-
Notifications
You must be signed in to change notification settings - Fork 222
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CodeQL is reporting "Security" issues in Jamulus source #3161
Comments
Agree. Security issues must be taken seriously! It's a numeric overflow - maybe we need to use a greater immediate type? |
Currently, the CodeQL process appears to kick off only when a "build all targets" autobuild runs. I've not yet understood when the Security tab picks the results up - it appears there's a configuration somewhere that's related to the above, but I'm not sure how. @hoffie if you're around, can you remember? |
I've pushed a branch to my repo that I think should fix this easily. See softins@e12c000 It compiles without warnings and doesn't appear to flag the branch under Security. I can raise it as an alternative PR to #3162 if @pljones is happy. |
In fact, an even better solution is to completely remove the multiplication from the index, and just step an index by the multiplication factor. See softins@a3885ac I can raise this as a PR instead if @pljones is happy. |
Yep, looks good. |
Fix overflow warnings from loop index #3161
Describe the bug
CodeQL has been reporting the following "Security" issues in
src/client.cpp
:which were closed as "Won't fix". Re-opening this as an issue.
To Reproduce
View the "Security" tab, "Code scanning alerts"->"View alerts" with the "open" filter removed.
Expected behavior
We shouldn't have any type "High" security defects.
Every build should report the CodeQL security defects in Jamulus src clearly.
The text was updated successfully, but these errors were encountered: