[Autofix][high] Alert #62: Incorrect allocation-error handling #118

Draft
xengine-qyt wants to merge 1 commit into develop from autofix/high/alert-62


@xengine-qyt (Contributor)

🤖 Copilot Autofix Automated Fix Report

📋 Basic Information

| Field | Content |
| --- | --- |
| Alert ID | #62 |
| Severity | high |
| Rule name | Incorrect allocation-error handling |
| Affected file | `XEngine_Source/AuthorizeModule_Configure/ModuleConfigure_Json/ModuleConfigure_Json.cpp`, line 287 |
| CWE classification | external/cwe/cwe-252, external/cwe/cwe-570, external/cwe/cwe-755 |
| Rule tags | correctness, external/cwe/cwe-252, external/cwe/cwe-570, external/cwe/cwe-755, security |

🔍 Problem Description

Incorrect allocation-error handling

Different overloads of the `new` operator handle allocation failures in different ways. If `new T` fails for some type `T`, it throws a `std::bad_alloc` exception, but `new(std::nothrow) T` returns a null pointer. If the programmer does not use the corresponding method of error handling, allocation failure may go unhandled and could cause the program to behave in unexpected ways.

Recommendation

Make sure that exceptions are handled appropriately if `new T` is used. On the other hand, make sure to handle the possibility of null pointers if `new(std::nothrow) T` is used.

Example

```cpp
// BAD: the allocation will throw an unhandled exception
// instead of returning a null pointer.
void bad1(std::size_t length) noexcept {
 int* dest = new int[l
```

---

### 🤖 AI Fix Approach

To fix this correctly, make allocation semantics match the existing null-pointer error path.

Best approach (without changing existing functionality):  
- In `XEngine_Source/AuthorizeModule_Configure/ModuleConfigure_Json/ModuleConfigure_Json.cpp`, replace `new list<string>` with `new (std::nothrow) list<string>`.
- Keep the existing `NULL` check and error-code handling unchanged.
- Add `#include <new>` in this file so `std::nothrow` is available.

This preserves current control flow (return `false` + set module error code on allocation failure) and removes the mismatch flagged by CodeQL.

---

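### ✅ Review Checklist

- [ ] Understood the cause of the vulnerability and the scope of its impact
- [ ] Confirmed that the AI fix logic is correct and no edge cases were missed
- [ ] Confirmed that the fix does not change the original business logic
- [ ] Confirmed that no new security issues were introduced
- [ ] CI / unit tests all pass
- [ ] Where necessary, corresponding test cases have been added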

---

> This PR was automatically generated by GitHub Copilot Autofix; please review it carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
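
The mismatch described in this PR, as an added example that is not the project's code or part of the original post: the `NULL` check is unreachable after plain `new` and only takes effect with `new (std::nothrow)`. `StringList`, `g_fail_alloc`, the `LoadResult` codes and the function names are hypothetical stand-ins, and the class-specific allocation functions exist only to force a failure deterministically.

```cpp
#include <cstddef>
#include <list>
#include <new>
#include <string>

static bool g_fail_alloc = false;  // constructed switch: simulate out-of-memory

// Stand-in for list<string> whose allocation can be made to fail on demand.
struct StringList : std::list<std::string> {
    void* operator new(std::size_t n) {            // throwing form
        if (g_fail_alloc) throw std::bad_alloc();
        return ::operator new(n);
    }
    void* operator new(std::size_t n, const std::nothrow_t&) noexcept {
        return g_fail_alloc ? nullptr : ::operator new(n, std::nothrow);
    }
    void operator delete(void* p) noexcept { ::operator delete(p); }
};

enum LoadResult { LOAD_OK, LOAD_ERR_MALLOC, LOAD_UNCAUGHT_BAD_ALLOC };

// Before: plain new never yields NULL, so the error path below is dead code
// and the failure leaves the function as an exception instead.
LoadResult load_before() {
    StringList* p = new StringList;
    if (p == NULL) return LOAD_ERR_MALLOC;
    delete p;
    return LOAD_OK;
}

// After: nothrow new returns NULL on failure, so the existing check is reached.
LoadResult load_after() {
    StringList* p = new (std::nothrow) StringList;
    if (p == NULL) return LOAD_ERR_MALLOC;
    delete p;
    return LOAD_OK;
}

// Runs one variant with or without a simulated allocation failure.
LoadResult run(LoadResult (*fn)(), bool fail) {
    LoadResult r;
    g_fail_alloc = fail;
    try { r = fn(); } catch (const std::bad_alloc&) { r = LOAD_UNCAUGHT_BAD_ALLOC; }
    g_fail_alloc = false;
    return r;
}

int main() { return run(load_after, true) == LOAD_ERR_MALLOC ? 0 : 1; }
```

Only the allocation of the list object itself becomes non-throwing; later insertions into the list still allocate through its allocator and can throw `std::bad_alloc`.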