From 9fbf3e825561b54a332d19f48ab69908a58fada6 Mon Sep 17 00:00:00 2001
From: tsteven4 <13596209+tsteven4@users.noreply.github.com>
Date: Tue, 26 Jan 2021 10:58:32 -0700
Subject: [PATCH] fix some codeql warnings. (#663)
* fix some codeql warnings.
* use c++11 z length modifier in format strings with size_t format arguments.
* don't attempt to upload coverage if token is null or not set.
with the github action flow the CODACY_PROJECT_TOKEN is set and null for foreign pull requests that don't have access to the secrets.
* double protect token
---
 delgpl.cc | 4 ++--
 gtrnctr.cc | 2 +-
 jeeps/gpslibusb.cc | 3 +--
 jeeps/gpsusbcommon.cc | 2 +-
 mtk_logger.cc | 6 +++---
 skytraq.cc | 4 ++--
 tools/ci_tokens | 8 ++++----
 tools/travis_script_linux_coverage | 5 ++++-
 util.cc | 8 ++++----
 wbt-200.cc | 10 +++++-----
 10 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/delgpl.cc b/delgpl.cc
index 6e7ae6e4e..4b911793c 100644
--- a/delgpl.cc
+++ b/delgpl.cc
@@ -43,8 +43,8 @@ gpl_rd_init(const QString& fname)
 {
 gplfile_in = gbfopen_le(fname, "rb", MYNAME);
 if (sizeof(gpl_point_t) != 56) {
- fatal(MYNAME ": gpl_point is %lu instead of 56.\n",
- (unsigned long) sizeof(gpl_point_t));
+ fatal(MYNAME ": gpl_point is %zu instead of 56.\n",
+ sizeof(gpl_point_t));
 }
 }
diff --git a/gtrnctr.cc b/gtrnctr.cc
index 0d362f93c..efd134b80 100644
--- a/gtrnctr.cc
+++ b/gtrnctr.cc
@@ -348,7 +348,7 @@ gtc_fake_hdr(const computed_trkdata& tdata)
 }
 /* write these in either case, course or activity format */
- gtc_write_xml(0, "%d\n", secs);
+ gtc_write_xml(0, "%ld\n", secs);
 gtc_write_xml(0, "%.2f\n", tdata.distance_meters);
 if (gtc_course_flag) { /* course format */
 gtc_write_xml(1, "\n");
diff --git a/jeeps/gpslibusb.cc b/jeeps/gpslibusb.cc
index bcdd8d141..48014cc35 100644
--- a/jeeps/gpslibusb.cc
+++ b/jeeps/gpslibusb.cc
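Review bot: The size check in gpl_rd_init remains a runtime test of a compile-time fact, so a mis-sized gpl_point_t is only reported after gbfopen_le has already opened the input file on the line above. Since the file is C++ (QString in the signature), a `static_assert(sizeof(gpl_point_t) == 56, "gpl_point_t must be 56 bytes");` at file scope next to the struct would fail the build instead and let the `if`/`fatal` pair be dropped. The struct definition is outside the hunk, so its exact name and any packing attribute should be confirmed there before making the change.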
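Review bot: The new `%ld` on the gtc_write_xml line is only correct if `secs` is exactly `long`; its declaration is outside the hunk and not visible here. If it is a `time_t` or a 64-bit Qt integer type, `long` is 32 bits on LLP64 Windows builds and the width mismatch the commit is fixing simply returns there. Casting the argument to `long long` and printing it with `%lld` pins the width regardless of the declared type.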
@@ -133,8 +133,7 @@ gusb_libusb_send(const garmin_usb_packet* opkt, size_t sz)
 libusb_strerror(static_cast(ret)));
 }
 if (transferred != (int) sz) {
- warning("Bad cmdsend transferred %d sz %lud\n", transferred,
- (unsigned long) sz);
+ warning("Bad cmdsend transferred %d sz %zu\n", transferred, sz);
 }
 return transferred;
diff --git a/jeeps/gpsusbcommon.cc b/jeeps/gpsusbcommon.cc
index 47a320fd3..548c54885 100644
--- a/jeeps/gpsusbcommon.cc
+++ b/jeeps/gpsusbcommon.cc
@@ -163,7 +163,7 @@ gusb_cmd_send(const garmin_usb_packet* opkt, size_t sz)
 if (gps_show_bytes) {
 const unsigned short pkttype = le_read16(&opkt->gusb_pkt.databuf[0]);
 const unsigned short pkt_id = le_read16(&opkt->gusb_pkt.pkt_id);
- GPS_Diag("TX [%d]:", sz);
+ GPS_Diag("TX [%zu]:", sz);
 for (i=0; i 1024) {
- dbg(1, "Temp %s file exists. with size %d\n", qPrintable(TEMP_DATA_BIN),
+ dbg(1, "Temp %s file exists. with size %lu\n", qPrintable(TEMP_DATA_BIN),
 dsize);
 dpos = 0;
 init_scan = 1;
@@ -1302,7 +1302,7 @@ static int mtk_parse(unsigned char* data, int dataLen, unsigned int bmask)
 } else {
 dbg(1,"Missing '*' !\n");
 if (data[i] == 0xff) { // in some case star-crc hasn't been written on power off.
- dbg(1, "Bad data point @0x%.6x - skip %d bytes\n", (fl!=nullptr)?ftell(fl):-1, i+2);
+ dbg(1, "Bad data point @0x%.6lx - skip %d bytes\n", (fl!=nullptr)?ftell(fl):-1, i+2);
 return i+2; // include '*' and crc
 }
 }
@@ -1315,7 +1315,7 @@ static int mtk_parse(unsigned char* data, int dataLen, unsigned int bmask)
 }
 if (data[i] != crc) {
- dbg(0,"%2d: Bad CRC %.2x != %.2x (pos 0x%.6x)\n", count, data[i], crc, (fl!=nullptr)?ftell(fl):-1);
+ dbg(0,"%2d: Bad CRC %.2x != %.2x (pos 0x%.6lx)\n", count, data[i], crc, (fl!=nullptr)?ftell(fl):-1);
 }
 i++; // crc
 count++;
diff --git a/skytraq.cc b/skytraq.cc
index 5fd096402..9e92ddc06 100644
--- a/skytraq.cc
+++ b/skytraq.cc
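Review bot: In the two mtk_parse hunks (@@ -1302 and @@ -1315) the argument `(fl!=nullptr)?ftell(fl):-1` has type `long`, and the new `%.6lx` formats it as unsigned, so the `-1` sentinel for a missing file, and `ftell`'s own `-1L` error return, print as a 16-digit all-f offset rather than as a recognisable -1. Computing `long pos = fl ? ftell(fl) : -1L;` once and printing it with `%ld` when it is negative, or at least noting the sentinel rendering in a comment next to the format string, keeps the diagnostic honest. The enclosing function continues outside both hunks, so where `fl` is opened and whether ftell can fail there is not visible.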
@@ -1557,7 +1557,7 @@ static void miniHomer_get_poi()
 // todo - how to determine not-set POIs ?
 if (ecef_x < 100.0 && ecef_y < 100.0 && ecef_z < 100.0) {
- db(2, MYNAME" : skipped poi %d for X=%f, y=%f, Z=%f\n", ecef_x, ecef_y, ecef_z);
+ db(2, MYNAME" : skipped poi %u for X=%f, y=%f, Z=%f\n", poi, ecef_x, ecef_y, ecef_z);
 } else {
 ECEF_to_LLA(ecef_x, ecef_y, ecef_z, &lat, &lng, &alt);
@@ -1604,7 +1604,7 @@ static int miniHomer_set_poi(uint16_t poinum, const char* opt_poi)
 */
 int n = sscanf(opt_poi, "%lf:%lf:%lf", &lat, &lng, &alt);
 if (n >= 2) {
- db(3, "found %d elems '%s':poi=%s@%d, lat=%f, lng=%f, alt=%f over=%s\n", n, opt_poi, poinames[poinum], poinum, lat, lng, alt);
+ db(3, "found %d elems '%s':poi=%s@%d, lat=%f, lng=%f, alt=%f\n", n, opt_poi, poinames[poinum], poinum, lat, lng, alt);
 lla2ecef(lat, lng, alt, &ecef_x, &ecef_y, &ecef_z);
 db(1, MYNAME ": set POI[%s]='%f %f %f/%f %f %f'\n", poinames[poinum], lat, lng, alt, ecef_x, ecef_y, ecef_z);
 be_write16(MSG_SET_POI+1, poinum);
diff --git a/tools/ci_tokens b/tools/ci_tokens
index c7171763d..ff42cd6d2 100755
--- a/tools/ci_tokens
+++ b/tools/ci_tokens
@@ -8,16 +8,16 @@ # don't leak unhashed tokens!
 #!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 set +x
-if [ ! -z "${CODACY_PROJECT_TOKEN+x}" ] ; then
+if [ -n "${CODACY_PROJECT_TOKEN:+x}" ] ; then
 echo -n "CODACY_PROJECT_TOKEN hash: "
 echo -n "$CODACY_PROJECT_TOKEN" | openssl dgst -sha512 | cut -d " " -f 2
 else
- echo CODACY_PROJECT_TOKEN not set.
+ echo CODACY_PROJECT_TOKEN null or not set.
 fi
-if [ ! -z "${GITHUB_TOKEN+x}" ] ; then
+if [ -n "${GITHUB_TOKEN:+x}" ] ; then
 echo -n "GITHUB_TOKEN hash: "
 echo -n "$GITHUB_TOKEN" | openssl dgst -sha512 | cut -d " " -f 2
 else
- echo GITHUB_TOKEN not set.
+ echo GITHUB_TOKEN null or not set.
 fi
 set -x
diff --git a/tools/travis_script_linux_coverage b/tools/travis_script_linux_coverage
index 8cd6bd42f..acedd294d 100755
--- a/tools/travis_script_linux_coverage
+++ b/tools/travis_script_linux_coverage
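Review bot: In the miniHomer_set_poi hunk the `n >= 2` branch prints `alt=%f` on the new db(3, …) line and then passes `alt` to lla2ecef even when sscanf matched only two fields, so unless `alt` is initialized before the call (its declaration is outside the hunk) the two-field path reads and converts an indeterminate value. Either give it a defined default, `double alt = 0.0;`, or tighten the guard to `if (n == 3)` if a POI without an altitude is not meaningful for this device. The function continues outside the hunk, so the declaration should be checked there.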
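Review bot: The closing `set -x` re-enables xtrace unconditionally, so a caller or sourcing script that had tracing off gets it switched on for everything that follows this block; capturing the prior state first, `case $- in *x*) had_x=1;; esac` before `set +x` and `[ -n "$had_x" ] && set -x` at the end, restores exactly what was there. `echo -n` is also not portable across `sh` implementations, and a shell that prints `-n` literally would hash a different string than the token, so `printf '%s' "$CODACY_PROJECT_TOKEN" | openssl dgst -sha512 | cut -d " " -f 2` is the safer spelling for both hash lines. The shebang is outside the hunk, so whether the script is bash-only is not visible here.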
@@ -15,7 +15,10 @@ make -j 3 coverage
 #!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 # don't leak unhashed tokens!
 #!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-if [ -v CODACY_PROJECT_TOKEN ] ; then
+set +x
+# this shell parameter expansion also protects the token from accidental exposure
+# by substituting x for the token if the token is set and not null.
+if [ -n "${CODACY_PROJECT_TOKEN:+x}" ] ; then
 # upload coverate report to codacy.
 bash <(curl -Ls https://coverage.codacy.com/get.sh) report -l CPP -r gpsbabel_coverage.xml
 else
diff --git a/util.cc b/util.cc
index 8c88cee2a..96390bdae 100644
--- a/util.cc
+++ b/util.cc
@@ -67,7 +67,7 @@ xmalloc(size_t size)
 void* obj = malloc(size);
 if (!obj) {
- fatal("gpsbabel: Unable to allocate %ld bytes of memory.\n", (unsigned long) size);
+ fatal("gpsbabel: Unable to allocate %zu bytes of memory.\n", size);
 }
 return obj;
@@ -79,7 +79,7 @@ xcalloc(size_t nmemb, size_t size)
 void* obj = calloc(nmemb, size);
 if (!obj) {
- fatal("gpsbabel: Unable to allocate %ld units of %ld bytes of memory.\n", (unsigned long) nmemb, (unsigned long) size);
+ fatal("gpsbabel: Unable to allocate %zu units of %zu bytes of memory.\n", nmemb, size);
 }
 return obj;
@@ -97,7 +97,7 @@ xstrdup(const char* s)
 char* o = s ? strdup(s) : strdup("");
 if (!o) {
- fatal("gpsbabel: Unable to allocate %ld bytes of memory.\n", (unsigned long) strlen(s));
+ fatal("gpsbabel: Unable to allocate %zu bytes of memory.\n", strlen(s));
 }
 return o;
@@ -135,7 +135,7 @@ xrealloc(void* p, size_t s)
 char* o = (char*) realloc(p, s);
 if (!o) {
- fatal("gpsbabel: Unable to realloc %ld bytes of memory.\n", (unsigned long) s);
+ fatal("gpsbabel: Unable to realloc %zu bytes of memory.\n", s);
 }
 return o;
diff --git a/wbt-200.cc b/wbt-200.cc
index 0df98eb75..3121eceb7 100644
--- a/wbt-200.cc
+++ b/wbt-200.cc
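Review bot: The added `set +x` has no matching `set -x` inside the hunk, so every step after the upload block also runs untraced; if that is intended it deserves a word in the new comment, otherwise add `set -x` after the closing `fi`, which lies beyond the hunk. The `${CODACY_PROJECT_TOKEN:+x}` expansion does keep the token out of any trace, as the comment says, and it also replaces the bash-only `[ -v … ]` with a POSIX test, which is worth mentioning there too. Separately, the unchanged `bash <(curl -Ls …)` line executes an unpinned remote script with the token present in its environment; pinning a checksummed release of the uploader bounds how far that secret can travel.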
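Review bot: The new xstrdup failure line still evaluates `strlen(s)` while the line above explicitly allows `s` to be null (it duplicates `""` in that case), so an allocation failure on a null input dereferences a null pointer inside the error path instead of reporting it. Guard the length the same way, `fatal("gpsbabel: Unable to allocate %zu bytes of memory.\n", s ? strlen(s) + 1 : 1);`, which also reports the terminating byte that strdup actually allocates. The other three util.cc hunks only change the format width and need nothing further.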
@@ -226,8 +226,8 @@ static void buf_update_checksum(struct buf_head* h, const void* data, size_t len
 {
 auto* cp = (unsigned char*) data;
- db(4, "Updating checksum with %p, %lu, before: %02x ",
- data, (unsigned long) len, h->checksum);
+ db(4, "Updating checksum with %p, %zu, before: %02x ",
+ data, len, h->checksum);
 for (unsigned i = 0; i < len; i++) {
 h->checksum ^= cp[i];
 }
@@ -678,7 +678,7 @@ static int want_bytes(struct buf_head* h, size_t len)
 {
 char buf[512];
- db(3, "Reading %lu bytes from device\n", (unsigned long) len);
+ db(3, "Reading %zu bytes from device\n", len);
 while (len > 0) {
 size_t want = sizeof(buf);
@@ -739,7 +739,7 @@ static void wbt200_data_read()
 fatal(MYNAME ": Internal error: formats not ordered in ascending size order\n");
 }
- db(3, "Want %lu bytes of data\n", (unsigned long) want);
+ db(3, "Want %zu bytes of data\n", want);
 /* Top up the buffer */
 want_bytes(&st.data, want - st.data.used);
@@ -891,7 +891,7 @@ static int wbt201_read_chunk(struct read_state* st, unsigned pos, unsigned limit
 }
 if (cs != st->data.checksum) {
- db(2, "Checksums don't match. Got %02x, expected %02\n", cs, st->data.checksum);
+ db(2, "Checksums don't match. Got %02lx, expected %02\n", cs, st->data.checksum);
 return 0;
 }
-- 
2.30.2
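Review bot: In buf_update_checksum the loop right after the changed db(4, …) call still indexes with `unsigned i` against a `size_t len`, so the index type is narrower than the bound it is compared with; `for (size_t i = 0; i < len; i++) {` matches the parameter and removes the sign/width mix the commit is otherwise cleaning up. The rest of the function is inside the hunk, so nothing else depends on the index type.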
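Review bot: The new db(2, …) line in wbt201_read_chunk still ends with `%02\n`, an incomplete conversion specification whose behavior is undefined, and its second argument `st->data.checksum` is never consumed, so the "expected" value never appears in the message. Since buf_update_checksum in the first hunk already prints `h->checksum` with `%02x`, the matching fix is `db(2, "Checksums don't match. Got %02lx, expected %02x\n", cs, st->data.checksum);`. The function continues outside the hunk, so the declared type of `cs` that motivated `%02lx` is not visible here and should be confirmed.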