Skip to content

ICU-23251 Fix static analyzer bugs #3758

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

ICU-23251 Fix static analyzer bugs #3758

wants to merge 1 commit into from

Conversation

@poliudian-iv
Copy link
Contributor

@poliudian-iv poliudian-iv commented Oct 31, 2025
edited by markusicu
Loading

Bugs identified by the static analyzers when analyzing the chromium source code (part 3)

icu4c/source/i18n/rbt_pars.cpp - "Out of bound access to memory preceding the field 'preContext'"
icu4c/source/common/cstring.cpp - "Out of bound access to memory" if n == INT_MAX
icu4c/source/i18n/rematch.cpp - "Out of bound access to memory preceding the field 'd'" at Regex8BitSet::contains() when c == -1;
icu4c/source/i18n/number_longnames.cpp - "Out of bound access to memory" at getMixedUnitModifier
icu4c/source/common/messagepattern.cpp - "Out of bound access to memory preceding the field 'postContext'" when index < msg.length()
icu4c/source/common/ubidiln.cpp - "Out of bound access to memory" when limit==0
icu4c/source/i18n/simpletz.cpp - "The left operand of '<' is a garbage value"

TODO: Fill out the checklist below.

Checklist

  • Required: Issue filed: ICU-23251
  • Required: The PR title must be prefixed with a JIRA Issue number. Example: "ICU-23251 Fix xyz"
  • Required: Each commit message must be prefixed with a JIRA Issue number. Example: "ICU-23251 Fix xyz"
  • Issue accepted (done by Technical Committee after discussion)
  • Tests included, if applicable
  • API docs and/or User Guide docs changed or added, if applicable
  • Approver: Feel free to merge on my behalf

@poliudian-iv poliudian-iv changed the title Fix static analyzer bugs ICU-23251 Fix static analyzer bugs Nov 1, 2025
@jira-pull-request-webhook
Copy link

jira-pull-request-webhook bot commented Nov 1, 2025

Hooray! The files in the branch are the same across the force-push. 😃

~ Your Friendly Jira-GitHub PR Checker Bot

roubert
roubert requested changes Nov 8, 2025
View reviewed changes
icu4c/source/common/messagepattern.cpp

// Set postContext to some of msg starting at index.
length=msg.length()-index;
length=msg.length()>index ? msg.length()-index : 0;
Copy link
Member

@roubert roubert Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this something that could reasonably happen? If not, I suggest instead adding the length condition to the first if-statement in this function and just do nothing at all if index is out of range. You might even add an U_ASSERT() statement to assert that this function never gets called with an invalid index value.

icu4c/source/i18n/rbt_pars.cpp
int32_t pos,
UErrorCode& status)
{
if (pos < 0) {
Copy link
Member

@roubert roubert Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, this is not something that should ever happen, assert (to get a nice human readable error message in debug builds if some bug causes it to happen even if it shouldn't) and then return immediately without doing anything.

icu4c/source/i18n/rematch.cpp
const UnicodeSet &s = RegexStaticSets::gStaticSets->fPropSets[opValue];
if (s.contains(c)) {
success = !success;
if (c >= 0) {
Copy link
Member

@roubert roubert Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't look right, UChar32 should be an unsigned data type, it shouldn't be possible for this value to be negative.

Copy link
Contributor Author

@poliudian-iv poliudian-iv Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UChar32 is int32_t
And U16_NEXT can return U_SENTINEL == -1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roubert roubert roubert requested changes

@eggrobin eggrobin Awaiting requested review from eggrobin

@markusicu markusicu Awaiting requested review from markusicu

@richgillam richgillam Awaiting requested review from richgillam

Requested changes must be addressed to merge this pull request.

Assignees

@roubert roubert

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@poliudian-iv @roubert