Integer Overflow or Wraparound #1804

ovidiu-benea · 2017-07-11T06:27:07Z

Ran a Veracode (https://www.veracode.com) static scan of our application windows 32-bit binaries that are using poco library.
Used the following compiler/linker flags, see "Compilation Instructions for C/C++ on Windows" here:
https://help.veracode.com/reader/4EKhlLSMHm5jC8P8j3XccQ/3Lu03OATx74TyUh~WCn8wQ
It found 1 very high security issue in poco library:
Integer Overflow or Wraparound in: foundation/src/sha1engine.cpp line: 53

poco version: 1.7.8-all (2017-02-22)

Operating system: Windows 10 Pro

Expected: No very high security issues.

obiltschnig · 2017-07-11T07:23:46Z

I would categorize this as false positive. The function does what it's supposed to do, although it may be more appropriate to use Poco::ByteOrder methods.

obiltschnig self-assigned this Jul 11, 2017

obiltschnig added the enhancement label Jul 11, 2017

obiltschnig added this to the Release 1.8.0 milestone Jul 11, 2017

komainu8 mentioned this issue Jul 16, 2017

Improve convert to big-endian from little-endian (#1804) #1815

Merged

aleks-f pushed a commit that referenced this issue Jul 17, 2017

Improve convert to big-endian from little-endian (#1804) (#1815)

1e4ee01

obiltschnig added the fixed label Nov 7, 2017

obiltschnig closed this as completed Nov 8, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integer Overflow or Wraparound #1804

Integer Overflow or Wraparound #1804

ovidiu-benea commented Jul 11, 2017

obiltschnig commented Jul 11, 2017

Integer Overflow or Wraparound #1804

Integer Overflow or Wraparound #1804

Comments

ovidiu-benea commented Jul 11, 2017

obiltschnig commented Jul 11, 2017