[All] Security : memory management, destructors and al (sofa-framework#5904)

fredroy · web-flow · commit 9ad5aad59f55 · 2026-02-20T10:33:53.000+01:00
* fix unchecked fopen() return

* Incorrect fwrite return value check

  - Issue: fwrite() returns number of items written, not bytes. Comparison was incorrect.
  - Fix: Changed comparisons from == sizeof(DDSHeader) and == getImageSize() to == 1

* fix potential command injection with sanity check

* fix thread safety by replacing volatile with std::atomic

* polymorphic base classes were missing virtual destructors - this could cause undefined behavior when deleting derived objects through base pointers

* Replace raw new/delete with smart pointers and vectors, and fix memory leak in debug file

* fix test of pointer and test ftell result

* add a new file to harden code, and move function to escape strings

* fix deletion of index which is not an C-array anymore

* fix compilation

* fix linking
diff --git a/Sofa/Component/Constraint/Lagrangian/Model/src/sofa/component/constraint/lagrangian/model/BaseContactLagrangianConstraint.h b/Sofa/Component/Constraint/Lagrangian/Model/src/sofa/component/constraint/lagrangian/model/BaseContactLagrangianConstraint.h
@@ -40,6 +40,7 @@ namespace sofa::component::constraint::lagrangian::model
 // Every ContactParams should implement hasTangentialComponent
 struct BaseContactParams
 {
+    virtual ~BaseContactParams() = default;
     virtual bool hasTangentialComponent() const = 0;
 };
 
diff --git a/Sofa/Component/Mapping/NonLinear/src/sofa/component/mapping/nonlinear/DistanceFromTargetMapping.h b/Sofa/Component/Mapping/NonLinear/src/sofa/component/mapping/nonlinear/DistanceFromTargetMapping.h
@@ -43,6 +43,7 @@ class DistanceFromTargetMappingInternalData
 
 struct BaseDistanceFromTargetMapping
 {
+    virtual ~BaseDistanceFromTargetMapping() = default;
     virtual void updateTarget( unsigned index, SReal x, SReal y, SReal z ) = 0;
 };
 
diff --git a/Sofa/GL/src/sofa/gl/VideoRecorderFFMPEG.cpp b/Sofa/GL/src/sofa/gl/VideoRecorderFFMPEG.cpp
@@ -31,6 +31,7 @@
 #include <sofa/helper/system/FileSystem.h>
 using sofa::helper::system::FileSystem;
 #include <sofa/helper/Utils.h>
+#include <sofa/type/hardening.h>
 
 namespace sofa::gl
 {
@@ -114,7 +115,7 @@ bool VideoRecorderFFMPEG::init(const std::string& ffmpeg_exec_filepath, const st
        << " -pix_fmt " << codec // yuv420p " // " yuv444p "
        << " -crf 17 "
        << " -vf vflip "
-       << "\"" << m_filename << "\""; // @TODO C++14 : replace with std::quoted
+       << "\"" << sofa::type::hardening::escapeForShell(m_filename) << "\"";
 
     const std::string& command_line = ss.str();
 
diff --git a/Sofa/GUI/Common/src/sofa/gui/common/ArgumentParser.cpp b/Sofa/GUI/Common/src/sofa/gui/common/ArgumentParser.cpp
@@ -81,15 +81,21 @@ void ArgumentParser::parse()
     // the original argv and argc
     // TODO: upgrade cxxopts to v3 and remove this copy
 
-    // copy argv into a temporary
-    char** copyArgv = new char* [m_argc + 1];
-    for (int i = 0; i < m_argc; i++) {
-        const size_t len = strlen(m_argv[i]) + 1;
-        copyArgv[i] = new char[len];
-        strncpy(copyArgv[i], m_argv[i], len);
-        copyArgv[i][len - 1] = '\0';
+    // copy argv into a vector (automatic cleanup via RAII)
+    std::vector<std::string> argStrings;
+    argStrings.reserve(m_argc);
+    for (int i = 0; i < m_argc; i++) 
+    {
+        argStrings.emplace_back(m_argv[i]);
+    }
+
+    // build char* array pointing to the strings
+    std::vector<char*> copyArgv;
+    copyArgv.reserve(m_argc + 1);
+    for (auto& s : argStrings) {
+        copyArgv.push_back(s.data());
     }
-    copyArgv[m_argc] = nullptr;
+    copyArgv.push_back(nullptr);
 
     int copyArgc = m_argc;
 
