| Message ID | b5e98d5e144f4b3a2771a421690b4b729dc1b7ae.1743079429.git.gitgitgadget@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Initialize a few uninitialized variables | expand |
On Thu, Mar 27, 2025 at 12:43:46PM +0000, Johannes Schindelin via GitGitGadget wrote: > From: Johannes Schindelin <johannes.schindelin@gmx.de> > > The large `switch` statement makes it a bit impractical to reason about > the code. > > One of the code paths can technically lead to using `size` without being > initialized: if the `t` case is taken and the type name is set to the > empty string, we would actually leave `size` unintialized right until we > use it. I don't think that's quite true. If we have an empty type name we leave the switch and hit these lines: if (!buf) die("git cat-file %s: bad file", obj_name); write_or_die(1, buf, size); Since we set buf to NULL before the switch and never touch it in the 't' case, we'll always hit that die() call. So this really is a false positive, regardless of what happens to the type name buffer. I'm a little surprised that CodeQL would get this wrong, just because it is very easy to see that buf is not touched in the 't' case at all (and thus must be NULL). But maybe I'm missing something. I do agree that the flow through the switch statement (where "break" is good for some cases and a failure mode for others) makes this code rather hard to reason about. I'm sure it could be rewritten, but I'm not sure if it's worth spending time on. > Practically, this cannot happen because the > `do_oid_object_info_extended()` function is expected to always populate > the `type_name` if asked for. However, it is quite unnecessary to leave > the code as unwieldy to reason about: Just initialize the variable to 0 > and be done with it. You can trigger the path in question like this: oid=$(echo foo | git hash-object --literally --stdin -w -t '') git cat-file --allow-unknown -t $oid which hits the "bad file" message. (Obviously the above is horrible and arguably something we should consider forbidding; I have some patches moving towards ripping out support for non-standard types entirely). > diff --git a/builtin/cat-file.c b/builtin/cat-file.c > index b13561cf73b..128c901fa8e 100644 > --- a/builtin/cat-file.c > +++ b/builtin/cat-file.c > @@ -104,7 +104,7 @@ static int cat_one_file(int opt, const char *exp_type, const char *obj_name, > struct object_id oid; > enum object_type type; > char *buf; > - unsigned long size; > + unsigned long size = 0; So even though I think your analysis above had a few wrong details, I do agree this is a false positive in CodeQL and is probably OK to fix as you do here. Though it might make more sense to do it alongside the assignment to "buf" (or to move the initialization of "buf" up here). -Peff
diff --git a/builtin/cat-file.c b/builtin/cat-file.c index b13561cf73b..128c901fa8e 100644 --- a/builtin/cat-file.c +++ b/builtin/cat-file.c @@ -104,7 +104,7 @@ static int cat_one_file(int opt, const char *exp_type, const char *obj_name, struct object_id oid; enum object_type type; char *buf; - unsigned long size; + unsigned long size = 0; struct object_context obj_context = {0}; struct object_info oi = OBJECT_INFO_INIT; struct strbuf sb = STRBUF_INIT;