cppcheck/lib/checkbufferoverrun.h

/*
 * Cppcheck - A tool for static C/C++ code analysis
 * Copyright (C) 2007-2019 Cppcheck team.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */


//---------------------------------------------------------------------------
#ifndef checkbufferoverrunH
#define checkbufferoverrunH
//---------------------------------------------------------------------------

#include "check.h"
#include "config.h"
#include "errorlogger.h"
#include "mathlib.h"
#include "tokenize.h"

#include <cstddef>
#include <list>
#include <map>
#include <string>
#include <vector>

class Settings;
class SymbolDatabase;
class Token;
namespace ValueFlow {
    class Value;
}  // namespace ValueFlow
namespace tinyxml2 {
    class XMLElement;
}  // namespace tinyxml2

// CWE ids used
static const struct CWE CWE119(119U); // Improper Restriction of Operations within the Bounds of a Memory Buffer

class Variable;

/// @addtogroup Checks
/// @{

/**
 * @brief buffer overruns and array index out of bounds
 *
 * Buffer overrun and array index out of bounds are pretty much the same.
 * But I generally use 'array index' if the code contains []. And the given
 * index is out of bounds.
 * I generally use 'buffer overrun' if you for example call a strcpy or
 * other function and pass a buffer and reads or writes too much data.
 */
class CPPCHECKLIB CheckBufferOverrun : public Check {
public:

    /** This constructor is used when registering the CheckClass */
    CheckBufferOverrun() : Check(myName()) {
    }

    /** This constructor is used when running checks. */
    CheckBufferOverrun(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger)
        : Check(myName(), tokenizer, settings, errorLogger) {
    }

    void runSimplifiedChecks(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger) OVERRIDE {
        CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
        checkBufferOverrun.arrayIndex();
        checkBufferOverrun.bufferOverflow();
        checkBufferOverrun.arrayIndexThenCheck();
    }

    void runChecks(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger) OVERRIDE {
        (void)tokenizer;
        (void)settings;
        (void)errorLogger;
    }

    void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings) const OVERRIDE {
        CheckBufferOverrun c(nullptr, settings, errorLogger);
        c.arrayIndexError(nullptr, nullptr, nullptr);
        c.negativeIndexError(nullptr, nullptr, nullptr);
        c.arrayIndexThenCheckError(nullptr, "i");
    }

private:

    void arrayIndex();
    void arrayIndexError(const Token *tok, const Variable *var, const ValueFlow::Value *index);
    void negativeIndexError(const Token *tok, const Variable *var, const ValueFlow::Value *negativeValue);

    void bufferOverflow();
    void bufferOverflowError(const Token *tok);

    void arrayIndexThenCheck();
    void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);

    size_t getBufferSize(const Token *bufTok) const;

    static std::string myName() {
        return "Bounds checking";
    }

    std::string classInfo() const OVERRIDE {
        return "Out of bounds checking:\n"
               "- Array index out of bounds\n"
               "- Buffer overflow\n"
               "- Dangerous usage of strncat()\n"
               "- Using array index before checking it\n";
    }
};
/// @}
//---------------------------------------------------------------------------
#endif // checkbufferoverrunH
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`/*`
			`* Cppcheck - A tool for static C/C++ code analysis`
Update copyright year 2019-02-09 07:24:06 +01:00			`* Copyright (C) 2007-2019 Cppcheck team.`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`*`
			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
Fix GPL comments in all files. ">." was missing from the end. 2009-09-27 17:08:31 +02:00			`* along with this program. If not, see <http://www.gnu.org/licenses/>.`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`*/`