@@ -98,7 +104,7 @@ void ArgumentParser::parse()
     {
         extra.clear();
         m_options.parse_positional("input-file");
-        const auto temp = m_options.parse(copyArgc, copyArgv);
+        const auto temp = m_options.parse(copyArgc, copyArgv.data());
         vecArg = temp.arguments();
     }
     catch (const cxxopts::exceptions::exception& e)
@@ -122,12 +128,6 @@ void ArgumentParser::parse()
             }
         }
     }
-
-    // delete argv copy
-    for (int i = 0; i < m_argc; i++) {
-        delete[] copyArgv[i];
-    }
-    delete[] copyArgv;
 }
 
 void ArgumentParser::showArgs()
diff --git a/Sofa/framework/Helper/src/sofa/helper/io/ImageDDS.cpp b/Sofa/framework/Helper/src/sofa/helper/io/ImageDDS.cpp
@@ -448,8 +448,8 @@ bool ImageDDS::save(std::string filename, int)
     }
 
     bool isWriteOk = true;
-    isWriteOk = isWriteOk && fwrite(&header, sizeof(DDSHeader), 1, file) == sizeof(DDSHeader);
-    isWriteOk = isWriteOk && fwrite(getPixels(), getImageSize(), 1, file) == getImageSize();
+    isWriteOk = isWriteOk && fwrite(&header, sizeof(DDSHeader), 1, file) == 1;
+    isWriteOk = isWriteOk && fwrite(getPixels(), getImageSize(), 1, file) == 1;
     fclose(file);
     if (!isWriteOk)
     {
diff --git a/Sofa/framework/Helper/src/sofa/helper/system/SetDirectory.cpp b/Sofa/framework/Helper/src/sofa/helper/system/SetDirectory.cpp
@@ -33,6 +33,7 @@
 #endif
 #include <cstring>
 #include <iostream>
+#include <memory>
 
 #include <sofa/helper/logging/Messaging.h>
 
@@ -192,18 +193,15 @@ std::string SetDirectory::GetProcessFullPath(const char* filename)
 #elif defined (__APPLE__)
     if (!filename || filename[0]!='/')
     {
-        char* path = new char[4096];
-        uint32_t size;
-        if ( _NSGetExecutablePath( path, &size ) != 0)
+        uint32_t size = 4096;
+        std::unique_ptr<char[]> path(new char[size]);
+        if ( _NSGetExecutablePath( path.get(), &size ) != 0)
         {
             //realloc
-            delete [] path;
-            path = new char[size];
-            _NSGetExecutablePath( path, &size );
+            path.reset(new char[size]);
+            _NSGetExecutablePath( path.get(), &size );
         }
-        std::string finalPath(path);
-        delete [] path;
-        return finalPath;
+        return std::string(path.get());
     }
 #endif
 
diff --git a/Sofa/framework/Helper/src/sofa/helper/system/thread/CircularQueue.h b/Sofa/framework/Helper/src/sofa/helper/system/thread/CircularQueue.h
@@ -151,8 +151,8 @@ class SOFA_HELPER_API OneThreadPerEnd
     template<class T, class OutputIterator>
     unsigned pop(T array[], unsigned maxSize, unsigned maxCapacity, OutputIterator out, unsigned outmaxsize, bool clear = true);
     
-    volatile unsigned head;
-    volatile unsigned tail;
+    std::atomic<unsigned> head;
+    std::atomic<unsigned> tail;
 };
 
 /**
diff --git a/Sofa/framework/Helper/src/sofa/helper/system/thread/debug.cpp b/Sofa/framework/Helper/src/sofa/helper/system/thread/debug.cpp
@@ -95,6 +95,7 @@ TraceProfile::TraceProfile(const char *name, int index, int size)
 TraceProfile::~TraceProfile()
 {
     delete[] name;
+    delete[] times;
 }
 
 void TraceProfile::addTime(int instant, int time)
diff --git a/Sofa/framework/Simulation/Core/src/sofa/simulation/task/DefaultTaskScheduler.h b/Sofa/framework/Simulation/Core/src/sofa/simulation/task/DefaultTaskScheduler.h
@@ -124,7 +124,7 @@ class SOFA_SIMULATION_CORE_API DefaultTaskScheduler : public TaskScheduler
             
     unsigned m_workerThreadCount;
             
