painted in the screen when
    switching spreaded application (LP: #1109805)

  [ MC Return ]
  * Coverity MISSING_BREAK - CID 12463 (LP: #1101561)
  * Thumbnail plugin: Window title text is rendered into transparency
    and glow/background are too large (LP: #1099100)
  * Showmouse plugin code: Needs cleanup (LP: #1105969)
  * Coverity SECURE_CODING - CID 10019 (LP: #957582)
  * Coverity SECURE_CODING - CID 12511 (LP: #1101605)
  * Coverity SECURE_CODING - CID 12512 (LP: #1101571)
  * Keyboard shortcut overlay says Ctrl+Super+Down "minimises" the
    current window, but it doesn't (LP: #966099)
  * Coverity SECURE_CODING - CID 10020 (LP: #957587)
  * Coverity SECURE_CODING - CID 12529 (LP: #1101641)
  * Coverity MISSING_BREAK - CID 12464 (LP: #1101549)
  * Coverity SECURE_CODING - CID 12519 (LP: #1101565)
  * Coverity SECURE_CODING - CID 12516 (LP: #1101499)
  * [GLES] Showmouse plugin needs port to OpenGL|ES (LP: #1106270)