libgis/r.gwflow: fixed security vulnerabilities and weaknesses (#3549)

This fixes three vulnerabilities/weaknesses found with older scans of Coverity: - Issue 1208372 in lib/gis/error.c concerns an unbounded read of an environment variable into memory. An attacker could overwrite the environment variable that is accessed by G__home() and exploit it to overflow the buf array. - Issue 1501330 in lib/gis/mapset_msc.c concerns writing into an array that is not null terminated. If the path variable was not null terminated, the write could fill the whole array with data without a null terminator, causing trouble down the line. - Issue 1207344 in raster/r.gwflow/main.c concerns a constant variable guarding dead code. This is not exactly a security vulnerability, but is a code quality issue I was able to easily fix.
OSGeo · Apr 7, 2024 · dec4266 · dec4266
1 parent 9f49630
commit dec4266
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 7 deletions.
diff --git a/lib/gis/error.c b/lib/gis/error.c
@@ -370,7 +370,7 @@ void G_init_logging(void)
     if (!logfile) {
         char buf[GPATH_MAX];
 
-        sprintf(buf, "%s/GIS_ERROR_LOG", G__home());
+        snprintf(buf, GPATH_MAX, "%s/GIS_ERROR_LOG", G__home());
         logfile = G_store(buf);
     }
 

diff --git a/lib/gis/mapset_msc.c b/lib/gis/mapset_msc.c
@@ -183,14 +183,15 @@ int G_make_mapset_object_group_basedir(const char *type, const char *basedir)
 int make_mapset_element_impl(const char *p_path, const char *p_element,
                              bool race_ok)
 {
-    char path[GPATH_MAX], *p;
+    char path[GPATH_MAX] = {'\0'};
+    char *p;
     const char *element;
 
     element = p_element;
     if (*element == 0)
         return 0;
 
-    strncpy(path, p_path, GPATH_MAX);
+    strncpy(path, p_path, GPATH_MAX - 1);
     p = path;
     while (*p)
         p++;

diff --git a/raster/r.gwflow/main.c b/raster/r.gwflow/main.c
@@ -212,7 +212,6 @@ int main(int argc, char *argv[])
     N_gradient_field_2d *field = NULL;
     N_array_2d *xcomp = NULL;
     N_array_2d *ycomp = NULL;
-    char *buff = NULL;
     int with_river = 0, with_drain = 0;
 
     /* Initialize GRASS */
@@ -460,9 +459,6 @@ int main(int argc, char *argv[])
 
         N_write_array_2d_to_rast(xcomp, param.vector_x->answer);
         N_write_array_2d_to_rast(ycomp, param.vector_y->answer);
-        if (buff)
-            G_free(buff);
-
         if (xcomp)
             N_free_array_2d(xcomp);
         if (ycomp)