<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi, <br>
</p>
<p>I enabled -fanalyzer for GnuPG in my project. It reports quite a
few findings. Some of them (or even the majority) might be false
positives. I haven't checked that, though. However, the one I
quote below seems like a true positive (the line numbers in
current master slightly deviate, but the picture is simple anyway:
<tt>md</tt> has to be initialized to NULL when declared). <br>
</p>
<p>Just as a suggestion from me: add a flag to the configure
script to enable this gcc feature. I am still looking for a way to
inform the static analyzer in the source code about certain
semantics (i.e. restrictions on the values returned by functions
in external libraries); this would be very helpful to suppress
false positives.<br>
</p>
<p>- Falko<br>
</p>
<p><tt>sign.c:1760:3: warning: use of uninitialized value ‘md’
[CWE-457] [-Wanalyzer-use-of-uninitialized-value]<br>
1760 | gcry_md_close (md);<br>
| ^~~~~~~~~~~~~~~~~~<br>
‘sign_symencrypt_file’: events 1-7<br>
|<br>
| 1587 | gcry_md_hd_t md;<br>
| | ^~<br>
| | |<br>
| | (1) region created on stack here<br>
| | (2) capacity: 8 bytes<br>
|......<br>
| 1618 | if (rc)<br>
| | ~ <br>
| | |<br>
| | (3) following ‘true’ branch (when ‘rc !=
0’)...<br>
| 1619 | goto leave;<br>
| | ~~~~ <br>
| | |<br>
| | (4) ...to here<br>
|......<br>
| 1751 | if (rc)<br>
| | ~ <br>
| | |<br>
| | (5) following ‘true’ branch (when ‘rc !=
0’)...<br>
| 1752 | iobuf_cancel (out);<br>
| | ~~~~~~~~~~~~~~~~~~<br>
| | |<br>
| | (6) ...to here<br>
|......<br>
| 1760 | gcry_md_close (md);<br>
| | ~~~~~~~~~~~~~~~~~~<br>
| | |<br>
| | (7) use of uninitialized value ‘md’ here<br>
|<br>
</tt><br>
</p>
<div class="moz-signature">-- <br>
<!-- MTG AG HTML signature v.1.0, 2021-02-12 - Author: Andreas Cholet -->
<p style="line-height: 1.5;"><font face="Arial"><span
style="font-size: small; color: rgb(93, 93, 95);">
<strong>MTG AG</strong><br>
Dr. Falko Strenzke<br>
Executive System Architect<br>
<!--up to here--> </span></font></p>
<font face="Arial">
<p>
<span style="font-size: small; color: rgb(93, 93, 95);">
<!--personalize--><span
style="display:inline-block;width:4em">Phone: </span>+49
6151 8000 24<br>
<!--personalize--><span
style="display:inline-block;width:4em">E-Mail: </span><a class="moz-txt-link-abbreviated" href="mailto:falko.strenzke@mtg.de">falko.strenzke@mtg.de</a><br>
<span style="display:inline-block;width:4em">Web: </span><a
href="https://www.mtg.de" title="MTG AG Internet"
target="_blank">mtg.de</a>
</span></p>
</font></div>
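<p>The pattern behind the warning quoted above, reduced to a small C program. This is an added example, not code from GnuPG or from the original message: <tt>md_hd_t</tt>, <tt>md_open</tt>, <tt>md_close</tt> and the <tt>process_*</tt> functions are hypothetical stand-ins, and the stand-in close function is assumed to accept NULL.</p>

```c
#include <stdlib.h>
/* Hypothetical stand-ins for a digest-handle API; not libgcrypt code. */
typedef struct md_ctx { int algo; } *md_hd_t;
static int live_handles;            /* handles opened but not yet closed */

static int md_open(md_hd_t *hd)
{
    *hd = calloc(1, sizeof **hd);
    if (!*hd) return -1;
    live_handles++;
    return 0;
}

/* Assumption: closing a NULL handle is a no-op, as with free(). */
static void md_close(md_hd_t hd)
{
    if (!hd) return;
    live_handles--;
    free(hd);
}

#ifdef SHOW_BUG
/* Shape of the reported path: the early "goto leave" skips md_open(),
   so md_close() reads an indeterminate pointer (CWE-457).
   Build with: gcc -fanalyzer -DSHOW_BUG -c file.c to have it analyzed. */
int process_buggy(int rc)
{
    md_hd_t md;
    if (rc)
        goto leave;
    rc = md_open(&md);
leave:
    md_close(md);
    return rc;
}
#endif

/* Fix: initialize at declaration so every path into "leave" is defined. */
int process_fixed(int rc)
{
    md_hd_t md = NULL;
    if (rc)
        goto leave;
    rc = md_open(&md);
leave:
    md_close(md);
    return rc;
}
int live_handle_count(void) { return live_handles; }
```

<p>The buggy variant is compiled only with <tt>-DSHOW_BUG</tt> because executing it is undefined behaviour.</p>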
</body>
</html>