-    volatile bool m_workerThreadsIdle;
+    std::atomic<bool> m_workerThreadsIdle;
             
     bool m_isClosing;
             
diff --git a/Sofa/framework/Simulation/Core/src/sofa/simulation/task/Task.h b/Sofa/framework/Simulation/Core/src/sofa/simulation/task/Task.h
@@ -45,8 +45,9 @@ class SOFA_SIMULATION_CORE_API Task
     class SOFA_SIMULATION_CORE_API Allocator
     {
     public:
+        virtual ~Allocator() = default;
         virtual void* allocate(std::size_t sz) = 0;
-                
+
         virtual void free(void* ptr, std::size_t sz) = 0;
     };
    
diff --git a/Sofa/framework/Type/src/sofa/type/hardening.h b/Sofa/framework/Type/src/sofa/type/hardening.h
@@ -72,4 +72,25 @@ bool safeStrToScalar(const std::string& s, ScalarType& result)
     return true;
 }
 
+/// Escape a string for safe use in a shell double-quoted context.
+/// Escapes: backslash, backtick, dollar, double-quote, and newline.
+inline std::string escapeForShell(const std::string& input)
+{
+    std::string result;
+    result.reserve(input.size() + 16);
+    for (const char c : input)
+    {
+        switch (c)
+        {
+        case '\\': result += "\\\\"; break;
+        case '"':  result += "\\\""; break;
+        case '$':  result += "\\$";  break;
+        case '`':  result += "\\`";  break;
+        case '\n': result += " ";    break;  // Replace newline with space
+        default:   result += c;      break;
+        }
+    }
+    return result;
+}
+
 } //namespace sofa::type::hardening
diff --git a/applications/plugins/ArticulatedSystemPlugin/src/ArticulatedSystemPlugin/bvh/BVHJoint.cpp b/applications/plugins/ArticulatedSystemPlugin/src/ArticulatedSystemPlugin/bvh/BVHJoint.cpp
@@ -198,6 +198,11 @@ int BVHJoint::getNumSegments(char *s)
 void BVHJoint::dump(char *fName, char *rootJointName)
 {
     FILE *f = fopen(fName,"w+");
+    if (f == nullptr)
+    {
+        msg_error("BVHJoint") << "Failed to open file for writing: " << fName;
+        return;
+    }
 
     fprintf(f,"Catheter_Name Walk\n\n");
     fprintf(f,"Number_of_Nodes %d\n", getNumJoints(rootJointName));
diff --git a/applications/plugins/SofaCUDA/src/sofa/gpu/cuda/CudaHexahedronTLEDForceField.cpp b/applications/plugins/SofaCUDA/src/sofa/gpu/cuda/CudaHexahedronTLEDForceField.cpp
@@ -250,14 +250,13 @@ void CudaHexahedronTLEDForceField::reinit()
     sofa::type::vector<float4> DhC2(2 * nbElems);
 
     // Element volume (useful to compute shape function global derivatives and Hourglass control coefficients)
-    float * Volume = new float[nbElems];
+    sofa::type::vector<float> Volume(nbElems);
     // Allocates the texture data for Jacobian determinants
     sofa::type::vector<float> DetJ(nbElems);
 
     // Retrieves force coordinates (slice number and index) for each node
     sofa::type::vector<int2> FCrds(nbVertex * nbElementPerVertex, {-1, -1});
-    int * index = new int[nbVertex];
-    memset(index, 0, nbVertex*sizeof(int));
+    sofa::type::vector<int> index(nbVertex, 0);
 
 
     // Stores list of nodes for each element
@@ -372,7 +371,6 @@ void CudaHexahedronTLEDForceField::reinit()
      * Initialises GPU textures with the precomputed arrays for the TLED algorithm
      */
     InitGPU_TLED(nbElementPerVertex, nbVertex, nbElems);
-    delete [] index;
 
 
     /**
diff --git a/applications/plugins/SofaCUDA/src/sofa/gpu/cuda/CudaTetrahedronTLEDForceField.cpp b/applications/plugins/SofaCUDA/src/sofa/gpu/cuda/CudaTetrahedronTLEDForceField.cpp
@@ -295,8 +295,7 @@ void CudaTetrahedronTLEDForceField::reinit()
 
