[Python-Dev] remaining issues from Klocwork static analysis

"Martin v. Löwis" martin at v.loewis.de
Tue Jul 25 09:40:44 CEST 2006 

Neal Norwitz wrote:
> # 74 Object/funcobject.c:143    Suspicious deref of ptr before NULL check

Not quite sure what it is complaining about, but

        else if (PyTuple_Check(closure)) {
                Py_XINCREF(closure);
        }

looks indeed suspicious: Why do we check for NULL (XINCREF) when
we know closure can't be NULL (Tuple_Check). Drop the X, and see
if the warning goes away

> #169 Modules/threadmodule.c:497 Memory Leak

Does it say what memory is leaking? Perhaps it complains about
boot not being released if ident is not -1, however, in that case,
t_bootstrap will release the memory.

> # 28 Modules/_sre.c:987   Array Index Out of Bounds
> 
>     Buffer overflow, array index of 'mark' may be outside the
>     bounds. Array 'mark' of size 200 declared at sre.h:77 may use
>     index values 0..536870911. Also there are 3 similar errors on
>     lines 1006, 1225, 1237.  (Try limiting mark on line 589?)

ISTM that SRE has a limit of 100 MARK opcodes, meaning a maximum
of 100 groups per expression (so you need 200 mark pointers).
This can't overrun as sre_compile refuses to compile expressions
with more groups.

Of course, a malicious application could craft the opcodes itself
(bypassing sre_compile), in which case you could get a buffer
overrun.

The right solution is to have a dynamic marks array.

> #174 Modules/unicodedata.c:432   Array Index Out of Bounds
> 
>     Buffer overflow, array index of 'decomp_prefix' may be outside the
>     bounds. Array 'decomp_prefix' of size 18 declared at
>     unicodedata_db.h:529 may use index values 18..255. Also there is one
>     similar error on line 433.

This limit is enforced by Tools/unicode/makeunicodedata.py. There are
only 18 decomposition prefixes at the moment, yet we use 8 bits for
the decomposition prefix (makeunicodedata checks that prefix < 256)

Looking at the code, I now wonder why decomp_data can't be
"unsigned short", instead of "unsigned int" (the upper byte is the
decomposition length, and it can't be larger than 256, either).

> # 36 Modules/cPickle.c:3404   Memory Leak
> 
>     Memory leak. Dynamic memory stored in 's' allocated through
>     function 'pystrndup' at line 3384 is lost at line 3404.
> 
>     s should not be freed on line 3407, but earlier.
>     PDATA_PUSH can return on error and s will not be freed.

Correct. We should not use macros with embedded return statements.

> # 61 Modules/_sqlite/cursor.c:599  Null pointer may be dereferenced
> 
>     Null pointer 'self->statement' that comes from line 674 may be
>     dereferenced by passing argument 1 to function
>     'statement_mark_dirty' at line 599.

Looks like a problem. Maybe a break is missing after line 674?

Regards,
Martin

More information about the Python-Dev mailing list