CodeQL: CWE-252

CWE-252: Unchecked Return Value

The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

As the name says, an Unchecked Return Value is simply code that fails to check what a function or method returned. Checking error returns matters because that is how the program learns that a call failed and enters the matching error-handling path; without the check it carries on as if the call had succeeded, with whatever invalid state the failure left behind (a NULL pointer, a partially written buffer, privileges that were never actually dropped). The classic case is a malloc() whose result is never compared against NULL. Related weaknesses are CWE-754 (Improper Check for Unusual or Exceptional Conditions), CWE-273 (Improper Check for Dropped Privileges) and CWE-476 (NULL Pointer Dereference).
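The two faces of the weakness described above, as an added example that is not code from the original post or from CodeQL's own test suite: an unchecked malloc() beside its checked form, plus the same pattern for a non-allocating API, strtol(). The `xalloc` wrapper and the `fail_next_alloc` flag are hypothetical test seams introduced only so the allocation-failure path can be reproduced deterministically.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical test seam (not part of any real allocator API): lets the NULL
 * return of malloc() be triggered on demand, so the checked version can be
 * exercised without exhausting memory. */
static int fail_next_alloc = 0;

static void *xalloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        errno = ENOMEM;
        return NULL;
    }
    return malloc(n);
}

/* CWE-252: the allocator's return value is never checked. On failure `copy` is
 * NULL and memcpy() dereferences it (CWE-476). Kept as the 'before' case. */
char *dup_unchecked(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = xalloc(n);
    memcpy(copy, s, n);          /* NULL dereference if the allocation failed */
    return copy;
}

/* Fixed: the fallible call is checked and the failure is propagated to the
 * caller instead of being silently ignored. */
char *dup_checked(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = xalloc(n);
    if (copy == NULL)
        return NULL;             /* errno is ENOMEM; the caller must handle it */
    memcpy(copy, s, n);
    return copy;
}

/* Same weakness with a parsing API: strtol() reports failure through its end
 * pointer and errno, which callers routinely ignore. Returns the port on
 * success, or -1 unless the whole string is a number in 1..65535. */
int parse_port(const char *text)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0')   /* no digits, or trailing garbage */
        return -1;
    if (errno == ERANGE || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Drives the checked copy through the success path; 1 if the copy matches. */
int copy_roundtrip(const char *s)
{
    char *c = dup_checked(s);
    if (c == NULL)
        return 0;
    int same = strcmp(c, s) == 0;
    free(c);
    return same;
}

/* Drives the checked copy through a forced allocation failure; 1 if it
 * reported the failure (NULL + ENOMEM) instead of crashing. */
int checked_copy_survives_alloc_failure(const char *s)
{
    fail_next_alloc = 1;
    char *c = dup_checked(s);
    return c == NULL && errno == ENOMEM;
}

int main(void)
{
    /* Only the checked variant is driven through the failure path; calling
     * dup_unchecked() with fail_next_alloc set would crash the process. */
    return (copy_roundtrip("hello") &&
            checked_copy_survives_alloc_failure("hello") &&
            parse_port("443") == 443 &&
            parse_port("443x") == -1) ? 0 : 1;
}
```

The same shape covers CWE-273: a setuid() whose result is ignored leaves the process with its original privileges on failure while the rest of the code assumes they were dropped, so the check and the error path are what turn a CWE-252 finding into a real fix.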

Read more

CVE-2018-1336 and CVE-2018-8034

CVE-2018-1336

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Read more