     // Retrieves force coordinates (slice number and index) for each node
     sofa::type::vector<int2> FCrds(nbVertex * nbElementPerVertex, {-1, -1});
-    int * index = new int[nbVertex];
-    memset(index, 0, nbVertex*sizeof(int));
+    sofa::type::vector<int> index(nbVertex, 0);
 
     // Stores list of nodes for each element
     sofa::type::vector<int4> nodesPerElement(nbElems);
@@ -369,7 +368,6 @@ void CudaTetrahedronTLEDForceField::reinit()
     /** Initialises GPU textures with the precomputed arrays for the TLED algorithm
      */
     InitGPU_TetrahedronTLED(nbElementPerVertex, nbVertex, nbElems);
-    delete [] index;
 
 
     /**
diff --git a/applications/plugins/SofaOpenCL/OpenCLProgram.cpp b/applications/plugins/SofaOpenCL/OpenCLProgram.cpp
@@ -206,7 +206,14 @@ bool OpenCLProgram::loadSource(const std::string& file_source, std::string* dest
 
     //chercher la taille du fichier
     fseek(file, 0, SEEK_END);
-    size = ftell(file);
+    long ftell_result = ftell(file);
+    if (ftell_result < 0)
+    {
+        std::cerr << "OPENCL Error: ftell failed for " << file_name << std::endl;
+        fclose(file);
+        return false;
+    }
+    size = static_cast<size_t>(ftell_result);
     fseek(file,0, SEEK_SET);
 
     //allouer la taille nécessaire pour que le tableau puisse accueillir le contenu du fichier
@@ -229,6 +236,7 @@ std::string OpenCLProgram::buildLog(int device)
     if (size == 0) return "";
 
     string = (char*)malloc(sizeof(char)*(size+1));
+    if (string == nullptr) return "";
     clGetProgramBuildInfo((cl_program)_program,   (cl_device_id)sofa::gpu::opencl::myopencldevice(device), CL_PROGRAM_BUILD_LOG, size, string, NULL);
     while (size > 0 && (string[size-1] == 0 || string[size-1] == ' ' || string[size-1] == '\n' || string[size-1] == '\r' || string[size-1] == '\t')) --size;
     if (size == 0) { free(string); return ""; }

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ namespace sofa::component::constraint::lagrangian::model`
`40`	`40`	`// Every ContactParams should implement hasTangentialComponent`
`41`	`41`	`struct BaseContactParams`
`42`	`42`	`{`
	`43`	`+ virtual ~BaseContactParams() = default;`
`43`	`44`	`virtual bool hasTangentialComponent() const = 0;`
`44`	`45`	`};`
`45`	`46`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ class DistanceFromTargetMappingInternalData`
`43`	`43`
`44`	`44`	`struct BaseDistanceFromTargetMapping`
`45`	`45`	`{`
	`46`	`+ virtual ~BaseDistanceFromTargetMapping() = default;`
`46`	`47`	`virtual void updateTarget( unsigned index, SReal x, SReal y, SReal z ) = 0;`
`47`	`48`	`};`
`48`	`49`
Original file line number	Diff line number	Diff line change
`@@ -448,8 +448,8 @@ bool ImageDDS::save(std::string filename, int)`
`448`	`448`	`}`
`449`	`449`
`450`	`450`	`bool isWriteOk = true;`
`451`		`- isWriteOk = isWriteOk && fwrite(&header, sizeof(DDSHeader), 1, file) == sizeof(DDSHeader);`
`452`		`- isWriteOk = isWriteOk && fwrite(getPixels(), getImageSize(), 1, file) == getImageSize();`
	`451`	`+ isWriteOk = isWriteOk && fwrite(&header, sizeof(DDSHeader), 1, file) == 1;`
	`452`	`+ isWriteOk = isWriteOk && fwrite(getPixels(), getImageSize(), 1, file) == 1;`
`453`	`453`	`fclose(file);`
`454`	`454`	`if (!isWriteOk)`
`455`	`455`	`{`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@ TraceProfile::TraceProfile(const char *name, int index, int size)`
`95`	`95`	`TraceProfile::~TraceProfile()`
`96`	`96`	`{`
`97`	`97`	`delete[] name;`
	`98`	`+ delete[] times;`
`98`	`99`	`}`
`99`	`100`
`100`	`101`	`void TraceProfile::addTime(int instant, int time)`