From bf05c1670a126c7434aa21a3bfeac8da076471e0 Mon Sep 17 00:00:00 2001
From: Maxim Laschinksy
Date: Tue, 16 Sep 2025 17:40:29 +0200
Subject: [PATCH 1/2] fix for static code analysis issue CERT_C-MSC37-a-2 in lceasy.c line 133: Function 'lcurl_easy_cleanup_storage' should have return at the end of each execution path rule-id: CERT_C-MSC37-a-2
---
 src/lceasy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lceasy.c b/src/lceasy.c
index ad48022..4fc4c78 100644
--- a/src/lceasy.c
+++ b/src/lceasy.c
@@ -130,7 +130,7 @@ static int lcurl_easy_to_s(lua_State *L){
 return 1;
 }
-static int lcurl_easy_cleanup_storage(lua_State *L, lcurl_easy_t *p){
+static void lcurl_easy_cleanup_storage(lua_State *L, lcurl_easy_t *p){
 int i;
 if(p->storage != LUA_NOREF){
From 571b0b30f90c5b89c7325f8f7396f4760f8f8e2f Mon Sep 17 00:00:00 2001
From: Maxim Laschinksy
Date: Wed, 17 Sep 2025 17:29:06 +0200
Subject: [PATCH 2/2] fix problem with 0-length string message: Non-initialized "ptr" is passed to "lua_pushlstring" as const When input length is zero the transformation loop does not run, leaving buffer contents uninitialized. Although lua_pushlstring with length 0 would not read from ptr, some static analyzers flag this as use of uninitialized data. Provide explicit fast-path for n==0 to make intent clear and silence warnings (CERT_C-EXP33-a-1).
---
 src/lcurl.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/lcurl.c b/src/lcurl.c
index e70680d..95df0ff 100644
--- a/src/lcurl.c
+++ b/src/lcurl.c
@@ -230,6 +230,11 @@ static int push_upper(lua_State *L, const char *str){
 size_t i, n = strlen(str);
 char *ptr = (n < sizeof(buffer))?&buffer[0]:malloc(n + 1);
 if (!ptr) return 1;
+ if (n == 0) {
+ lua_pushlstring(L, "", 0);
+ if(ptr != &buffer[0]) free(ptr);
+ return 0;
+ }
 for(i = 0; i < n; ++i){
 if( (str[i] > 96 ) && (str[i] < 123) ) ptr[i] = str[i] - 'a' + 'A';
 else ptr[i] = str[i];
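Review bot: In the `push_upper` hunk of src/lcurl.c, the added `if(ptr != &buffer[0]) free(ptr);` can never release anything. With `n == 0` the ternary on the context line above always selects the stack buffer, assuming `buffer` has non-zero size (its declaration is outside the hunk). The line is harmless, but it suggests a heap path that cannot occur here. Either drop it or mark it, for example `/* n == 0 always uses the stack buffer; free() kept only to mirror the normal exit */`. The fast path returns 0 after pushing a value, while the allocation-failure line returns 1 without pushing, so a one-line comment on what the return value means to callers would help; the rest of the function is outside the hunk.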