			`//---------------------------------------------------------------------------`
Fixed #5007 (Same include guard naming) 2013-09-04 20:59:49 +02:00			`#ifndef checkbufferoverrunH`
			`#define checkbufferoverrunH`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`//---------------------------------------------------------------------------`

refactoring checkbufferoverrun 2009-03-20 17:35:53 +01:00			`#include "check.h"`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`#include "config.h"`
			`#include "errorlogger.h"`
VS: Fixed compiler warnings. Ticket: #2200 2010-11-21 11:48:27 +01:00			`#include "mathlib.h"`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`#include "tokenize.h"`
Mapped toomanyconfigs ,AssignmentAddressToInteger ,AssignmentIntegerToAddress ,CastIntegerToAddressAtReturn ,CastAddressToIntegerAtReturn ,assertWithSideEffect ,assignmentInAssert ,uselessAssignmentArg ,uselessAssignmentPtrArg ,comparisonOfFuncReturningBoolError ,comparisonOfTwoFuncsReturningBoolError ,comparisonOfBoolWithBoolError ,incrementboolean ,comparisonOfBoolWithInt ,compareBoolExpressionWithInt ,negativeIndex ,pointerOutOfBounds ,arrayIndexThenCheck ,possibleBufferAccessOutOfBounds ,argumentSize ,arrayIndexOutOfBoundsCond ,noConstructor ,copyCtorPointerCopying ,noCopyConstructor ,uninitMemberVar ,operatorEqVarError ,unusedPrivateFunction ,memsetClassFloat ,mallocOnClassWarning ,operatorEq ,thisSubtraction ,operatorEqRetRefThis ,operatorEqToSelf ,useInitializationList ,duplInheritedMember ,assignIfError ,comparisonError ,multiCondition ,mismatchingBitAnd ,oppositeInnerCondition ,incorrectLogicOperator ,redundantCondition ,moduloAlwaysTrueFalse to their CWEs ids. 2016-02-20 23:56:36 +01:00
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`#include <cstddef>`
checkbufferoverrun: cleaned up the header includes 2009-02-11 06:16:10 +01:00			`#include <list>`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`#include <map>`
Refactoring: Use std::string instead of const char * 2010-02-14 19:58:17 +01:00			`#include <string>`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`#include <vector>`

			`class Settings;`
			`class SymbolDatabase;`
			`class Token;`
			`namespace ValueFlow {`
astyle formatting [ci skip] 2017-05-28 15:56:26 +02:00			`class Value;`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`} // namespace ValueFlow`
			`namespace tinyxml2 {`
astyle formatting [ci skip] 2017-05-28 15:56:26 +02:00			`class XMLElement;`
iwyu - include what you use 2017-05-27 04:33:47 +02:00			`} // namespace tinyxml2`
checkbufferoverrun: cleaned up the header includes 2009-02-11 06:16:10 +01:00
Mapped toomanyconfigs ,AssignmentAddressToInteger ,AssignmentIntegerToAddress ,CastIntegerToAddressAtReturn ,CastAddressToIntegerAtReturn ,assertWithSideEffect ,assignmentInAssert ,uselessAssignmentArg ,uselessAssignmentPtrArg ,comparisonOfFuncReturningBoolError ,comparisonOfTwoFuncsReturningBoolError ,comparisonOfBoolWithBoolError ,incrementboolean ,comparisonOfBoolWithInt ,compareBoolExpressionWithInt ,negativeIndex ,pointerOutOfBounds ,arrayIndexThenCheck ,possibleBufferAccessOutOfBounds ,argumentSize ,arrayIndexOutOfBoundsCond ,noConstructor ,copyCtorPointerCopying ,noCopyConstructor ,uninitMemberVar ,operatorEqVarError ,unusedPrivateFunction ,memsetClassFloat ,mallocOnClassWarning ,operatorEq ,thisSubtraction ,operatorEqRetRefThis ,operatorEqToSelf ,useInitializationList ,duplInheritedMember ,assignIfError ,comparisonError ,multiCondition ,mismatchingBitAnd ,oppositeInnerCondition ,incorrectLogicOperator ,redundantCondition ,moduloAlwaysTrueFalse to their CWEs ids. 2016-02-20 23:56:36 +01:00			`// CWE ids used`
			`static const struct CWE CWE119(119U); // Improper Restriction of Operations within the Bounds of a Memory Buffer`

