Potential vulnerabilities eliminated by the PVS-Studio team this week: release N1



We decided to do our best to regularly search for and fix vulnerabilities and bugs in various projects. You can call this what you like: working with open-source projects, a kind of advertising, or a way of testing the analyzer. Another option is to see it as one more way to draw attention to the issues of code quality and reliability. Actually, the name doesn't matter, we just like to do it. Let's call it an unusual hobby. Let's see what interesting things were found in the code of various projects this week. We took the time to make corrections and invite you to take a look at them.

For those who are not familiar with the PVS-Studio tool yet


PVS-Studio is a tool that reveals many types of errors and vulnerabilities in code. PVS-Studio performs static code analysis and points the programmer to areas of the program that are likely to contain errors. The best effect is achieved when static analysis is performed regularly. Conceptually, analyzer warnings are similar to compiler warnings. But unlike compilers, PVS-Studio performs a deeper and more versatile code analysis. This allows it to find errors even in compilers: GCC; LLVM 1, 2, 3; Roslyn.

Code analysis is supported for C, C++ and C#. The analyzer runs on Windows and Linux. On Windows, the analyzer can be integrated as a plugin in Visual Studio.
For further acquaintance with the analyzer, we suggest studying the following materials:


Potential vulnerabilities (weaknesses)


This section lists the defects that fall under the CWE classification and are, in essence, vulnerabilities. Of course, vulnerabilities do not pose a practical threat in every project, but we would like to demonstrate that we can find such situations.

1. CoreFX. CWE-476 (NULL Pointer Dereference)

V3080 Possible null dereference. Consider inspecting '_swtFirst'. MemberLookup.cs 109

    if (_swtFirst == null)
    {
      _swtFirst.Set(sym, type); // <=
      ....
    }

→ Pull Request

2. CoreFX. CWE-476 (NULL Pointer Dereference)

V3080 Possible null dereference. Consider inspecting 'tabClasses'. PropertyTabAttribute.cs 225

    if (tabClasses != null) // <=
    {
      if (tabScopes != null && tabClasses.Length != tabScopes.Length)
      {
        ....
      }
      _tabClasses = (Type[])tabClasses.Clone();
    }
    else if (tabClassNames != null)
    {
      if (tabScopes != null &&
          tabClasses.Length != tabScopes.Length) // <=
      {
        ....
      }
      _tabClassNames = (string[])tabClassNames.Clone();
      _tabClasses = null;
    }

→ Pull Request

3. CoreFX. CWE-476 (NULL Pointer Dereference)

V3080 Possible null dereference. Consider inspecting 'BaseSimpleType'. SimpleType.cs 368

    if ((BaseSimpleType == null && otherSimpleType.BaseSimpleType != null)
        && (BaseSimpleType.HasConflictingDefinition(...)).Length != 0) // <=
      return ("BaseSimpleType");

→ Pull Request

4. CoreFX. CWE-476 (NULL Pointer Dereference)

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'o', 'other'. CompilerInfo.cs 106

    CompilerInfo other = o as CompilerInfo;
    if (o == null)
    {
      return false;
    }
    return CodeDomProviderType == other.CodeDomProviderType && ... // <=

→ Pull Request

5. CoreFX. CWE-476 (NULL Pointer Dereference)

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'myObject', 'myString'. CaseInsensitiveAscii.cs 46

    string myString = myObject as string;
    if (myObject == null)
    {
      return 0;
    }
    int myHashCode = myString.Length; // <=

→ Pull Request

6. CoreFX. CWE-476 (NULL Pointer Dereference)

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'a', 'nodeA'. AttributeSortOrder.cs 22

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'b', 'nodeB'. AttributeSortOrder.cs 22

    XmlNode nodeA = a as XmlNode;
    XmlNode nodeB = b as XmlNode;
    if ((a == null) || (b == null))
      throw new ArgumentException();
    int namespaceCompare =
      string.CompareOrdinal(nodeA.NamespaceURI, nodeB.NamespaceURI); // <=

→ Pull Request

7. CoreFX. CWE-476 (NULL Pointer Dereference)

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'a', 'nodeA'. NamespaceSortOrder.cs 21

V3019 Possibly an incorrect variable is compared to null after type conversion using 'as' keyword. Check variables 'b', 'nodeB'. NamespaceSortOrder.cs 21

    XmlNode nodeA = a as XmlNode;
    XmlNode nodeB = b as XmlNode;
    if ((a == null) || (b == null))
      throw new ArgumentException();
    bool nodeAdefault = Utils.IsDefaultNamespaceNode(nodeA);
    bool nodeBdefault = Utils.IsDefaultNamespaceNode(nodeB);

→ Pull Request
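Items 4 to 7 share one pattern: the null check tests the original argument, not the result of the 'as' conversion, so a non-null object of the wrong type passes the check and is dereferenced as null. The following is an added example, not code from CoreFX or from the pull requests; the types Node, FlawedOrder, CheckedOrder and Demo are constructed for illustration.

```csharp
using System;
using System.Collections;

// Constructed stand-in for XmlNode; not a CoreFX type.
sealed class Node
{
    public string NamespaceURI { get; }
    public Node(string ns) { NamespaceURI = ns; }
}

// Same shape as the flagged comparers: the guard tests the original
// arguments, so a non-null object of the wrong type slips past it.
sealed class FlawedOrder : IComparer
{
    public int Compare(object a, object b)
    {
        Node nodeA = a as Node;
        Node nodeB = b as Node;
        if ((a == null) || (b == null))
            throw new ArgumentException();
        return string.CompareOrdinal(nodeA.NamespaceURI, nodeB.NamespaceURI);
    }
}

// Hardened form: the guard tests the results of the conversion.
sealed class CheckedOrder : IComparer
{
    public int Compare(object a, object b)
    {
        if (!(a is Node nodeA) || !(b is Node nodeB))
            throw new ArgumentException("Both arguments must be Node.");
        return string.CompareOrdinal(nodeA.NamespaceURI, nodeB.NamespaceURI);
    }
}

static class Demo
{
    // Reports either the comparison result or the exception type raised.
    static string Probe(IComparer order, object a, object b)
    {
        try { return "result " + order.Compare(a, b); }
        catch (Exception e) { return e.GetType().Name; }
    }
    static void Main()
    {
        var node = new Node("urn:a");
        object wrongType = "not a node"; // non-null, but 'as Node' yields null
        Console.WriteLine("flawed : " + Probe(new FlawedOrder(), node, wrongType));
        Console.WriteLine("checked: " + Probe(new CheckedOrder(), node, wrongType));
    }
}
```

The flawed comparer fails with a NullReferenceException at the point of use, while the checked one rejects the argument up front with the ArgumentException the original guard was meant to raise.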

8. MSBuild. CWE-476 (NULL Pointer Dereference)

V3095 The 'name' object was used before it was verified against null. Check lines: 229, 235. Microsoft.Build.Tasks GenerateBindingRedirects.cs 229

V3095 The 'publicKeyToken' object was used before it was verified against null. Check lines: 231, 235. Microsoft.Build.Tasks GenerateBindingRedirects.cs 231

    private void UpdateExistingBindingRedirects(....)
    {
      ....
      var name = assemblyIdentity.Attribute("name");
      var nameValue = name.Value; // <=
      var publicKeyToken = assemblyIdentity.
                             Attribute("publicKeyToken");
      var publicKeyTokenValue = publicKeyToken.Value; // <=
      var culture = assemblyIdentity.Attribute("culture");
      var cultureValue = culture == null ?
                           String.Empty : culture.Value;
      if (name == null || publicKeyToken == null)
      {
        continue;
      }
      ....
    }

→ Pull Request

Other errors


1. MSBuild

V3041 The expression was implicitly cast from 'long' type to 'float' type. Consider utilizing an explicit type cast to avoid the loss of a fractional part. An example: double A = (double)(X) / Y;. Microsoft.Build CommunicationsUtilities.cs 615

    private static long s_lastLoggedTicks = DateTime.UtcNow.Ticks;
    internal static void Trace(....)
    {
      ....
      long now = DateTime.UtcNow.Ticks;
      float millisecondsSinceLastLog =
        (float)((now - s_lastLoggedTicks) / 10000L);
      ....
    }

→ Pull Request

2. MSBuild

V3118 Milliseconds component of TimeSpan is used, which does not constitute the full time interval. Possibly 'TotalMilliseconds' value was intended instead. MSBuild XMake.cs 629

    public static ExitType Execute(string commandLine)
    {
      ....
      if (!String.IsNullOrEmpty(timerOutputFilename))
      {
        AppendOutputFile(timerOutputFilename,
                         elapsedTime.Milliseconds);
      }
      ....
    }

→ Pull Request

Conclusion


We suggest downloading the PVS-Studio analyzer and trying it on your project:
To remove the demo version limitation, you can email us and we will send you a temporary key.

For a quick acquaintance with the analyzer, you can use utilities that track compiler launches and collect all the information needed for analysis. See the CLMonitoring and pvs-studio-analyzer utility descriptions. If you are working with a classic project type in Visual Studio, it is even easier: just select the “Check Solution” command in the PVS-Studio menu.



If you want to share this article with an English-speaking audience, then please use the link to the translation: Andrey Karpov. Vulnerabilities detected by PVS-Studio this week: episode N1.

Read the article and have a question?
Our articles often draw the same questions. We collected answers to them here: Answers to questions from readers of articles about PVS-Studio, version 2015. Please review the list.

Source: https://habr.com/ru/post/323646/
