
Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing



On Fri, 20 Sep 2013, Yaroslav Halchenko wrote:
> On "your" code you could look for some (no multiline or more complex
> expressions, no snprintf) hits in sprintf with the following grep:
>
> grep -re 'sprintf(\s*\(\w\+\)\s*,[^,]\+,\s*\1\>' *
>
> Unfortunately codesearch.d.n seems to not have support for referencing a
> group in a regexp yet, thus I couldn't search for obvious hits within the archive.
> If anyone comes up with a proper parser/analyzer to catch those -- I would
> be very grateful (I am surprised that gcc doesn't issue any warning).

Somehow I didn't know yet about debile.d.n, and this package is not yet
in Debian, thus I am paying by running cppcheck on it myself now,
as Julian Taylor suggested -- cppcheck seems to catch this pattern
nicely.

Cheers,
-- 
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        
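As an added example (not part of the thread, and not anyone's posted tool), here is a small Python scanner for the "parser/analyzer" the quoted message asks for: it splits each sprintf/snprintf argument list on top-level commas, so unlike the one-line grep it handles multiline calls and skips the snprintf size argument before comparing the destination against the formatted arguments. Function names and the sample input are my own.

```python
import re

# Calls to check: the destination is args[0]; snprintf has a size argument too.
CALL_RE = re.compile(r'\b(sprintf|snprintf)\s*\(')

def _split_args(src, start):
    """Split the args after the '(' at src[start] on top-level commas,
    honouring nested parentheses and string/char literals."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        c = src[i]
        if quote:                                    # inside a literal
            if c == '\\' and i + 1 < len(src):       # keep the escaped char
                cur.append(c); i += 1; c = src[i]
            elif c == quote:
                quote = None
        elif c in '"\'':
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')' and depth == 0:                # end of the call
            return args + [''.join(cur).strip()]
        elif c == ')':
            depth -= 1
        elif c == ',' and depth == 0:                # top-level separator
            args.append(''.join(cur).strip()); cur = []; i += 1; continue
        cur.append(c); i += 1
    raise ValueError('unterminated call at offset %d' % start)

def find_overlapping_sprintf(src):
    """Return (line, function, dst) for each sprintf/snprintf whose
    destination buffer is also passed as one of the formatted arguments."""
    hits = []
    for m in CALL_RE.finditer(src):
        name, args = m.group(1), _split_args(src, m.end())
        if len(args) < 3:
            continue
        dst = args[0]
        tail = args[3:] if name == 'snprintf' else args[2:]  # after the format
        # Whole-token match, so a different name such as bufp does not count.
        pat = re.compile(r'(?<!\w)%s(?!\w)' % re.escape(dst))
        if any(pat.search(a) for a in tail):
            hits.append((src.count('\n', 0, m.start()) + 1, name, dst))
    return hits

# Constructed sample: the first two calls reuse the destination as a source.
SAMPLE = "\n".join([
    'sprintf(buf, "%s%s", buf, suffix);',
    'snprintf(buf, sizeof(buf), "%s-%d",',
    '         buf, n);',
    'snprintf(tmp, sizeof tmp, "%s", buf);',
])
```

Running `find_overlapping_sprintf(open(path).read())` over each C file reports the overlapping calls with their line numbers; it does not follow macros or aliases, so a clean run is not proof of absence.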