From 8c754b183447e3141cd62d70a5ad465a1ab15d7b Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Thu, 28 Apr 2016 21:23:37 -0500 Subject: [PATCH] [libpng16] Quieted two Coverity issues in contrib/libtests/timepng.c. --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- contrib/libtests/timepng.c | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 3 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index c8c85efac..9bebd61f5 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.22beta06 - April 28, 2016 +Libpng 1.6.22beta06 - April 29, 2016 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -91,8 +91,9 @@ Version 1.6.22beta05 [April 27, 2016] Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED (Bug report by Y.Ohashik). -Version 1.6.22beta06 [April 28, 2016] +Version 1.6.22beta06 [April 29, 2016] Rebased contrib/intel_sse.patch. + Quieted two Coverity issues in contrib/libtests/timepng.c. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 11ec882e8..5b6590a7a 100644 --- a/CHANGES +++ b/CHANGES @@ -5551,8 +5551,9 @@ Version 1.6.22beta05 [April 27, 2016] Fixed typo (missing underscore) in #define PNG_READ_16_TO_8_SUPPORTED (Bug report by Y.Ohashik). -Version 1.6.22beta06 [April 28, 2016] +Version 1.6.22beta06 [April 29, 2016] Rebased contrib/intel_sse.patch. + Quieted two Coverity issues in contrib/libtests/timepng.c. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/contrib/libtests/timepng.c b/contrib/libtests/timepng.c index 6b7253d78..d648ff630 100644 --- a/contrib/libtests/timepng.c +++ b/contrib/libtests/timepng.c @@ -394,6 +394,12 @@ int main(int argc, char **argv) argv[3]); exit(99); } +#ifdef __COVERITY__ + else + { + nfiles &= 0x7fffffff; + } +#endif argv += 3; argc -= 3; 
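Review bot: The `nfiles &= 0x7fffffff;` mask in the added `else` branch of contrib/libtests/timepng.c is compiled only when `__COVERITY__` is defined, so it silences the tainted-value report without constraining the count in the binary that is actually built. If `nfiles` is parsed from `argv[3]`, as the surrounding error path suggests (the `if` this `else` attaches to starts outside the hunk), an unconditional range check that reuses the existing `exit(99)` path would address the finding in both builds. The mask also only clears the top bit and still admits values up to 0x7fffffff, so at minimum it deserves a comment such as `/* analysis-only: does not bound nfiles in normal builds */` so that a reader does not mistake it for validation.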
@@ -401,7 +407,39 @@ int main(int argc, char **argv) else /* Else use a temporary file */ { +#ifndef __COVERITY__ fp = tmpfile(); +#else + /* Experimental. Coverity says tmpfile() is insecure because it + * generates predictable names. + * + * It is possible to satisfy Coverity by using mkstemp(); however, + * any platform supporting mkstemp() undoubtedly has a secure tmpfile() + * implementation as well, and doesn't need the fix. Note that + * the fix won't work on platforms that don't support mkstemp(). + * + * https://www.securecoding.cert.org/confluence/display/c/ + * FIO21-C.+Do+not+create+temporary+files+in+shared+directories + * says that most historic implementations of tmpfile() provide + * only a limited number of possible temporary file names + * (usually 26) before file names are recycled. That article also + * provides a secure solution that unfortunately depends upon mkstemp(). + */ + char tmpfile[] = "timepng-XXXXXX"; + int filedes; + umask(0177); + filedes = mkstemp(tmpfile); + if (filedes < 0) + fp = NULL; + else + { + fp = fdopen(filedes,"w+"); + /* Hide the filename immediately and ensure that the file does + * not exist after the program ends + */ + (void) unlink(tmpfile); + } +#endif if (fp == NULL) {
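Review bot: In the `__COVERITY__` branch, `umask(0177)` is never restored and the descriptor returned by `mkstemp()` is leaked when `fdopen()` returns NULL, so this path cleans up less carefully than the `tmpfile()` call it replaces. Saving the old mask and restoring it right after `mkstemp()`, and closing `filedes` when `fdopen()` fails, fixes both. Renaming the array also avoids shadowing the `tmpfile()` function used in the other branch. The template has no directory part, so the file is created in the current working directory, which may be shared or read-only and is worth a comment. The hunk adds no `#include` lines, and the enclosing `main` starts and ends outside it, so whether the headers for `umask`, `mkstemp`, `unlink` and `close` are already included cannot be confirmed from here.

```c
      /* … unchanged: explanatory comment on tmpfile() vs. mkstemp() … */
      char tmpname[] = "timepng-XXXXXX";   /* created in the current directory */
      int filedes;
      mode_t saved_mask = umask(0177);

      filedes = mkstemp(tmpname);
      (void) umask(saved_mask);   /* do not leave the process umask changed */

      if (filedes < 0)
         fp = NULL;
      else
      {
         /* … unchanged: "Hide the filename immediately" comment … */
         (void) unlink(tmpname);
         fp = fdopen(filedes, "w+");
         if (fp == NULL)
            (void) close(filedes);   /* fdopen() failed: do not leak the descriptor */
      }
```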