start using symbol database array info for buffer overrun checks 2011-06-23 04:44:11 +02:00			`class Variable;`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00
doc: updated doxygen comments. three groups where created - 'GUI', 'Core' and 'Checks' 2009-07-17 10:49:01 +02:00			`/// @addtogroup Checks`
			`/// @{`

doxygen: added more comments for CheckNullPointer and CheckUninitVar 2010-03-13 21:42:59 +01:00			`/**`
			`* @brief buffer overruns and array index out of bounds`
			`*`
			`* Buffer overrun and array index out of bounds are pretty much the same.`
			`* But I generally use 'array index' if the code contains []. And the given`
			`* index is out of bounds.`
			`* I generally use 'buffer overrun' if you for example call a strcpy or`
			`* other function and pass a buffer and reads or writes too much data.`
			`*/`
Implemented support for building cppcheck lib into a dll Updated VS9 solution New VS10 solution that builds cppcheck into a dll used by cli and testrunner. Functional changes and advantages of new solution: - Share code between testrunner and cli; ability to share code with gui as well (not yet implemented) - Files of /lib are no longer compiled twice (should improve build time on single core machines) - Added configuration for building with PCRE support - Executables are build into /bin (/bin/debug in debug mode) folder (Should no longer require rebuild when switching between debug and release) - Completely x64 compatible (contains also x64-debug configuration now) 2012-06-10 14:19:09 +02:00			`class CPPCHECKLIB CheckBufferOverrun : public Check {`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`public:`
refactoring checkbufferoverrun 2009-03-20 17:35:53 +01:00
refactoring: there are now 2 functions for running checks. 'runChecks' and 'runSimplifiedChecks' 2009-03-21 07:53:23 +01:00			`/** This constructor is used when registering the CheckClass */`
Rename private member variables 2018-06-17 17:20:16 +02:00			`CheckBufferOverrun() : Check(myName()) {`
Updated to AStyle 2.03, require this version 2013-08-07 16:27:37 +02:00			`}`
refactoring checkbufferoverrun 2009-03-20 17:35:53 +01:00
doxygen updates 2010-03-17 22:16:18 +01:00			`/** This constructor is used when running checks. */`
refactoring: Renamed checking classes 2009-07-13 16:00:15 +02:00			`CheckBufferOverrun(const Tokenizer tokenizer, const Settings settings, ErrorLogger *errorLogger)`
Rename private member variables 2018-06-17 17:20:16 +02:00			`: Check(myName(), tokenizer, settings, errorLogger) {`
Updated to AStyle 2.03, require this version 2013-08-07 16:27:37 +02:00			`}`
refactoring checkbufferoverrun 2009-03-20 17:35:53 +01:00
Introduce macro OVERRIDE for gcc-4.6 compatibility. 2019-01-12 07:37:42 +01:00			`void runSimplifiedChecks(const Tokenizer tokenizer, const Settings settings, ErrorLogger *errorLogger) OVERRIDE {`
refactoring: Renamed checking classes 2009-07-13 16:00:15 +02:00			`CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);`
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`checkBufferOverrun.arrayIndex();`
			`checkBufferOverrun.bufferOverflow();`
Add CheckBufferOverrun::arrayIndexThenCheck 2019-03-11 19:20:06 +01:00			`checkBufferOverrun.arrayIndexThenCheck();`
refactoring checkbufferoverrun 2009-03-20 17:35:53 +01:00			`}`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00
Introduce macro OVERRIDE for gcc-4.6 compatibility. 2019-01-12 07:37:42 +01:00			`void runChecks(const Tokenizer tokenizer, const Settings settings, ErrorLogger *errorLogger) OVERRIDE {`
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`(void)tokenizer;`
			`(void)settings;`
			`(void)errorLogger;`
Fixed two false positives related to char arrays initialized by a literal: - Run check for writing to string literals on non-simplified token list (#7283) - Run buffer overrun checking for string literals on non-simplified token list (https://sourceforge.net/p/cppcheck/discussion/general/thread/2c33dfc5/) 2016-07-07 19:38:15 +02:00			`}`
doxygen: added more comments for CheckNullPointer and CheckUninitVar 2010-03-13 21:42:59 +01:00
Introduce macro OVERRIDE for gcc-4.6 compatibility. 2019-01-12 07:37:42 +01:00			`void getErrorMessages(ErrorLogger errorLogger, const Settings settings) const OVERRIDE {`
Minor refactoring: use nullptr (instead of 0/NULL), change signature of Tokenizer::createTokens 2016-05-07 16:30:54 +02:00			`CheckBufferOverrun c(nullptr, settings, errorLogger);`
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`c.arrayIndexError(nullptr, nullptr, nullptr);`
			`c.negativeIndexError(nullptr, nullptr, nullptr);`
Add CheckBufferOverrun::arrayIndexThenCheck 2019-03-11 19:20:06 +01:00			`c.arrayIndexThenCheckError(nullptr, "i");`
refactoring - added 'getErrorMessages' to all check classes 2009-03-22 08:20:15 +01:00			`}`
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00
Refactorizations on buffer overrun check: - Replaced a few indendation counters by smaller and faster code - Make use of safer nextArgument() function instead of some local implementations - Replaced some simple patterns by direct function calls - Made a strncpy/strncat search pattern more generic - Replaced offset variable by incrementation of Token* to avoid subsequent calls to tokAt - Increased data encapsulation in header 2012-03-17 21:55:08 +01:00			`private:`
added a classInfo function for each check class 2009-06-12 12:19:37 +02:00
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`void arrayIndex();`
			`void arrayIndexError(const Token tok, const Variable var, const ValueFlow::Value *index);`
			`void negativeIndexError(const Token tok, const Variable var, const ValueFlow::Value *negativeValue);`

