Skip to content

Fix CodeQL security issues #7985

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
joaosaffran merged 9 commits into from
Dec 10, 2025
Merged

Fix CodeQL security issues #7985

joaosaffran merged 9 commits into from
Dec 10, 2025
+14 −112

Conversation

@joaosaffran
Copy link
Collaborator

@joaosaffran joaosaffran commented Dec 5, 2025
edited
Loading

This path fixes 7 issues raised by codeql:

  • dxcapi.use.h - [SM01925] Uncontrolled process operation: Add comment, so the scan can ignore this issue.
  • ProgramTest.cpp - [SM01932] User-controlled data may not be null terminated: Add comment, so the scan can ignore this issue.
  • DxbcConverter.cpp - [SM01928] Comparison of narrow type with wide type in loop condition: Change affected variable to be unsigned instead of BYTE.
  • ExecutionTest.cpp - [SM01733] Too few arguments to formatting function: Remove an argument that didn't seem to be used.
  • DxbcUtil.cpp - [SM01928] Comparison of narrow type with wide type in loop condition: Cast the result of + operator back to BYTE, since it was implicit being cast to an int.
  • DSAclean.py - [SM03905] Inefficient regular expression: Script doesn't seem to be used anymore, so it is being removed.
  • CaptureCmd - [SM02167] Weak hashes : Script doesn't seem to be used anymore, so it is being removed.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 5, 2025
edited
Loading

✅ With the latest revision this PR passed the C/C++ code formatter.

inbelic
inbelic reviewed Dec 6, 2025
View reviewed changes
damyanp
damyanp requested changes Dec 8, 2025
View reviewed changes
Copy link
Member

@damyanp damyanp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments below, but also I think that the description should explain what the CodeQL issues are and how they've been addressed - particularly for the two files that have been deleted.

projects/dxilconv/lib/DxbcConverter/DxbcConverter.cpp Outdated
Comment on lines 6396 to 6397
for (unsigned int c = 0; c < SE.GetCols(); c++) {
unsigned int Comp = SE.GetStartCol() + c;
Copy link
Member

@damyanp damyanp Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: for better or worse, I think LLVM code tends to prefer unsigned to unsigned int. I'm not sure if that's an explicit coding standards thing or not though.

@github-project-automation github-project-automation bot moved this from New to In progress in HLSL Roadmap Dec 8, 2025
tex3d
tex3d reviewed Dec 8, 2025
View reviewed changes
projects/dxilconv/lib/DxbcConverter/DxbcUtil.cpp

CMask::CMask(BYTE StartComp, BYTE NumComp) {
DXASSERT(StartComp < DXBC::kAllCompMask && NumComp <= DXBC::kAllCompMask &&
(StartComp + NumComp - 1) < DXBC::kAllCompMask,
Copy link
Contributor

@tex3d tex3d Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this assert expression isn't correct:

  DXASSERT(StartComp < DXBC::kAllCompMask && NumComp <= DXBC::kAllCompMask &&
               (StartComp + NumComp - 1) < DXBC::kAllCompMask,

I think it should be this instead: (StartComp + NumComp) <= DXBC::kWidth

  DXASSERT(StartComp < DXBC::kWidth && NumComp <= DXBC::kWidth &&
               (StartComp + NumComp) <= DXBC::kWidth,

DXBC::kAllCompMask is 0x0F, which isn't the number of components available, but the mask with all components enabled.

With this corrected, I think @damyanp's comment below for having an assert like (StartComp + NumComp) < 256 is unnecessary.

@joaosaffran joaosaffran changed the title Fixing security issues flagged by CodeQL Fix CodeQL security issues Dec 8, 2025
@joaosaffran joaosaffran merged commit c5c9921 into microsoft:main Dec 10, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in HLSL Roadmap Dec 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tex3d tex3d tex3d left review comments

@damyanp damyanp damyanp approved these changes

@bob80905 bob80905 bob80905 approved these changes

+1 more reviewer

@inbelic inbelic inbelic approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

HLSL Roadmap
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@joaosaffran @tex3d @damyanp @bob80905 @inbelic @joaosaffran-zz