ReadObjectHook: suppress false positive #1874
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, CodeQL mis-identifies a couple instances of the
usually-legitimate "User-controlled data may not be null terminated"
problem.
In these instances, CodeQL thinks that `packet_txt_read()` fails to
NUL-terminate (not actually "null"... tsk, tsk) the string. But it
totally does! Here is the current definition of that function:
size_t packet_txt_read(char *buf, size_t count, FILE *stream)
{
size_t len;
len = packet_bin_read(buf, count, stream);
if (len && buf[len - 1] == '\n')
{
len--;
}
buf[len] = 0;
return len;
}
The `buf[len] = 0` statement guarantees that the string is
NUL-terminated.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
mjcheetham
approved these changes
Sep 24, 2025
Member
mjcheetham
left a comment
mjcheetham
left a comment
There was a problem hiding this comment.
buf[len] = 0;
I wonder if CodeQL is being stupid and expects to see buf[len] = NUL; instead... 🤦♂️
Either way, this suppression seems reasonable.
Member
Author
I guess so, but I'd expect it to expect |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, CodeQL mis-identifies a couple instances of the usually-legitimate "User-controlled data may not be null terminated" problem.
In these instances, CodeQL thinks that
packet_txt_read()fails to NUL-terminate (not actually "null"... tsk, tsk) the string. But it totally does! Here is the current definition of that function:The
buf[len] = 0statement guarantees that the string is NUL-terminated.