fix(security): close codeql findings #1 and #2

Two CodeQL alerts opened against the codeql-manual-build workflow's
first scan. Both real, both small fixes.

#1 Medium / Workflow does not contain permissions
   build.yml runs read-only against the repo (no push, no release
   creation, no API mutations) but never declared a permissions
   block, so the default GITHUB_TOKEN scope applied. Pin to
   contents: read at workflow level. Release and CodeQL workflows
   already have their explicit minimal scopes.

#2 Critical / Unvalidated local pointer arithmetic
   ImGuiUtil.WrappedTextWithPos splits its input on newlines and
   passes each part through Encoding.UTF8.GetBytes inside a fixed
   block. Empty splits (consecutive newlines, blank lines) produced
   a zero-length byte array, fixed gave us a valid pointer, and
   textEnd = text + bytes.Length collapsed onto text. The downstream
   ImGuiNative.CalcWordWrapPositionA calls received identical start
   and end pointers, which is undefined behaviour at the native
   boundary even if it happens to no-op on the current ImGui build.
   Bail before entering the fixed block when bytes.Length == 0 and
   render an empty line for the gap, which is what the original
   text == null guard was trying to do but could never reach inside
   a fixed block over a non-null array.
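Added example, not the project's code: a C# sketch of the guard the commit describes, with a hypothetical `WordWrapPosition` standing in for `ImGuiNative.CalcWordWrapPositionA` so it runs without ImGui. It assumes ASCII-width columns and a project compiled with unsafe blocks enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

static class WrapGuardExample
{
    // Hypothetical stand-in for the native word-wrap call: a C-style
    // [text, textEnd) range. An empty range is treated as a contract
    // violation, which is what the zero-length pin produced.
    static unsafe byte* WordWrapPosition(byte* text, byte* textEnd, int maxColumns)
    {
        if (text == textEnd)
            throw new ArgumentException("empty range handed to native boundary");
        byte* p = text;
        byte* lastSpace = null;
        int col = 0;
        while (p < textEnd && col < maxColumns)
        {
            if (*p == (byte)' ') lastSpace = p;
            p++; col++;
        }
        if (p == textEnd) return textEnd;          // whole piece fits
        return lastSpace != null ? lastSpace : p;  // wrap at last space, else hard-break
    }

    // Split on newlines and wrap each piece. Empty pieces never reach the
    // fixed block: they become blank lines, the fix the commit message describes.
    public static unsafe List<string> WrapLines(string text, int maxColumns)
    {
        var lines = new List<string>();
        if (text == null) return lines;
        foreach (string part in text.Split('\n'))
        {
            byte[] bytes = Encoding.UTF8.GetBytes(part);
            if (bytes.Length == 0) { lines.Add(string.Empty); continue; }  // the guard
            fixed (byte* start = bytes)
            {
                byte* cur = start;
                byte* end = start + bytes.Length;
                while (cur < end)
                {
                    byte* wrap = WordWrapPosition(cur, end, maxColumns);
                    if (wrap == cur) wrap = cur + 1;  // always make progress
                    lines.Add(Encoding.UTF8.GetString(cur, (int)(wrap - cur)).TrimEnd());
                    cur = wrap;
                    while (cur < end && *cur == (byte)' ') cur++;  // drop the separator
                }
            }
        }
        return lines;
    }
}
```

Calling `WrapLines("hello world\n\nfoo bar baz", 8)` exercises the blank-line path that previously reached the native call with `text == textEnd`.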
2026-05-02 23:25:41 +02:00
parent 6e8fcc8cc3
commit 53c432a635
2 changed files with 20 additions and 7 deletions
@@ -11,6 +11,13 @@ on:
branches: [main]
workflow_dispatch:
# Minimum permissions for a build-only workflow: read the repo, nothing
# else. Closes the CodeQL "Workflow does not contain permissions" alert
# and matches the principle-of-least-privilege the security guide
# recommends for workflows that don't push or create releases.
permissions:
contents: read
jobs:
build:
name: Build (Release)
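Review bot: the comment above the `permissions:` block cites "the security guide" without naming the file or section; add the path so the reference can be followed from the workflow. Also confirm that no step in the `build` job needs a scope beyond `contents: read` (checkout and compile do not, but any step that calls the GitHub API or writes check results will now fail at run time rather than at lint time), since a workflow-level block overrides the default token for every job.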