Stephen Frost <sfr...@snowman.net> writes:
> * Joe Conway (m...@joeconway.com) wrote:
>> FWIW, strcpy() was being used in src/bin/pg_config/pg_config.c that I
>> started with -- does that mean we are not getting Coverity coverage of
>> src/bin?
> Coverity does run against src/bin also. It's possible this was
> identified as an issue in pg_config.c, but, as Tom notes, it may not be
> an actual bug and might have been marked as a non-bug in Coverity.
It looks to me like the previous coding was
static char mypath[MAXPGPATH];
...
char path[MAXPGPATH];
...
strcpy(path, mypath);
so Coverity probably didn't complain because it could see that the source
was also a buffer of size MAXPGPATH. With the new arrangement it was
probably using an assumption that get_configdata() could be called with
any length of string.
I am not sure how much cross-file analysis Coverity does --- it seems to
do some, but in other cases it acts like it doesn't know anything about
the call sites. It's possible that it did know that the existing callers
all use MAXPGPATH-sized buffers, but whined anyway on the not-unreasonable
grounds that global functions should be prepared for new callers.
regards, tom lane
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