			`void bufferOverflow();`
			`void bufferOverflowError(const Token *tok);`

Add CheckBufferOverrun::arrayIndexThenCheck 2019-03-11 19:20:06 +01:00			`void arrayIndexThenCheck();`
			`void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);`

Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`size_t getBufferSize(const Token *bufTok) const;`

astyle formatting 2014-11-20 14:20:09 +01:00			`static std::string myName() {`
doc: generating wiki documentation 2009-06-12 15:20:08 +02:00			`return "Bounds checking";`
			`}`

Introduce macro OVERRIDE for gcc-4.6 compatibility. 2019-01-12 07:37:42 +01:00			`std::string classInfo() const OVERRIDE {`
Improved checkBufferOverrun::classInfo (#4667) 2014-05-22 09:13:29 +02:00			`return "Out of bounds checking:\n"`
Start a major rewrite of CheckBufferOverrun. For now only the 'array index' and 'buffer overflow' checks are rewritten. There are important TODOs still; for instance adding CTU support using our CTU infrastructure, add handling of pointers (maybe I'll use FwdAnalysis for this), add handling of multidimensional arrays, etc.. 2019-03-09 22:14:02 +01:00			`"- Array index out of bounds\n"`
			`"- Buffer overflow\n"`
Add CheckBufferOverrun::arrayIndexThenCheck 2019-03-11 19:20:06 +01:00			`"- Dangerous usage of strncat()\n"`
			`"- Using array index before checking it\n";`
added a classInfo function for each check class 2009-06-12 12:19:37 +02:00			`}`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`};`
doc: updated doxygen comments. three groups where created - 'GUI', 'Core' and 'Checks' 2009-07-17 10:49:01 +02:00			`/// @}`
Fixing files using dos-style line change to use unix-style line change. 2009-01-31 20:29:27 +01:00			`//---------------------------------------------------------------------------`
Fixed #5007 (Same include guard naming) 2013-09-04 20:59:49 +02:00			`#endif // checkbufferoverrunH`